https://community.cisco.com/t5/network-security/flags-sxaa/m-p/2352630#M308323 <P>Hi All,</P><P></P><P>I am gettig the below logs in one of my ASA when trying to access one destination IP. I have site to site VPN established from this firewall and have </P><P>193.244.75.128/25 added in VPN tunnel encryption. However I am blocking 193.244.75.200/32&nbsp; through tunnel and sending over plain internet. This firewall is behind perimeter firewall. Usually NATing will be happening in perimeter firewall.Since i was not able to access this IP from the desktops which are behind this ODC firewall, I have placed NAT statements in ODC firewall and getting below Logs in ODC firewall.</P><P></P><P> Xlate:</P><P></P><P>&nbsp;&nbsp;&nbsp; TCP PAT from inside:10.222.6.14/54436 to outside:203.99.192.210/54436 flags ri idle 0:00:15 timeout 0:00:30</P><P></P><P>&nbsp;&nbsp;&nbsp; TCP outside&nbsp; 193.244.75.200:443 inside&nbsp; 10.222.6.14:54436, idle 0:00:12, bytes 0, flags sxaA </P><P></P><P>Thanks</P><P>Soumya</P> Tue, 12 Mar 2019 03:09:14 GMT sayast001 2019-03-12T03:09:14Z https://community.cisco.com/t5/network-security/flags-sxaa/m-p/2352630#M308323 <P>Hi All,</P><P></P><P>I am gettig the below logs in one of my ASA when trying to access one destination IP. I have site to site VPN established from this firewall and have </P><P>193.244.75.128/25 added in VPN tunnel encryption. However I am blocking 193.244.75.200/32&nbsp; through tunnel and sending over plain internet. This firewall is behind perimeter firewall. Usually NATing will be happening in perimeter firewall.Since i was not able to access this IP from the desktops which are behind this ODC firewall, I have placed NAT statements in ODC firewall and getting below Logs in ODC firewall.</P><P></P><P> Xlate:</P><P></P><P>&nbsp;&nbsp;&nbsp; TCP PAT from inside:10.222.6.14/54436 to outside:203.99.192.210/54436 flags ri idle 0:00:15 timeout 0:00:30</P><P></P><P>&nbsp;&nbsp;&nbsp; TCP outside&nbsp; 193.244.75.200:443 inside&nbsp; 10.222.6.14:54436, idle 0:00:12, bytes 0, flags sxaA </P><P></P><P>Thanks</P><P>Soumya</P> Tue, 12 Mar 2019 03:09:14 GMT https://community.cisco.com/t5/network-security/flags-sxaa/m-p/2352630#M308323 sayast001 2019-03-12T03:09:14Z https://community.cisco.com/t5/network-security/flags-sxaa/m-p/3330183#M308324 <P>This is an old thread, but for anyone that stumbles on it like I did, I found an answer for my own presentation of this odd behavior.&nbsp;</P> <P>&nbsp;</P> <P>We took a wireshark, and the cipher specs were failing to negotiate for tcp/443 (https). This led to the sxaA flags showing up in the conn, and then quickly disappearing. Because the negotiation is so fast, it's hard to catch in that table.&nbsp;</P> <P>&nbsp;</P> <P>Hope it helps!&nbsp;</P> <P>kyler</P> Tue, 13 Feb 2018 15:56:08 GMT https://community.cisco.com/t5/network-security/flags-sxaa/m-p/3330183#M308324 Kyler Middleton 2018-02-13T15:56:08Z