topic I had similar issue, and I in Network Security

inbound TCP connection denied flags SYN on interface inside

Joan Perez Esteban — Tue, 12 Mar 2019 01:42:34 GMT

Hi people, here again ,

I am having a problem with the traffic from the inside network to outside network, traffic is being dropped I don't know why or how to fix it. My set up is a s follow:

in the outside network there is a router directly connected to the ASA (through the outside network 10.15.1.x), this router creates a different network that is 172.16.35.x.

I'd need to access from the internal network to the network 172.16.35.x. I can't, packets are dropped with the message:

%ASA-2-106001: Inbound TCP connection denied from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name


I created an access rule to permit ip traffic from inside to network 172.16.35.x, which is connected to the outside interface through the router
Still not working....

Thanks in advance,

Juan

inbound TCP connection denied flags SYN on interface inside

blau grana — Mon, 13 May 2013 12:56:44 GMT

Hello Juan,

Try packet-tracer feature to find out where is problem.

https://supportforums.cisco.com/docs/DOC-5796

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

http://www.techrepublic.com/blog/networking/cisco-asa-packet-trace-your-firewall-debug-friend/1482

Best Regards

Please rate all helpful posts and close solved questions

inbound TCP connection denied flags SYN on interface inside

Jouni Forss — Mon, 13 May 2013 13:00:43 GMT

Hi,

Would need to see the configurations.

Based on the error message it would seem to me that this is not a problem with an ACL or NAT.

- Jouni

inbound TCP connection denied flags SYN on interface inside

Joan Perez Esteban — Mon, 13 May 2013 13:03:55 GMT

Hi Blau grana and Jouni,

your right, too many time configuring and unconfiguring the box, I miss to add the route in the ASA, is working fine now.

Thanks for your time,

Juan

I had similar issue, and I

Claus Juhl Pedersen — Fri, 09 Sep 2016 13:58:52 GMT

I had similar issue, and I fixed it by looking at my security levels.

Hi there,

Ly Cao — Thu, 04 May 2017 00:32:15 GMT

Hi there,

i have the same issue as Juan described. I can access to any websites except anything relate to google (gmail,google search, YouTube).

Deny inbound UDP from internal IP/port to 172.217.9.142/443 flags SYN on interface Inside

any ideas what could cause it?

thanks

Lee

Can you run packet tracer for

cofee — Thu, 04 May 2017 00:36:49 GMT

Can you run packet tracer for one of the addresses you are having issues accessing ? It should tell where the packet is getting dropped and why.

Cofee,

Ly Cao — Thu, 04 May 2017 00:57:11 GMT

Cofee,

thanks for the quick response. everything worked fine until today. There's nothing changed in the firewall as well as the internal routing. Strange!. please find attached for trace packet:

Lee

The packet tracer result that

cofee — Thu, 04 May 2017 01:02:40 GMT

The packet tracer result that you sent me is dropping the packet due to an ACL configured.

Re: The packet tracer result that

JRDIAZ758 — Mon, 12 Feb 2018 16:04:35 GMT

im having the same issue as well , trying to go from XXXdmz host to YYYYDMZ a web server https

10:18:00

106001

10.60.65.1

25812

10.11.167.110

443

Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz

XXXdmz is sec level 30 as well as the YYYYdmz that in trying to go to. routes are dynamically learned

packet-tracer input ccidmz tcp 10.60.65.1 25812 10.11.167.110 443

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: RECURSIVE-ROUTE-LOOKUP

Subtype: Recursive Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

in 10.11.167.0 255.255.255.0 via 172.16.160.1, YYYYDMZ (resolved, timestamp: 528790)

Phase: 4

Type: RECURSIVE-ROUTE-LOOKUP

Subtype: Recursive Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

in 172.16.160.0 255.255.255.248 YYYYDMZ

Phase: 5

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 172.16.160.1 using egress ifc YYYYDMZ

Phase: 6

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: XXXdmz

input-status: up

input-line-status: up

output-interface: YYYYDMZ

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: The packet tracer result that

Maciej Wlazlinski — Fri, 10 Mar 2023 08:08:52 GMT

I was experiencing the same issue and was screeching my head for hours (or more like two days). Adding and deleting rules messing up with policies, all for nothing. But finally I have figure it out. The solution was trivial.

As it happens ASA by default will reject anything between the interface if the SECURITY LEVEL is THE SAME - sick!!!

As soon as you will set it up to different values traffic is passed. And you can have 5 on Inside and 45 on DMZ or the vice versa, it does not matter as long as they are different.

So, it is worth to check, and hopefully someone will benefit from this tip.

Cheers!

Re: The packet tracer result that

christopherhancock — Mon, 25 Nov 2024 09:42:05 GMT

That was it. Thanks for posting!