https://community.cisco.com/t5/network-security/asa-denying-tcp-traffic/m-p/2135351#M395229 <HTML><HEAD></HEAD><BODY><P>Hello Remco,</P><P></P><P>The thing here is that the ASA is torning a connection down as he is receiving a Reset packet from an inside host.</P><P></P><P>Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-302014: Teardown TCP connection 10627309 for outside:199.38.223.43/443 to inside:10.0.4.51/50978 duration 0:00:09 bytes 722969 <EM><STRONG style="text-decoration: underline; ">TCP Reset-I</STRONG></EM></P><P></P><P><EM><STRONG style="text-decoration: underline; "><BR /></STRONG></EM></P><P>Now I would recommend you to do captures in order to determine if is the ASA the one sending the TCP reset packet as this is expected when you have the "service reset command".</P><P></P><P>Regarding the TCP statebypass, yes that could solve it but my recommendation would be to track this down by creating captures but you could try the TCP statebypass is this is need it ASAP</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Fri, 23 Nov 2012 00:43:41 GMT Julio Carvajal 2012-11-23T00:43:41Z https://community.cisco.com/t5/network-security/asa-denying-tcp-traffic/m-p/2135350#M395225 <P>Some of my users were complaining their software was not working correct. It retrieves file from a remote host and then constructs a model from these files. Retrieving and constructing behind our ASA5510 resulted in a corrupt model while the same actions at home (where they don't have a ASA) always works.</P><P>I tracked down (at least i think i did) the problem to these messages from the syslog:</P><P><SPAN style="font-family: courier new,courier;">Nov 21 18:31:02 vpn : Nov 21 18:31:02 CEST: %ASA-session-6-302013: Built outbound TCP connection 10627309 for outside:199.38.223.43/443 (199.38.223.43/443) to inside:10.0.4.51/50978 (10.0.4.51/50978) </SPAN></P><P><SPAN style="font-family: courier new,courier;">Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-302014: Teardown TCP connection 10627309 for outside:199.38.223.43/443 to inside:10.0.4.51/50978 duration 0:00:09 bytes 722969 TCP Reset-I </SPAN></P><P><SPAN style="font-family: courier new,courier;">Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 199.38.223.43/443 to 10.0.4.51/50978 flags FIN ACK&nbsp; on interface outside </SPAN></P><P><SPAN style="font-family: courier new,courier;">Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-106015: Deny TCP (no connection) from 199.38.223.43/443 to 10.0.4.51/50978 flags ACK&nbsp; on interface outside </SPAN></P><P><SPAN style="font-family: courier new,courier;">Nov 21 18:31:38 vpn : Nov 21 18:31:38 CEST: %ASA-session-6-302013: Built outbound TCP connection 10627324 for outside:199.38.223.43/443 (199.38.223.43/443) to inside:10.0.4.51/50979 (10.0.4.51/50979) </SPAN></P><P><SPAN style="font-family: courier new,courier;">Nov 21 18:31:43 vpn : Nov 21 18:31:43 CEST: %ASA-session-6-302014: Teardown TCP connection 10627324 for outside:199.38.223.43/443 to inside:10.0.4.51/50979 duration 0:00:05 bytes 418328 TCP FINs</SPAN></P><P></P><P>I think the connection is not nicely closed and the remote host is not sending all files or the cliënt is not retrieving all the files correctly.</P><P></P><P>After searching a lot i added <SPAN style="font-family: courier new,courier;">sysopt connection timedwait</SPAN>, but this does not seem to change anything, i suspected 106028 Deny TCP (Connection marked for deletion) messages, but can't find them in the syslog.</P><P></P><P>My configuration is pretty straightforward with a wireless AP &gt; ASA5510 &gt; Cisco871 &gt; internet so there is no asynchronous routing on our side.</P><P>Cisco Adaptive Security Appliance Software Version 8.4(2)</P><P>Device Manager Version 6.4(5)</P><P></P><P>Can someone help me resolving these Deny TCP messages? Or is the only solution to disable statefull inspection for certain hosts, which is not my preferred solution?</P> Tue, 12 Mar 2019 00:26:54 GMT https://community.cisco.com/t5/network-security/asa-denying-tcp-traffic/m-p/2135350#M395225 mazzzterrr 2019-03-12T00:26:54Z https://community.cisco.com/t5/network-security/asa-denying-tcp-traffic/m-p/2135351#M395229 <HTML><HEAD></HEAD><BODY><P>Hello Remco,</P><P></P><P>The thing here is that the ASA is torning a connection down as he is receiving a Reset packet from an inside host.</P><P></P><P>Nov 21 18:31:12 vpn : Nov 21 18:31:12 CEST: %ASA-session-6-302014: Teardown TCP connection 10627309 for outside:199.38.223.43/443 to inside:10.0.4.51/50978 duration 0:00:09 bytes 722969 <EM><STRONG style="text-decoration: underline; ">TCP Reset-I</STRONG></EM></P><P></P><P><EM><STRONG style="text-decoration: underline; "><BR /></STRONG></EM></P><P>Now I would recommend you to do captures in order to determine if is the ASA the one sending the TCP reset packet as this is expected when you have the "service reset command".</P><P></P><P>Regarding the TCP statebypass, yes that could solve it but my recommendation would be to track this down by creating captures but you could try the TCP statebypass is this is need it ASAP</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Fri, 23 Nov 2012 00:43:41 GMT https://community.cisco.com/t5/network-security/asa-denying-tcp-traffic/m-p/2135351#M395229 Julio Carvajal 2012-11-23T00:43:41Z