https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893645#M436708 <HTML><HEAD></HEAD><BODY><P>Yes you are correct.</P><P>Since the initial TCP SYN does not pass through context C1, context C1 will drop the packet because it has never seen that TCP session earlier.</P><P>You would need to ensure that the routing is correct, ie: traffic should traverse the same context and interfaces to complete the TCP session.</P></BODY></HTML> Fri, 18 May 2012 12:09:05 GMT Jennifer Halim 2012-05-18T12:09:05Z https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893644#M436706 <P>Hi Community,</P><P></P><P>I'd like to verify some problems with you.</P><P></P><P>I have the following scenario and I'm having some problems.</P><P></P><P>My firewalls are running in multiple context mode.</P><P></P><P>According to my troubleshooting, the problem happens because of the following things:</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/8/8/7/89788-problem.png" alt="problem.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P>1- The host 10.15.5.100 do a telnet to 10.0.6.100 using the default gateway that is the context firewall C2;</P><P>2- The packet go to the C2 and is forward throught the interface e0/0 (direct connected);</P><P>3- The packet is delivered direct to the host,without passthrough the context firewall C1;</P><P>4- The host receive the packet and return the answer to the source host 10.15.5.10 using the default gateway 10.0.1.10;</P><P>5- The packet is received by the context firewall C1 and is dropped with the reason Deny TCP (no connection) syn ack;</P><P></P><P>I think the the problem is on step 4, the context C1 receive a packet that didn't pass by it before. Am I right?</P><P></P><P>I'd like to ask for suggestions about this case. How can I do to procede?</P><P></P><P>Thank you very much!!!</P> Mon, 11 Mar 2019 23:08:25 GMT https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893644#M436706 Plinio Brandao 2019-03-11T23:08:25Z https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893645#M436708 <HTML><HEAD></HEAD><BODY><P>Yes you are correct.</P><P>Since the initial TCP SYN does not pass through context C1, context C1 will drop the packet because it has never seen that TCP session earlier.</P><P>You would need to ensure that the routing is correct, ie: traffic should traverse the same context and interfaces to complete the TCP session.</P></BODY></HTML> Fri, 18 May 2012 12:09:05 GMT https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893645#M436708 Jennifer Halim 2012-05-18T12:09:05Z https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893646#M436713 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you for your help.</P><P></P><P>The problem was solved using this link as reference:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1089825">http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1089825</A></P><P></P><P>Regards.</P></BODY></HTML> Thu, 24 May 2012 18:35:42 GMT https://community.cisco.com/t5/network-security/asa-5510-deny-tcp-no-connection-syn-ack/m-p/1893646#M436713 Plinio Brandao 2012-05-24T18:35:42Z