https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408447#M747133 <P>Hi,</P><P>ssh connection goes from server1 to server2, between servers is&nbsp; IPSec tunnel ASA1- ASA2</P><P>But connection is reseted, i have tis log message on ASA1</P><P>%PIX|<EM>ASA</EM>-2-<EM>106001</EM>: Inbound TCP connection denied from&nbsp; IP_address/port to IP_address/port flags tcp_flags on interface&nbsp; interface_name</P><P></P><P>flag is SYN</P><P>what should be a reason of reset ssh?</P><P>access-list contains ssh between nodes, so reason can not be in access-list</P><P>ASA1 has ver 8.1.2</P><P></P><P>peter</P> Mon, 11 Mar 2019 17:35:50 GMT pslavkovsky 2019-03-11T17:35:50Z https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408447#M747133 <P>Hi,</P><P>ssh connection goes from server1 to server2, between servers is&nbsp; IPSec tunnel ASA1- ASA2</P><P>But connection is reseted, i have tis log message on ASA1</P><P>%PIX|<EM>ASA</EM>-2-<EM>106001</EM>: Inbound TCP connection denied from&nbsp; IP_address/port to IP_address/port flags tcp_flags on interface&nbsp; interface_name</P><P></P><P>flag is SYN</P><P>what should be a reason of reset ssh?</P><P>access-list contains ssh between nodes, so reason can not be in access-list</P><P>ASA1 has ver 8.1.2</P><P></P><P>peter</P> Mon, 11 Mar 2019 17:35:50 GMT https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408447#M747133 pslavkovsky 2019-03-11T17:35:50Z https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408448#M747139 <HTML><HEAD></HEAD><BODY><P>Peter, can you share the configuration of the both ASA's? That will help in figuring why the ASA denies/drops the SYN packet from your ssh connection.</P><P></P><P>Dmitry.</P></BODY></HTML> Thu, 22 Apr 2010 14:52:19 GMT https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408448#M747139 dtochilovsky 2010-04-22T14:52:19Z https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408449#M747143 <HTML><HEAD></HEAD><BODY><P>You can check if you have command "service resetinbound" or "outbound" in your config.</P><P>An IPS module on the ASA could also send the RST.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Thu, 22 Apr 2010 21:24:33 GMT https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408449#M747143 Panos Kampanakis 2010-04-22T21:24:33Z https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408450#M747148 <HTML><HEAD></HEAD><BODY><P>ASA 5520 supports ASDM management which is GUI based tool. This provides packet tracer tool</P><P>where you can define source IP, Destination IP, source Interface, Source Port, and Destination Port. This will help you to identify where exactly problem you have. The problem appears to be in reverse NAT or security policy. This would be more clarified by information shared in document</P><P></P><P><A href="http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00809763ea.shtml">http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00809763ea.shtml</A></P><P></P><BLOCKQUOTE class="jive-quote"><PRE><STRONG>%PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name</STRONG> </PRE></BLOCKQUOTE><P><STRONG>Explanation</STRONG></P><P>This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible <EM>tcp_flags</EM> values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The <EM>tcp_flags</EM> in this packet are FIN and ACK.</P><P>The <EM>tcp_flags</EM> are as follows:</P><UL><LI><P>ACK—The acknowledgment number was received.</P></LI><LI><P>FIN—Data was sent.</P></LI><LI><P>PSH—The receiver passed data to the application.</P></LI><LI><P>RST—The connection was reset.</P></LI><LI><P>SYN—Sequence numbers were synchronized to start a connection.</P></LI><LI><P>URG—The urgent pointer was declared valid.</P></LI></UL><P>There are many reasons for static translation to fail on the PIX/ASA. But, a common reason is if the demilitarized zone (DMZ) interface is configured with the same security level (0) as the outside interface.</P><P>In order to resolve this issue, assign a different security level to all interfaces</P><P>Refer to <A href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html">Configuring Interface Parameters</A> for more information.</P><P>This error message also appears if an external device sends an IDENT packet to the internal client, which is dropped by the PIX Firewall. Refer to <A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml">PIX Performance Issues Caused by IDENT Protocol</A> for more information </P></BODY></HTML> Thu, 22 Apr 2010 21:47:59 GMT https://community.cisco.com/t5/network-security/ssh-connection-is-reseted/m-p/1408450#M747148 shailesh.h 2010-04-22T21:47:59Z