
ASA 5510 Deny TCP (no connection) syn ack

Plinio Brandao
Level 1

Hi Community,

I'd like to verify some problems with you.

I have the following scenario and I'm having some problems.

My firewalls are running in multiple context mode.

According to my troubleshooting, the problem happens because of the following things:

problem.png

1- The host 10.15.5.100 does a telnet to 10.0.6.100 using the default gateway, which is the context firewall C2;

2- The packet goes to C2 and is forwarded through the interface e0/0 (directly connected);

3- The packet is delivered directly to the host, without passing through the context firewall C1;

4- The host receives the packet and returns the answer to the source host 10.15.5.10 using the default gateway 10.0.1.10;

5- The packet is received by the context firewall C1 and is dropped with the reason Deny TCP (no connection) syn ack;

I think the problem is on step 4, the context C1 receives a packet that didn't pass through it before. Am I right?

I'd like to ask for suggestions about this case. How can I proceed?

Thank you very much!!!

1 Accepted Solution

Jennifer Halim
Cisco Employee

Yes you are correct.

Since the initial TCP SYN does not pass through context C1, context C1 will drop the packet because it has never seen that TCP session earlier.

You would need to ensure that the routing is correct, i.e. traffic should traverse the same context and interfaces to complete the TCP session.
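
The state check described in the accepted answer, as an added example that is not part of the original thread and is not ASA code: a minimal Python model of per-context connection tables, replaying the telnet from 10.15.5.100 to 10.0.6.100 first over the asymmetric path and then with both directions through one context. The source port 40000, the class and function names, and the assumption that the access policy permits the initial SYN are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN ACK"


@dataclass
class Context:
    """Simplified model of one stateful firewall context (hypothetical, not ASA code)."""
    name: str
    conns: set = field(default_factory=set)

    def inspect(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == "SYN":
            # Assumption: the access policy permits this flow, so the
            # initial SYN creates the connection entry in this context only.
            self.conns.add(fwd)
            return "permit (new connection)"
        if fwd in self.conns or rev in self.conns:
            return "permit (existing connection)"
        # No entry: this context never saw the SYN for this session.
        return f"Deny TCP (no connection) {seg.flags.lower()}"


def handshake(forward_ctx, return_ctx):
    """Send SYN and SYN-ACK through the context each direction is routed to."""
    syn = Segment("10.15.5.100", 40000, "10.0.6.100", 23, "SYN")
    syn_ack = Segment("10.0.6.100", 23, "10.15.5.100", 40000, "SYN ACK")
    return [(forward_ctx.name, forward_ctx.inspect(syn)),
            (return_ctx.name, return_ctx.inspect(syn_ack))]


def asymmetric():
    # Client's gateway is C2, server's default gateway is C1.
    return handshake(Context("C2"), Context("C1"))


def symmetric():
    # Routing corrected: both directions traverse the same context.
    c2 = Context("C2")
    return handshake(c2, c2)


if __name__ == "__main__":
    print(asymmetric())
    print(symmetric())
```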

