Inbound TCP connection denied from 192.168.2.210/55187 to 192.168.2.200/7680 flags SYN on interface inside

marc
Level 1

Hi helpful people,

I have an issue that is confusing me and hoping someone can shed some light on the situation.

I am receiving a number of log entries of the nature:

Inbound TCP connection denied from 192.168.2.210/55187 to 192.168.2.200/7680 flags SYN on interface inside

I have done plenty of googling and can only find situations where the src and dst IPs are on different subnets and interfaces (and those have generally been routing issues), but I haven't been able to find anyone having the same issue as me, where the src and dst IPs are on the same subnet and interface.

Important points to note:

1) The inside interface is 192.168.2.0/24 and I can ping and remote desktop all machines on the inside interface.

2) The dst machine is more often than not 192.168.2.200 which is not always connected to the network (laptop on wifi).

3) The dst port is always 7680, which appears to be used for Windows 10 updates??

Any assistance in understanding what is going on is appreciated.

Cheers

8 Replies

Matias Ortiz
Level 1

Hi marc@taylorcorp.co.nz!

1) The inside interface is 192.168.2.0/24 and I can ping and remote desktop all machines on the inside interface.

What device do you have? If you have a /24 network, all traffic should communicate at layer 2, so it is fine that everything is permitted.

2) The dst machine is more often than not 192.168.2.200 which is always connected to the network (wifi).

Which is the interface wifi, inside too?

3) The dst port is always 7680 which appears to be used for windows 10 updates??

I don't know what this port is.

Run the following commands:

show running-config same-security-traffic

To check whether you have permitted communication in and out of the same interface. It is generally used in VPN environments.

show route | grep 192.168.2.

To check that both hosts are on the same interface, which should be "inside".

show arp | grep 192.168.

To check layer 2.

Regards.

Hi Matias,

Thanks for your reply.

1) It is a Cisco ASA 5505

2) Correction, the device at 192.168.2.200 is NOT always connected to the network as it is a laptop that comes and goes via wifi. Yes the wifi ap is on the inside network.

3) Results in no output. I don't have this enabled as I didn't think it necessary. I have always been able to ping and connect to any machine/device on the inside interface network without this enabled, and I still can. I just don't understand why the ASA is all of a sudden saying it is denying inbound TCP connections between machines on the same interface (inside).

"SyslogID 106001 Inbound TCP connection denied from 192.168.2.210/55187 to 192.168.2.200/7680 flags SYN on interface inside"

This shows in the log as a critical error, hence why I am trying to figure out what is going on.

Correct me if I am wrong but doesn't this imply that the machine at 192.168.2.210 is trying to connect to the machine at 192.168.2.200 but the ASA is denying this traffic. Why is this? I thought machines on the inside subnet would be able to communicate with each other. Sorry I am new to a lot of this but learning. 

4) Hosts are on the same interface.

Thanks again

Do you have the command below in your firewall config? If not, add it and test:

same-security-traffic permit intra-interface 

Hi Pawan,

Thanks for your reply. I tried your suggestion and it does resolve the issue, however I don't want to make the change permanent until I understand WHY it is required. Could you possibly explain why this issue is happening and how your suggested fix is appropriate?

Many thanks

Hi Marc,

By default the firewall does not allow traffic to enter and exit on the same interface (in your case, the inside interface). But in the scenario where a layer 3 interface (the gateway for the hosts) is configured on the firewall, traffic has to enter and exit on that same L3 interface (the gateway), hence to allow this traffic we require this command.

same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode.

Kindly refer to the Cisco link below and rate the post if it was useful:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s1.html#wp1392814

Thanks Pawan, it works for me.

Hi! You are right, this flow should not be caught by the ASA. But if you have the log it's because something is wrong with the configuration.

This is the description of the message:

Error Message %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

Explanation An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

ACK—The acknowledgment number was received
FIN—Data was sent
PSH—The receiver passed data to the application
RST—The connection was reset
SYN—Sequence numbers were synchronized to start a connection
URG—The urgent pointer was declared valid

Is the issue always with these two IPs? It may be that the problem comes from this. Remember, the ASA5505 is a mix of switch and firewall. When you ran "show arp", did the ARP table look OK? Maybe the moving of the laptop makes some noise with arp, xlate or conn.

Check this command:

packet-tracer input inside tcp 192.168.2.210 1245 192.168.2.200 7680

Do you have NAT to the flow by internet?
Is the connection denied by spoofing?

Regards.

Thanks again for taking the time to assist! Much appreciated.

I agree! I wouldn't think the ASA would bother itself with this traffic as it is all on the inside. What puzzles me is, if the ASA is denying hosts on the inside the ability to connect to each other, then how am I able to remote desktop from one host to another!!

The issue is not always with these two IPs, HOWEVER the destination IP/port is almost ALWAYS 192.168.2.200/7680, which leads me to believe it is something to do with Windows 10 P2P updates as explained here: Windows 10 shared updates.

I'm not sure how P2P works, but could it be that the src host (e.g. 192.168.2.210) is initially connecting to an outside (Microsoft) server to get details about machines to send updates to, and getting redirected back to the public IP on the outside interface of the ASA, which is then trying to forward the packet back to 192.168.2.200 in order to establish communication between 192.168.2.210 and 192.168.2.200 so that the host at 192.168.2.210 can send updates to the host 192.168.2.200??

I checked the ARP table and the entries look fine.

The result of the packet trace is as follows and shows the packet is being dropped by an implicit rule.

Result of the command: "packet-tracer input inside tcp 192.168.2.210 1245 192.168.2.200 7680"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

As suggested by Pawan, 'same-security-traffic permit intra-interface' does work and the traffic is allowed however I am not comfortable about permitting or enabling things without understanding why it is required so I removed it from configuration for now.

Many thanks.
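To make sense of a burst of these messages, it helps to parse the %ASA-2-106001 format quoted above and count the intra-interface denials per destination, which is how the "almost always 192.168.2.200/7680" pattern in this thread would show up. This is an added example, not code from the thread or from Cisco; the regex and the sample log lines are mine, and the inside subnet 192.168.2.0/24 is taken from the question.

```python
import re
import ipaddress
from collections import Counter

# Field layout follows the 106001 description quoted in the thread; regex is my own.
MSG_106001 = re.compile(
    r"%ASA-2-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Assumption taken from the question: the inside interface is 192.168.2.0/24.
INSIDE_NET = ipaddress.ip_network("192.168.2.0/24")

def parse_106001(line):
    """Return the fields of a 106001 denial, or None if the line is not one."""
    m = MSG_106001.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    # Src and dst both in the directly connected subnet means the flow would
    # have to enter and exit the same ASA interface (the same-security case).
    rec["intra_interface"] = (
        ipaddress.ip_address(rec["src"]) in INSIDE_NET
        and ipaddress.ip_address(rec["dst"]) in INSIDE_NET
    )
    return rec

def summarize(lines):
    """Count intra-interface SYN denials per destination (ip, port)."""
    counts = Counter()
    for line in lines:
        rec = parse_106001(line)
        if rec and rec["intra_interface"] and "SYN" in rec["flags"]:
            counts[(rec["dst"], rec["dport"])] += 1
    return counts

# Constructed sample lines modelled on the message quoted in the question.
SAMPLE = [
    "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.210/55187 to 192.168.2.200/7680 flags SYN on interface inside",
    "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.215/49201 to 192.168.2.200/7680 flags SYN on interface inside",
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/4444 to 192.168.2.200/3389 flags SYN on interface outside",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:192.168.2.210/51000 (192.0.2.1/51000)",
]

if __name__ == "__main__":
    for (dst, port), n in summarize(SAMPLE).most_common():
        print(f"{dst}:{port} denied {n} time(s) between inside hosts")
```

A destination that dominates the intra-interface counts on a port such as 7680 points at one host being repeatedly offered peer traffic, which is what the packet-tracer result above reproduces by hand.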
