Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
0
Helpful
3
Replies

ASA 5525X Deny TCP (no connection)

RMcGlew
Level 1
Level 1

‎07-19-2016 11:58 AM - edited ‎03-12-2019 01:02 AM

We recently changed network vendors and have copied the ASA rules for the old interface to the new interface. This allowed us to use both networks for a while, but now we're finding that some traffic -- Apple app deployments and iOS updates in particular -- are running into a Deny TCP (no connection). We've read that this is likely a routing problem, but we don't see it. 

We're posting the 2960 Running-Config (with slight redactions). We're thinking that this would be where the routing issue would be. We probably have other issues here, but we're trying to focus on the Deny TCP/Apple app deployment.

Labels:
Preview file
5 KB
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-19-2016 12:27 PM

Can you share the ASA configuration as well?

0 Helpful

RMcGlew
Level 1
Level 1
In response to Marvin Rhoads

‎07-19-2016 12:51 PM

I'm attaching the ASA configuration. I redacted VPN info and such. I use the GUI to edit.

Preview file
23 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to RMcGlew

‎07-19-2016 12:57 PM

You have two default routes and a variety of NAT statements, some of the latter are deactivated.

Basically, interfaces specified in your active NAT statements need to match up with routing table or else defer to the routing table by using the overriding "route-lookup" argument in the NAT statement.

You can confirm which rules will be used for a given flow using the packet tracer (wizard in the GUI or cli).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card