03-20-2008 11:07 AM - edited 03-11-2019 05:20 AM
Hi All,
I get the following error
%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20
when I try to connect from sol-dun-hobbit1 to coa-dun-web1-front. Now, there is a slight problem in the topology here. This ASA has two sub-interfaces, one of which connects to the "front-end IPs" of the web boxes it is protecting and another to the back-end IPs. Both Front and Back networks are separate VLANs and terminate (gateway is the ASA) only on the ASA. The problem is, when I connect from sol-dun-hobbit (from an outside interface, here the interface is called management) the packet is transmitted out the ASA on vlan 10 (on sub-interface = internal-10) and then the reply comes back on a different sub-interface = internal-20. I cannot do anything about the packet coming in; I'm trying to get the ASA to recognise that the reply is part of an earlier connection attempt, which the ASA doesn't seem to be doing.
Any ideas?
03-21-2008 02:18 AM
The SYN never flowed in this direction and the firewall did not have the SYN entry in the table, but the SYN ACK tries to go through the firewall; this violates the stateful nature of the firewall and thus you see this log.
There is asymmetric routing that's happening and you need to correct that.
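To see how the 106015 message in the first post can be separated from ordinary stray-segment noise, here is an added example (not code from the thread or from Cisco): a parser for the message format plus a small detector that counts dropped SYN ACKs per server and arrival interface, which is exactly the pattern produced when the SYN leaves via one sub-interface and the reply returns on another. The sample log is constructed, modelled on the line quoted above; the non-106015 line and the RST/SYN-only entries are deliberate noise.

```python
import re
from collections import Counter

# Message 106015: the ASA dropped a TCP segment that matched no connection entry.
# SYN ACKs dropped this way, arriving from a server port, are the signature the
# thread describes: the SYN left through another sub-interface, so the reply has
# no state to match. Hostnames appear because the ASA has names configured.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\w.-]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.-]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

def parse_106015(line):
    """Return the fields of a 106015 message as a dict, or None for other messages."""
    m = ASA_106015.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = frozenset(d["flags"].split())
    return d

def asymmetric_reply_suspects(lines, threshold=2):
    """Count SYN ACK drops per (server, server port, arriving interface) and return
    the combinations seen at least `threshold` times. One stray SYN ACK may be a
    late retransmit; repeats from the same server on the same interface indicate
    a return path that avoids the interface the SYN was sent out of."""
    counts = Counter()
    for line in lines:
        d = parse_106015(line)
        if d is not None and {"SYN", "ACK"} <= d["flags"]:
            counts[(d["src"], d["sport"], d["ifc"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample log (not real ASA output), modelled on the line in the thread.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20",
    "%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50693 flags SYN ACK on interface internal-vlan-20",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/44321 to coa-dun-web1-front/80 flags RST on interface internal-vlan-10",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.11/51000 to coa-dun-web1-front/80 flags SYN on interface internal-vlan-10",
    "%ASA-6-302013: Built inbound TCP connection 1234 for management:192.0.2.12/5100 (192.0.2.12/5100) to internal-10:coa-dun-web1-front/80 (coa-dun-web1-front/80)",
]

if __name__ == "__main__":
    for (server, port, ifc), n in asymmetric_reply_suspects(SAMPLE_LOG).items():
        print(f"{n} SYN ACK replies from {server}/{port} dropped on {ifc}: check the return path")
```

A hit names the server, its listening port and the sub-interface the replies arrive on, which is enough to trace the return route on the web box and confirm the asymmetry before changing NAT or routing.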
03-21-2008 02:22 AM
I do appreciate that it's asymmetric routing; at the moment, I have no way to make it symmetric. In Checkpoints, you could stop anti-spoofing tests in similar situations. While this is not a spoofing problem, I am trying to find ways to make the ASA relate the connection attempt and reply.
03-21-2008 02:41 AM
You have a very valid concern, and therefore there has been a feature request CSCsj33201 filed to have TCP state check bypasses using MPF:
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsj33201+&Submit=Search
Rate the posts if it helps!
03-21-2008 02:57 AM
Thanks mate,
That explains a workaround for the problem; however, I do not understand the solution. I can't get any documentation for the "nailed" NAT option. Is there any way you could help me out here?
03-21-2008 03:01 AM
I think I got it...
03-21-2008 03:25 AM
False alarm, I couldn't get the nailed option to work.
For those interested, I found this on Cisco:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html
Check the section on Asymmetric routing.
However, I couldn't use this either; I think that was because of license issues.
Anyway, I am now using just plain NAT to fool the web servers so that symmetric routing does take place. This is not ideal (symmetric routing is, but not the NAT); however, I've got no other solution right now.
03-21-2008 03:43 AM
The nailed option is to bypass the security check, but for that you need a failover license to decrease the failover timeout to -1.