12-22-2010 09:42 PM - edited 03-11-2019 12:26 PM
Hi all,
I am facing a connectivity problem for connections between 2 offices. A server from my office A needs to establish connections to a particular server in office B for a data pull. However, the data pull always fails. Below is the error logged.
Deny TCP (no connection) from 202.x.x.x/1433 to 20.x.x.x/27728 flags FIN PSH ACK on interface outside
Does the above indicate there is a config problem on the firewall of either office? One of the offices uses an ASA 5510 while the other uses a PIX.
The rules on both firewalls are configured to allow this connection. So far, out of 10 tries there is only 1 successful data pull. Hence configuration should not be a problem. There have been no config changes ever since the first try. Could this be a routing problem that my ISP can rectify? Please advise. Thanks in advance.
12-23-2010 11:01 AM
Based on the error message, the FIN packet was dropped because there was no active connection to match this TCP traffic flow. This is normal behavior, since the FW will only process a SYN packet if there is no active connection.
The best way to troubleshoot this is to do a packet capture on the ASA and then compare the working and non-working scenarios. You can use the packet-tracer command to check how the packet is handled by the ASA as well.
12-23-2010 11:11 AM
Wen,
You need to get the syslogs and look for the Built and Teardown syslogs in particular, and see if the 106015 syslog that you are talking about comes after the Teardown syslog. If so, then it is very clear that after the connection gets torn down the firewall receives this FIN PUSH ACK packet, for which the ASA does not have a connection in the table to send this packet through, and therefore drops it.
Don't miss my ATE event, starting January 3, 2011: https://supportforums.cisco.com/community/netpro/ask-the-expert
-KS
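As an added example (not code from either reply or from Cisco), this script applies the check described in the two replies above to constructed ASA syslog lines: it tracks Built (302013) and Teardown (302014) messages and reports whether each 106015 "Deny TCP (no connection)" followed a teardown of the same flow, and with what teardown reason, or arrived for a flow the firewall never built. The sample lines and the RFC 5737 addresses standing in for the masked 202.x.x.x / 20.x.x.x are constructed.

```python
import re

# Constructed sample ASA syslog lines (not from the thread); the addresses are RFC 5737
# documentation ranges standing in for the masked 202.x.x.x / 20.x.x.x in the post.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 41 for outside:203.0.113.10/1433 (203.0.113.10/1433) to inside:198.51.100.20/27728 (198.51.100.20/27728)
%ASA-6-302014: Teardown TCP connection 41 for outside:203.0.113.10/1433 to inside:198.51.100.20/27728 duration 0:00:02 bytes 5120 TCP Reset-I
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/1433 to 198.51.100.20/27728 flags FIN PSH ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/1433 to 198.51.100.20/27731 flags FIN PSH ACK on interface outside
"""

BUILT = re.compile(r"302013: Built \w+ TCP connection \d+ for \w+:([\d.]+)/(\d+) \([^)]*\) to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection \d+ for \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) duration \S+ bytes \d+ (.+)$")
DENY = re.compile(r"106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags ([A-Z ]+?) on interface (\w+)")

def flow_key(a, aport, b, bport):
    """Direction-agnostic key: Built/Teardown and 106015 may list the endpoints in either order."""
    return frozenset({(a, aport), (b, bport)})

def correlate(syslog_text):
    """For each 106015 deny, report whether a Teardown of the same flow preceded it
    (and the teardown reason) or whether the deny arrived for a flow never built."""
    torn_down = {}      # flow key -> teardown reason; cleared if the flow is built again
    findings = []
    for line in syslog_text.splitlines():
        m = BUILT.search(line)
        if m:
            torn_down.pop(flow_key(*m.groups()), None)
            continue
        m = TEARDOWN.search(line)
        if m:
            torn_down[flow_key(*m.groups()[:4])] = m.group(5).strip()
            continue
        m = DENY.search(line)
        if m:
            key = flow_key(*m.groups()[:4])
            findings.append({
                "src": f"{m.group(1)}/{m.group(2)}", "dst": f"{m.group(3)}/{m.group(4)}",
                "flags": m.group(5), "interface": m.group(6),
                "after_teardown": key in torn_down,
                "teardown_reason": torn_down.get(key),
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_SYSLOG):
        print(finding)
```

A deny marked after_teardown with a reason such as "TCP Reset-I" points at the endpoint that tore the session down, while a deny with no prior Built for that flow points at asymmetric routing, where the SYN never passed this firewall.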