Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6472
Views
0
Helpful
3
Replies

deny tcp (no connection )

Go to solution
Adam Coombs
Level 1
Level 1

‎01-07-2014 12:39 PM - edited ‎03-11-2019 08:26 PM

Ok I need help with a problem.  I have two firewalls between two networks, one is ASA 5520 (8.2(5)46) and ASA 5510 (9.0(2))

ASA5520 DMZ (192.168.169.x)      ASA5510 (10.65.25.x)

Error message before is from the ASA 5510

%ASA-6-106100: access-list inside.in permitted tcp inside/10.65.25.200(23560) -> outside/192.168.169.10(49663) hit-cnt 1 first hit [0xc12a6053, 0x0]

%ASA-6-106015: Deny TCP (no connection) from 10.65.25.200/23560 to 192.168.169.10/49663 flags SYN ACK  on interface inside

%ASA-6-106015: Deny TCP (no connection) from 10.65.25.200/23560 to 192.168.169.10/49663 flags SYN ACK  on interface inside

I have a server 2008 that i am trying to setup a PRTG probe that is on the DMZ side of Firewall (ASA 5520).

When I trying to started the probe from the 192.168.169.10 to 10.60.25.200

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎01-07-2014 01:00 PM

Also,

A TCP State Bypass configuration on the ASA for this traffic should be possible but I would not really recommend it since the original problem seems to suggest in a problematic network topology that would be better to correct instead of working around it.

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-07-2014 12:46 PM

Hi,

Seems to be a problem with the routing.

The ASA that is generating these log messages has not seen the original TCP SYN from the host 192.168.169.10 to host 10.65.25.200 but sees the TCP SYN ACK reply to the other direction which it drops since it has not seen the TCP SYN

This usually results in a network topology where there is an ASA which has a router or another firewall behind it and there are hosts in this network between the 2 devices. This causes a situation where a host behind the internal router/firewall will pass the original TCP SYN to the host in the network between the network devices and the host sends the TCP SYN ACK to its default gateway which in this situation would be the ASA and the ASA blocks this.

Atleast this it how it seems. Would really need to have a clearer picture of the network topology.

If the above is the situation you would most likely have to change the network setup or resort into NATing the traffic of the source host into the same network with the destination host so that the destination host would not send its traffic to the default gateway (because the host sees the traffic coming from directly connected network and therefore uses ARP to determine where to send the replys)

Hope this helps to narrow down the problem

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎01-07-2014 01:00 PM

Also,

A TCP State Bypass configuration on the ASA for this traffic should be possible but I would not really recommend it since the original problem seems to suggest in a problematic network topology that would be better to correct instead of working around it.

- Jouni

0 Helpful

Go to solution
Adam Coombs
Level 1
Level 1

‎01-10-2014 04:13 PM

I found the problem just need to add a route on the asa5510 network static route

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card