05-08-2014 02:41 PM - edited 03-11-2019 09:10 PM
Hi Everyone,
User is trying to access a server.
He goes via
USer PC -----------ASA1------------------Lan network ------------ASA2-----Lan network---------Server
PC IP 172.16.90.20
Server IP 172.20.251.8
%ASA-6-302013: Built inbound TCP connection 390737788 for dmz:172.16.90.20/49322 (172.16.90.20/49322) to G:172.20.251.8/443 (172.20.251.8/443)
%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R
Routing on ASA1
route G 172.16.0.0 255.240.0.0 172.16.100.200
ASA2 has logs
%ASA-6-302013: Built outbound TCP connection 150409110 for R:172.20.251.8/443 (172.20.251.8/443) to G:172.16.90.20/49322 (172.16.90.20/49322)
May 07 2014 21:45:58: %ASA-6-302014: Teardown TCP connection 150409110 for R:172.20.251.8/443 to G:172.16.90.20/49322 duration 0:00:30 bytes 0 SYN Timeout
Routing on ASA2
route R 172.20.251.0 255.255.255.0 172.24.100.200
How can i fix this issue?
To me seems routing issue?
Regards
Mahesh
Solved! Go to Solution.
05-12-2014 05:21 AM
Ok, looking closer I see the return traffic is being denied because it comes in via interface R:
Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R
But your routing says that network should be reached via interface G:
route G 172.16.0.0 255.240.0.0 172.16.100.200
That is asymmetric routing and is not supported by the ASA.
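To make the reverse-path check in the accepted answer concrete, here is an added Python example (not code from the thread or from Cisco) that models unicast RPF the way the 106021 message describes it: a packet is accepted only if the route back to its source address points out the interface it arrived on. The routing table is constructed for illustration; only the 172.16.0.0/12 route is quoted in the post, the other two entries are assumptions that make the posted dmz-to-G forward flow possible. The log line is copied from the original post.

```python
import ipaddress
import re

# Constructed routing table for ASA1, modelled on the thread. Only the
# 172.16.0.0/12 route is quoted on the page; the other two entries are
# assumptions that make the forward flow (dmz -> G) in the posted 302013
# log line possible.
ASA1_ROUTES = [
    ("G",   "172.16.0.0/12",   "172.16.100.200"),  # quoted in the post
    ("G",   "172.20.251.0/24", "172.16.100.200"),  # assumed: server subnet reached via G
    ("dmz", "172.16.90.0/24",  None),              # assumed: connected route for the PC subnet
]

# Log line copied from the original post.
DENY_LINE = ("%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 "
             "to 172.16.90.20 on interface R")

RPF_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\w+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def lookup(routes, ip):
    """Longest-prefix match: return (interface, network) for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for iface, prefix, _nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best


def rpf_check(routes, src_ip, ingress_iface):
    """Unicast RPF: accept only if the route to the packet's *source* address
    points out the interface the packet arrived on.
    Returns (accepted, interface_the_route_points_to)."""
    match = lookup(routes, src_ip)
    if match is None:
        return False, None  # no route back to the source at all
    expected = match[0]
    return expected == ingress_iface, expected


def explain(line, routes):
    """Parse a 106021 syslog line and report where the ASA expected the
    source to be reachable, and therefore whether the path is asymmetric."""
    m = RPF_RE.search(line)
    if not m:
        return None
    accepted, expected = rpf_check(routes, m["src"], m["iface"])
    return {
        "src": m["src"],
        "dst": m["dst"],
        "arrived_on": m["iface"],
        "route_to_src_via": expected,
        "asymmetric": not accepted,
    }


if __name__ == "__main__":
    # The posted deny: the source 172.20.251.8 is routed via G, but the
    # packet arrived on R, so the check fails.
    print(explain(DENY_LINE, ASA1_ROUTES))
    # The same return packet arriving on G, i.e. once the path is symmetric.
    print(rpf_check(ASA1_ROUTES, "172.20.251.8", "G"))
```

Running the script against the posted line reports `route_to_src_via: G` and `asymmetric: True`, which is the situation the answer describes; once the server-side routing sends the reply back through the same interface the SYN left on, the same packet passes. Correcting the routing, as the original poster eventually did, is the fix; the check is doing its job by refusing a reply that arrives on an interface the ASA never expected to see that source on.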
05-08-2014 10:03 PM
Hello Mahesh,
The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection request, and, in most cases, is not related to the configuration on PIX/ASA.
Check the default gateway of your server.
HTH
05-10-2014 06:03 PM
Hi Poonam,
Server is configured correctly with gateway. Users connected behind ASA2 have no issues.
Regards
Mahesh
05-11-2014 12:01 PM
Mahesh,
Is NAT set up on ASA1? The 106021 syslog message you are getting there could indicate your NAT rules are asymmetric.
05-11-2014 04:29 PM
Hi Marvin,
There is no NAT on ASA1 and also on ASA2.
Regards
Mahesh
05-13-2014 01:43 PM
Hi Marvin,
It was an asymmetric routing issue that has been fixed.
Traffic flow was like this
user ----DMZ_int----ASA1----G_int---------------G_int----------ASA2-------R_int---server
On ASA1 it was coming back on R_int that was due to asymmetric routing.
I fixed the static routing on switch where server is connected to point to int_R for return traffic and that fixed the issue.
Regards
Mahesh