thanks for all!

weichenyang · ‎11-06-2015

Hello：

microsoft access use sql server native client 11 to connect to sql server. cisco asa drop packets.

event log show the reason is first tcp packet on flow does not contain syn.

does anyone can help me?

thanks

Rishabh Seth · ‎11-06-2015

Hi,

This can happen if there is assymetric routing in the network.

Packets for a TCP session should traverse the same ingress and egress interface in order to get processed under same session. Due to assymetric routing the packets can land to differnt interface for a tcp session and firewall will drop it.

Check if the traffic that is getting denied is hitting the firewall on the correct interface.

Share your findings.

Thanks,

R.Seth

Shivapramod M · ‎11-06-2015

Hi,

This is expected behaviour on the firewall. The firewall is a stateful device and it expects the first packet of any TCP connection must have only SYN flag to have value 1 which means the first packet must be a SYN. If the firewall gets any other packet like ACK then it will drop the packet. You have to check your network to see if there is any asymetric routing where request and response takes different path.

From the firewall point of view we can do the tcp state bypass which will resolve the issue, but the firewall will not act as a stateful device for this specific traffic.

Please refer the below document

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html

Thanks,

Shivapramod M

weichenyang · ‎11-06-2015

thanks for all!

why is assymetric routing in the network?

client in lan, server in dmz. no any network environment changing.

i will keep on checking on monday.

weichenyang · ‎11-15-2015

everything is fine except odbc link error and asa web admin error.

restart asa, it is ok.