11-06-2015 04:39 AM - edited 03-11-2019 11:50 PM
Hello:
Microsoft Access uses SQL Server Native Client 11 to connect to SQL Server. The Cisco ASA drops packets.
The event log shows the reason is "first TCP packet on flow does not contain SYN".
Can anyone help me?
thanks
11-06-2015 04:59 AM
Hi,
This can happen if there is asymmetric routing in the network.
Packets for a TCP session should traverse the same ingress and egress interfaces in order to get processed under the same session. Due to asymmetric routing, the packets of a TCP session can land on a different interface, and the firewall will drop them.
Check whether the traffic that is getting denied is hitting the firewall on the correct interface.
Share your findings.
Thanks,
R.Seth
11-06-2015 05:00 AM
Hi,
This is expected behaviour on the firewall. The firewall is a stateful device, and it expects the first packet of any TCP connection to have only the SYN flag set to 1, which means the first packet must be a SYN. If the firewall gets any other packet, such as an ACK, it will drop the packet. You have to check your network to see if there is any asymmetric routing where the request and the response take different paths.
From the firewall's point of view, we can configure TCP state bypass, which will resolve the issue, but the firewall will then not act as a stateful device for this specific traffic.
Please refer to the document below:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html
Thanks,
Shivapramod M
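Both replies above say the same thing: the ASA logs these drops because a non-SYN packet arrived on an interface with no matching connection, and the usual cause is that one direction of the flow is entering on an unexpected interface. The script below is an added example, not part of this thread or of any Cisco tool, that parses a few constructed lines in the format of ASA syslog message 106015 ("Deny TCP (no connection) ... flags ... on interface ...") and checks, against an assumed mapping of subnets to their expected ingress interface, whether the denied traffic is arriving on the wrong side of the firewall. The addresses, ports, interface names and the `EXPECTED_INGRESS` table are all assumptions made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the shape of ASA message 106015.
# All addresses, ports and interface names are invented for this example.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 10.20.30.40/1433 to 192.168.1.25/52341 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.20.30.40/1433 to 192.168.1.25/52342 flags PSH ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.20.30.40/1433 to 192.168.1.25/52343 flags FIN ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/443 to 192.168.1.50/40001 flags ACK on interface outside
"""

# Assumed topology for this example: the interface on which the ASA should
# see packets whose source lies in each subnet (server in the DMZ, clients
# on the inside network, as in the original question).
EXPECTED_INGRESS = {
    "10.20.30.0/24": "dmz",
    "192.168.1.0/24": "inside",
}

LINE_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_denies(text):
    """Return one dict per 106015 line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["flags"] = d["flags"].split()
        events.append(d)
    return events


def count_by_flow(events):
    """Count denials per (source, destination, ingress interface) triple."""
    return Counter((e["src"], e["dst"], e["iface"]) for e in events)


def find_asymmetric(events, expected=EXPECTED_INGRESS):
    """Flag denials whose source subnet should not be seen on that interface.

    Returns (src, dst, actual_iface, expected_iface) tuples. Sources outside
    every known subnet are skipped because nothing can be said about them.
    """
    nets = [(ipaddress.ip_network(n), iface) for n, iface in expected.items()]
    findings = []
    for e in events:
        src = ipaddress.ip_address(e["src"])
        for net, iface in nets:
            if src in net:
                if iface != e["iface"]:
                    findings.append((e["src"], e["dst"], e["iface"], iface))
                break
    return findings


if __name__ == "__main__":
    evts = parse_denies(SAMPLE_LOG)
    for flow, n in count_by_flow(evts).most_common():
        print(f"{n:4d} x {flow[0]} -> {flow[1]} on {flow[2]}")
    for src, dst, actual, expected in find_asymmetric(evts):
        print(f"possible asymmetric path: {src} -> {dst} arrived on "
              f"'{actual}', expected '{expected}'")
```

In the constructed sample, the DMZ server's replies (source port 1433, the SQL Server port) are all being denied on the inside interface, which is exactly the pattern the replies describe: the return path is entering the ASA on a different interface from the request, so the first packet the firewall sees for that flow is an ACK rather than a SYN. Feeding real `show logging` output in place of `SAMPLE_LOG` and adjusting `EXPECTED_INGRESS` to the actual topology is enough to run the same check; a large count on one wrong interface points at a routing problem rather than at the firewall.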
11-06-2015 06:07 PM
Thanks, all!
Why is there asymmetric routing in the network?
The client is in the LAN and the server is in the DMZ. There have been no changes to the network environment.
I will keep checking on Monday.
11-15-2015 08:48 PM
Everything is fine except an ODBC link error and an ASA web admin error.
After restarting the ASA, it is OK.