How to resolve Deny TCP (no connection) ACK and FIN ACK messages

jgrubbs
Level 1

Hello,

We currently have an ASA running 7.2(2).  We have NAT rules set up to change XXX.XXX.93.106 to 10.70.8.31 on port 636 for external LDAP connections.  This rule is working without a problem for two of our external websites.

We are trying to connect to another site but I continue to receive these messages:

6    Dec 16 2010    10:31:49    106015    75.126.254.94    xxx.xxx.93.106     Deny TCP (no connection) from 75.126.254.94/57631 to xxx.xxx.93.106/636 flags FIN ACK  on interface VPN_Outside

6    Dec 16 2010    10:31:49    106015    75.126.254.94    xxx.xxx.93.106     Deny TCP (no connection) from 75.126.254.94/57631 to xxx.xxx.93.106/636 flags ACK  on interface VPN_Outside

Here are the rules allowing traffic on port 636:

access-list VPN_Outside_access_in extended permit tcp object-group Wikispaces_LDAP host xxx.xxx.93.106 eq ldaps

Here are the IP addresses in Wikispaces_LDAP:

object-group network Wikispaces_LDAP
network-object host 75.126.102.45
network-object host 75.126.254.94
network-object host 208.43.219.254
network-object host 75.126.102.43
network-object host 208.43.219.251
network-object host 75.126.254.93
network-object host 75.126.102.44
network-object host 75.126.254.92
network-object host 208.43.205.127
network-object host 66.228.116.239
network-object host 208.43.219.250

Any ideas?

3 Replies

Kureli Sankar
Cisco Employee

Jason,

Could you pls. get the syslog for built and teardown for the same 4-tuple?

same sourceIP dest IP and source port and dest port.

-KS

6    Dec 16 2010    10:31:49    302013    75.126.254.94    10.70.8.31     Built inbound TCP connection 89414924 for VPN_Outside:75.126.254.94/57631 (75.126.254.94/57631) to Inside:10.70.8.31/636 (xxx.xxx.93.106/636)

The next two messages are the ones I already posted.  There is no teardown of the connection.

There has to be a teardown syslog - 302014. Unless you are not logging that message - do you have "no logging message 302014"?

If so pls. remove that.

I believe you are seeing those 106015 messages because those packets are arriving after the conn has been torn down.

-KS
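The check KS describes (find the built and teardown for the same 4-tuple, then see whether the 106015 denies land after the teardown) can be scripted. The block below is an added example, not code from the thread or from Cisco. It parses a constructed log in the ASA 302013 / 302014 / 106015 formats, using documentation addresses in place of the thread's hosts (198.51.100.94 for the external LDAP client, 203.0.113.106 for the mapped xxx.xxx.93.106, 10.70.8.31 for the real inside server), and tags each deny as a late ACK/FIN ACK for a conn the ASA had already torn down, a deny while a conn was still open, or a deny with no conn ever built for that tuple. It assumes each line starts with a `Mon DD YYYY HH:MM:SS` timestamp (as with `logging timestamp`); the exact prefix depends on how logging is set up.

```python
"""Correlate ASA 302013 (built) / 302014 (teardown) with 106015 'Deny TCP (no connection)'.

Added example, not from the thread or from Cisco. Keys every event on the 4-tuple as seen
on the outside interface: for 302013 that is the mapped (parenthesised) address pair,
which is what 106015 reports, since the packet never reaches the NAT step.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; documentation addresses stand in for the thread's hosts.
SAMPLE_LOG = """\
Dec 16 2010 10:31:48 %ASA-6-302013: Built inbound TCP connection 89414924 for VPN_Outside:198.51.100.94/57631 (198.51.100.94/57631) to Inside:10.70.8.31/636 (203.0.113.106/636)
Dec 16 2010 10:31:49 %ASA-6-302014: Teardown TCP connection 89414924 for VPN_Outside:198.51.100.94/57631 to Inside:10.70.8.31/636 duration 0:00:01 bytes 0 TCP Reset-I
Dec 16 2010 10:31:49 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.94/57631 to 203.0.113.106/636 flags FIN ACK  on interface VPN_Outside
Dec 16 2010 10:31:49 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.94/57631 to 203.0.113.106/636 flags ACK  on interface VPN_Outside
Dec 16 2010 10:32:05 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.77/40001 to 203.0.113.106/636 flags ACK  on interface VPN_Outside
"""

# Timestamp prefix assumed to be "Mon DD YYYY HH:MM:SS" with an optional trailing colon.
TS = r"(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}):?"
# 302013: iface:real/port (mapped/port) to iface:real/port (mapped/port); keep the mapped pairs.
BUILT = re.compile(
    TS + r" %ASA-\d-302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"\w+:[\d.]+/\d+ \((?P<src>[\d.]+)/(?P<sport>\d+)\) to "
    r"\w+:[\d.]+/\d+ \((?P<dst>[\d.]+)/(?P<dport>\d+)\)")
# 302014 carries the conn id plus duration, byte count and the teardown reason.
TEARDOWN = re.compile(
    TS + r" %ASA-\d-302014: Teardown TCP connection (?P<cid>\d+) for .* "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$")
DENY = re.compile(
    TS + r" %ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)")


def parse_ts(s):
    return datetime.strptime(" ".join(s.split()), "%b %d %Y %H:%M:%S")


def correlate(log_text):
    """Return one finding dict per 106015 line, in log order."""
    conns = {}                    # conn id -> state
    by_tuple = defaultdict(list)  # (src, sport, dst, dport) -> [conn ids]
    findings = []
    for line in log_text.splitlines():
        m = BUILT.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            conns[m["cid"]] = {"key": key, "built": parse_ts(m["ts"]), "torn": None, "reason": None}
            by_tuple[key].append(m["cid"])
            continue
        m = TEARDOWN.match(line)
        if m and m["cid"] in conns:
            conns[m["cid"]]["torn"] = parse_ts(m["ts"])
            conns[m["cid"]]["reason"] = m["reason"].strip() or None
            continue
        m = DENY.match(line)
        if not m:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        ts = parse_ts(m["ts"])
        finding = {"kind": "no_prior_conn", "key": key, "flags": m["flags"].strip(),
                   "iface": m["iface"], "conn_id": None, "teardown_reason": None}
        # Most recent conn for this tuple wins; a torn-down one explains the deny.
        for cid in reversed(by_tuple.get(key, [])):
            c = conns[cid]
            if c["torn"] is not None and c["torn"] <= ts:
                finding.update(kind="late_after_teardown", conn_id=cid, teardown_reason=c["reason"])
                break
            if c["torn"] is None and c["built"] <= ts:
                finding.update(kind="conn_open_unexpected", conn_id=cid)
                break
        findings.append(finding)
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["kind"], f["key"], f["flags"], f["conn_id"], f["teardown_reason"])
    print(summarize(correlate(SAMPLE_LOG)))
```

Feed it the output of `show logging` or a syslog archive. It only works if 302013 and 302014 are actually being logged (both are severity 6, informational), which is exactly what the `no logging message 302014` question above is checking. For a deny tagged `late_after_teardown`, the captured teardown reason says why the ASA dropped the conn first (a reset from the inside server, a FIN exchange, an idle timeout); denies on the LDAPS port with no prior conn at all are the ones that deserve a closer look.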
