inbound TCP connection denied flags SYN on interface inside

Joan Perez Esteban
Cisco Employee

Hi people, here again,

I am having a problem with traffic from the inside network to the outside network: traffic is being dropped and I don't know why or how to fix it. My setup is as follows:

On the outside network there is a router directly connected to the ASA (through the outside network 10.15.1.x); this router creates a different network, 172.16.35.x.

I need to reach the 172.16.35.x network from the internal network. I can't; packets are dropped with the message:

%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

I created an access rule to permit IP traffic from inside to network 172.16.35.x, which is connected to the outside interface through the router.
Still not working...

Thanks in advance,

Juan
11 Replies

blau grana
Level 7

Hello Juan,

Try the packet-tracer feature to find out where the problem is.

https://supportforums.cisco.com/docs/DOC-5796

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

http://www.techrepublic.com/blog/networking/cisco-asa-packet-trace-your-firewall-debug-friend/1482

Best Regards

Please rate all helpful posts and close solved questions


Jouni Forss
VIP Alumni

Hi,

Would need to see the configurations.

Based on the error message it would seem to me that this is not a problem with an ACL or NAT.

- Jouni

Hi Blau grana and Jouni,

You're right. After too much time configuring and unconfiguring the box, I missed adding the route in the ASA. It is working fine now.

Thanks for your time,

Juan

I had similar issue, and I fixed it by looking at my security levels.

Ly Cao
Level 1

Hi there,

I have the same issue as Juan described. I can access any website except anything related to Google (Gmail, Google search, YouTube).

Deny inbound UDP from internal IP/port to 172.217.9.142/443 flags SYN on interface Inside

any ideas what could cause it?

thanks 

Lee

Can you run packet-tracer for one of the addresses you are having issues accessing? It should tell you where the packet is getting dropped and why.

Cofee,

Thanks for the quick response. Everything worked fine until today. Nothing has changed in the firewall or in the internal routing. Strange! Please find the packet-tracer output attached:

Lee

The packet-tracer result you sent me shows the packet being dropped by a configured ACL.

I'm having the same issue as well, trying to go from an XXXdmz host to a YYYYDMZ web server over https.

2   10:18:00 106001 10.60.65.1 25812 10.11.167.110 443 Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz

XXXdmz is security level 30, as is the YYYYDMZ I'm trying to reach. Routes are dynamically learned.

packet-tracer input ccidmz tcp 10.60.65.1 25812 10.11.167.110 443

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.11.167.0    255.255.255.0   via 172.16.160.1, YYYYDMZ (resolved, timestamp: 528790)

Phase: 4
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.160.0    255.255.255.248 YYYYDMZ

Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.160.1 using egress ifc  YYYYDMZ

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: XXXdmz
input-status: up
input-line-status: up
output-interface: YYYYDMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
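As an added example that is not part of any post in this thread: a small Python parser for packet-tracer output like the trace above. It splits the output into phases, returns the first phase whose Result is DROP together with the Drop-reason code from the trailing summary, and turns that into a one-line verdict, so the failing phase can be read off a long trace without scanning it by hand. The embedded trace is a constructed, abridged copy of the poster's output (only phases 1 and 6 and part of the summary are kept; XXXdmz and YYYYDMZ are the poster's own placeholders), and the hint wording in diagnose() is this example's own, not ASA output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, abridged copy of the trace posted above (phases 2-5 and the status lines left out).
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: XXXdmz
output-interface: YYYYDMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELD_RE = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
MULTILINE = ("Config", "Additional Information")  # free text may follow these two headers


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: str
    info: str


def parse_packet_tracer(text: str):
    """Split packet-tracer output into Phase records plus the trailing Result summary."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            fields = dict.fromkeys(("Phase", "Type", "Subtype", "Result") + MULTILINE, "")
            current = None  # header whose continuation lines are being collected
            for line in lines:
                m = FIELD_RE.match(line)
                if m:
                    fields[m.group(1)] = m.group(2).strip()
                    current = m.group(1) if m.group(1) in MULTILINE else None
                elif current:
                    fields[current] = (fields[current] + " " + line.strip()).strip()
            phases.append(Phase(int(fields["Phase"]), fields["Type"], fields["Subtype"],
                                fields["Result"], fields["Config"], fields["Additional Information"]))
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, val = line.partition(":")
                summary[key.strip()] = val.strip()
    return phases, summary


def first_drop(phases) -> Optional[Phase]:
    """The phase that killed the packet; None if every phase returned ALLOW."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def drop_reason(summary) -> Optional[tuple]:
    """Split 'Drop-reason: (acl-drop) Flow is denied ...' into (code, text)."""
    m = re.match(r"\((?P<code>[^)]+)\)\s*(?P<text>.*)", summary.get("Drop-reason", ""))
    return (m.group("code"), m.group("text")) if m else None


def diagnose(text: str) -> str:
    """One-line verdict; the hint wording here is this example's own, not ASA output."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "allowed: no phase returned DROP"
    reason = drop_reason(summary)
    code = reason[0] if reason else "unknown"
    where = (f"phase {drop.number} ({drop.type}) on "
             f"{summary.get('input-interface', '?')} -> {summary.get('output-interface', '?')}")
    if drop.type == "ACCESS-LIST" and drop.config == "Implicit Rule":
        # No configured ACE matched, so the implicit deny applied: check both interfaces'
        # security levels (equal levels need same-security-traffic permit inter-interface)
        # and whether an ACL on the input interface actually permits this flow.
        return f"{code} at {where}: implicit deny, check security levels and the ingress ACL"
    return f"{code} at {where}: {drop.config or 'see configuration'}"
```

Feed it the raw text of `packet-tracer ... detailed` copied from the console; the summary block is recognised by its bare `Result:` header, so extra status lines in the summary are kept as additional keys.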


I was experiencing the same issue and was scratching my head for hours (or more like two days). Adding and deleting rules, messing with policies, all for nothing. But finally I have figured it out. The solution was trivial.

As it happens, ASA by default will reject anything between interfaces if the SECURITY LEVEL is THE SAME. Sick!!!

As soon as you set them to different values, traffic is passed. You can have 5 on Inside and 45 on DMZ, or vice versa; it does not matter as long as they are different.

So it is worth checking, and hopefully someone will benefit from this tip.

Cheers!
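An added example, not from this thread or from Cisco: Python that parses both 106001 wordings quoted above and applies the ASA default inter-interface rules the replies describe (equal security levels are denied unless same-security-traffic permit inter-interface is configured; higher to lower is permitted by default; lower to higher needs an ACL on the ingress interface that permits the flow). The log lines, the interface security levels and the route table are all constructed for the example; the egress interface is looked up in that constructed table because the 106001 message itself only names the ingress interface.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the two 106001 wordings quoted in this thread
# (the second is the ASDM-style wording as posted; UDP has no SYN flag, kept verbatim).
SAMPLE_LOGS = [
    "%ASA-2-106001: Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz",
    "%ASA-2-106001: Deny inbound UDP from 192.168.10.20/51000 to 172.217.9.142/443 flags SYN on interface Inside",
]

# Constructed interface table and route table; not taken from any real device.
LEVELS = {"Inside": 100, "XXXdmz": 30, "YYYYDMZ": 30, "outside": 0}
ROUTES = [("10.11.167.0/24", "YYYYDMZ"), ("0.0.0.0/0", "outside")]
SAME_SECURITY_INTER = False  # 'same-security-traffic permit inter-interface' not configured

LOG_RE = re.compile(
    r"(?:Inbound (?P<p1>\w+) connection denied|Deny inbound (?P<p2>\w+)) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: flags (?P<flags>.+?))? on interface (?P<ifc>\S+)"
)


@dataclass
class Denied:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    ingress: str


def parse_106001(line: str) -> Optional[Denied]:
    """Parse either 106001 wording; None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Denied((m.group("p1") or m.group("p2")).upper(), m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), m.group("flags") or "", m.group("ifc"))


def egress_interface(dst: str, routes) -> Optional[str]:
    """Longest-prefix match over the constructed route table; None means no route."""
    addr = ipaddress.ip_address(dst)
    for net, ifc in sorted(routes, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, reverse=True):
        if addr in ipaddress.ip_network(net):
            return ifc
    return None


def default_policy(ingress_level: int, egress_level: int, same_security_inter: bool) -> str:
    """ASA default treatment of a flow that no configured ACE on the ingress interface matches."""
    if ingress_level == egress_level:
        if same_security_inter:
            return "permit"
        return "deny: equal security levels; add 'same-security-traffic permit inter-interface' or change a level"
    if ingress_level > egress_level:
        return "permit"  # higher to lower is allowed without an ACL
    return "deny: lower to higher security level; an ACL applied to the ingress interface must permit it"


def triage(line: str, levels=LEVELS, routes=ROUTES, same_security_inter=SAME_SECURITY_INTER) -> dict:
    """Combine the log line with the (constructed) tables to say why the ASA said no."""
    ev = parse_106001(line)
    if ev is None:
        return {"parsed": False}
    egress = egress_interface(ev.dst, routes)
    if egress is None:
        return {"parsed": True, "egress": None, "verdict": "no route to destination; add the route before judging policy"}
    if ev.ingress not in levels or egress not in levels:
        return {"parsed": True, "egress": egress, "verdict": "interface missing from the security-level table"}
    verdict = default_policy(levels[ev.ingress], levels[egress], same_security_inter)
    if verdict == "permit":
        verdict = "default policy permits; look for a configured ACL that denies it and confirm with packet-tracer"
    return {"parsed": True, "flow": f"{ev.proto} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}",
            "ingress": ev.ingress, "egress": egress,
            "levels": (levels[ev.ingress], levels[egress]), "verdict": verdict}
```

Run triage() over each line of a syslog export with your own interface levels and routes filled in; for the first constructed line the verdict is the equal-security-level case from the post above, for the second the default policy already permits the flow, which points at a configured ACL as in Lee's trace.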

That was it. Thanks for posting!
