18057
Views
5
Helpful
9
Replies
Cisco Employee

inbound TCP connection denied flags SYN on interface inside

Hi people, here again ,

I am having a problem with traffic from the inside network to the outside network: traffic is being dropped and I don't know why or how to fix it. My setup is as follows:

In the outside network there is a router directly connected to the ASA (through the outside network 10.15.1.x); this router creates a different network, 172.16.35.x.

I need to access the 172.16.35.x network from the internal network. I can't; packets are dropped with the message:

%ASA-2-106001: Inbound TCP connection denied from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name


I created an access rule to permit IP traffic from inside to the 172.16.35.x network, which is connected to the outside interface through the router.
Still not working...

Thanks in advance,

Juan
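The %ASA-2-106001 message quoted above has a fixed field layout (protocol, source IP/port, destination IP/port, TCP flags, ingress interface). As an added example that is not part of this thread or of any Cisco tooling, the Python below parses such lines out of a syslog feed, counts denied attempts per ingress interface and destination so that repeated drops stand out, and builds the packet-tracer command (in the form used later in this thread) that reproduces one of the denied flows. The log lines are constructed samples modelled on the messages in the thread, not real logs from anyone's device.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the 106001 messages quoted in this
# thread (the DMZ-to-DMZ line and the Google address from Lee's post). The 302013
# "Built connection" line is included only to show that other messages are skipped.
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz
%ASA-2-106001: Inbound TCP connection denied from 10.60.65.1/25813 to 10.11.167.110/443 flags SYN on interface XXXdmz
%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/51000 to 172.217.9.142/443 flags SYN on interface Inside
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.11/52000 (192.0.2.11/52000)
"""

# Field layout of 106001: "Inbound <proto> connection denied from <src>/<sport>
# to <dst>/<dport> flags <tcp_flags> on interface <ifc>" (the message is TCP-only,
# the protocol group is kept generic so the regex documents the layout).
DENY_106001 = re.compile(
    r"%ASA-(?P<sev>\d)-106001: Inbound (?P<proto>[A-Z]+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)


def parse_106001(line):
    """Return the message fields as a dict, or None for any other message."""
    m = DENY_106001.search(line)  # search(): tolerate a timestamp/host prefix from the syslog relay
    return m.groupdict() if m else None


def summarize(log_text):
    """Count denied attempts per (ingress interface, proto, dst, dport).
    Keys that keep recurring are the flows worth feeding to packet-tracer."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106001(line)
        if rec:
            counts[(rec["ifc"], rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts


def packet_tracer_command(rec):
    """Build the packet-tracer invocation that reproduces one denied flow:
    packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>."""
    return (f"packet-tracer input {rec['ifc']} {rec['proto'].lower()} "
            f"{rec['src']} {rec['sport']} {rec['dst']} {rec['dport']}")


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    first = parse_106001(SAMPLE_LOG.splitlines()[0])
    print(packet_tracer_command(first))
```

Running the script on the sample prints two hits for the XXXdmz to 10.11.167.110/443 flow and one for the Inside to 172.217.9.142/443 flow, followed by the packet-tracer line for the first record; on a real feed, point `summarize` at the syslog file instead of `SAMPLE_LOG`.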
9 REPLIES
Rising star

inbound TCP connection denied flags SYN on interface inside

Hello Juan,

Try the packet-tracer feature to find out where the problem is.

https://supportforums.cisco.com/docs/DOC-5796

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

http://www.techrepublic.com/blog/networking/cisco-asa-packet-trace-your-firewall-debug-friend/1482

Best Regards

Please rate all helpful posts and close solved questions

Mentor

inbound TCP connection denied flags SYN on interface inside

Hi,

I would need to see the configurations.

Based on the error message it would seem to me that this is not a problem with an ACL or NAT.

- Jouni

Cisco Employee

inbound TCP connection denied flags SYN on interface inside

Hi Blau grana and Jouni,

You're right. Too much time configuring and unconfiguring the box; I missed adding the route in the ASA. It is working fine now.

Thanks for your time,

Juan


I had a similar issue, and I fixed it by looking at my security levels.

Beginner

Hi there, 

I have the same issue as Juan described. I can access any website except anything related to Google (Gmail, Google search, YouTube).

Deny inbound UDP from internal IP/port to 172.217.9.142/443 flags SYN on interface Inside

Any ideas what could cause it?

Thanks

Lee

Contributor

Can you run packet tracer for one of the addresses you are having issues accessing? It should tell you where the packet is getting dropped and why.

Beginner

Cofee,

Thanks for the quick response. Everything worked fine until today. Nothing has changed in the firewall or in the internal routing. Strange! Please find the packet trace attached:

Lee

Contributor

The packet tracer result that you sent me is dropping the packet due to a configured ACL.

Beginner

Re: The packet tracer result that

I'm having the same issue as well, trying to go from an XXXdmz host to a YYYYDMZ web server over HTTPS.

2   10:18:00 106001 10.60.65.1 25812 10.11.167.110 443 Inbound TCP connection denied from 10.60.65.1/25812 to 10.11.167.110/443 flags SYN on interface XXXdmz


XXXdmz is security level 30, as is the YYYYdmz that I'm trying to go to. Routes are dynamically learned.

packet-tracer input ccidmz tcp 10.60.65.1 25812 10.11.167.110 443

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.11.167.0    255.255.255.0   via 172.16.160.1, YYYYDMZ (resolved, timestamp: 528790)

Phase: 4
Type: RECURSIVE-ROUTE-LOOKUP
Subtype: Recursive Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.160.0    255.255.255.248 YYYYDMZ

Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.160.1 using egress ifc  YYYYDMZ

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: XXXdmz
input-status: up
input-line-status: up
output-interface: YYYYDMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
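The packet-tracer output above is a sequence of blank-line-separated phases, each a set of "Key: value" lines with free-text continuation lines (route entries, "Implicit Rule"), followed by a final Result block carrying the input/output interfaces, the action and the drop reason. As an added example that is not from this thread, from Cisco, or from any of the posters, the Python below parses that format, locates the phase that dropped the packet, and for the case shown here (an implicit-rule ACL drop between two interfaces that the poster says are both security level 30) reports the ASA setting that governs traffic between equal-security interfaces. The embedded trace is an abbreviated copy of the one posted (phases 2 to 4 left out for length), and the security levels are the values the poster stated; both are assumptions of this example, not data the script could read from the output itself.

```python
import re

# Constructed sample: abbreviated copy of the packet-tracer output posted above
# (phases 1, 5 and 6 plus the Result block; phases 2-4 omitted for length).
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.160.1 using egress ifc  YYYYDMZ

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: XXXdmz
input-status: up
input-line-status: up
output-interface: YYYYDMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Interface security levels as stated by the poster (assumed input; packet-tracer
# output does not carry them).
SEC_LEVELS = {"XXXdmz": 30, "YYYYDMZ": 30}

# "Key: value" lines. Free-text lines (routes, "Implicit Rule") lack this shape
# and are appended to the value of the preceding key.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")


def parse_blocks(text):
    """Split the output on blank lines into dicts of key -> value."""
    blocks, cur, last = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if cur:
                blocks.append(cur)
            cur, last = {}, None
            continue
        m = KEY_RE.match(line)
        if m:
            last = m.group(1)
            cur[last] = m.group(2)
        elif last is not None:
            cur[last] = (cur[last] + "\n" + line.strip()).strip()
    if cur:
        blocks.append(cur)
    return blocks


def parse_packet_tracer(text):
    """Return (list of phase dicts, final Result dict); the Result block is the
    one carrying the Action key."""
    blocks = parse_blocks(text)
    phases = [b for b in blocks if "Phase" in b]
    result = next((b for b in blocks if "Action" in b), {})
    return phases, result


def find_drop(phases):
    """First phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)


def diagnose(text, sec_levels):
    """Name the dropping phase and reason; for an implicit-rule ACL drop between
    interfaces of equal security level, point at the ASA setting for that case."""
    phases, result = parse_packet_tracer(text)
    drop = find_drop(phases)
    if drop is None:
        return "no DROP phase found; action=" + result.get("Action", "?")
    m = re.match(r"\((\S+)\)\s*(.*)", result.get("Drop-reason", ""))
    code, why = (m.group(1), m.group(2)) if m else ("?", "")
    ifin, ifout = result.get("input-interface"), result.get("output-interface")
    msg = f"dropped in phase {drop['Phase']} ({drop['Type']}): {code}: {why}"
    if (code == "acl-drop" and drop.get("Config") == "Implicit Rule"
            and ifin in sec_levels and sec_levels[ifin] == sec_levels.get(ifout)):
        msg += (f"; {ifin} and {ifout} are both security level {sec_levels[ifin]}, so "
                "traffic between them needs 'same-security-traffic permit inter-interface' "
                "(plus an explicit permit if an ACL is applied to the ingress interface)")
    return msg


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SEC_LEVELS))
```

The equal-security-level hint is deliberately narrow: it fires only when the dropping phase is an ACCESS-LIST phase whose Config is "Implicit Rule" and the drop reason is acl-drop, which is exactly the combination in the output above; an explicit ACL drop prints the access-group line under Config instead, and the script then reports only the phase and reason.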