02-27-2014 02:08 PM - edited 03-11-2019 08:51 PM
Feb 27 2014 17:02:10: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags RST on interface visitor
Feb 27 2014 17:02:04: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags ACK on interface visitor
Feb 27 2014 17:01:58: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags SYN on interface visitor
Hi Everyone,
I was testing a new VPN IPsec remote connection from our visitor network and got the logs above.
Do these logs indicate that the ASA sees no route from the interface named visitor, from source 192.168 to 200.x.x?
Remote VPN works fine from the Internet.
Regards
Mahesh
Message was edited by: mahesh parmar
02-27-2014 11:36 PM
Hi Mahesh,
Where is the VPN device located to which the "visitor" user is connecting to?
Is it possibly the same ASA that is showing these logs? That would possibly mean that you are trying to connect to the external interface of the ASA which would be impossible other than from behind that external interface.
Might need more description of the situation and/or see some configurations from the ASA to determine what the situation is.
- Jouni
02-28-2014 07:34 AM
Hi Jouni,
VPN client works fine from internet.
Setup is
--------ASA1 Internet---------------ASA2 VPN
Internet ASA1 has an interface called visitor where my PC is connected, and I am trying to VPN to the corp network.
This never worked before, so I am in charge of making this happen.
I am trying to reach IP 200.x, which is the VPN ASA's outside interface.
Regards
Mahesh
02-28-2014 07:42 AM
Mahesh
In your original post you ask if it might be an issue that the ASA does not see a route for the destination. In my experience when the ASA does not have a route it will have that in the error message. So I do not believe that this issue is a routing issue. I suspect that it is more likely an issue of security level between the interface where you are connected and the interface through which you need to go. Can you identify the security level of the interfaces involved on ASA1? And are any access lists configured on the ASA for those interfaces?
HTH
Rick
02-28-2014 07:54 AM
Hi Rick,
Nice to see a reply from you.
ASA1 interface visitor, where the PC is connected, has security level 5.
When a user connects from the internet, traffic flows via ASA1 interface outside to interface VPN.
The ASA1 interface from which I need to reach ASA2 is VPN, and it has a security level of 5.
Interface visitor has an ACL from any to any.
Regards
Mahesh
03-05-2014 08:25 AM
Hi Rick,
It was not a routing issue; both interfaces of ASA1 (Internet) had the same security level.
Changing the security level of one interface fixed the problem.
Regards
Mahesh
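A small triage helper for the %ASA-2-106001 lines at the top of this thread, added here as an example and not posted by any participant: it groups the denies by flow and ingress interface and lists the TCP flags in time order, which shows that the very first packet (the SYN) was refused on interface visitor. The function names and the regular expression are assumptions built only from the three quoted log lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the three syslog lines quoted in the first post (destination redacted there).
SAMPLE = """\
Feb 27 2014 17:02:10: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags RST on interface visitor
Feb 27 2014 17:02:04: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags ACK on interface visitor
Feb 27 2014 17:01:58: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags SYN on interface visitor
"""

# Assumed pattern, derived from the quoted lines; flags may be several words (e.g. "SYN ACK").
DENY_106001 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-2-106001: "
    r"Inbound TCP connection denied from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) +on interface (?P<ifc>\S+)"
)

def parse_denies(text):
    """Return one dict per %ASA-2-106001 line; any other line is skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_106001.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %Y %H:%M:%S")
            events.append(e)
    return events

def summarize(events):
    """Group denies per flow and ingress interface, flags in logged time order."""
    flows = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        flows[(e["ifc"], e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    report = []
    for (ifc, src, sport, dst, dport), evs in flows.items():
        flags = [e["flags"] for e in evs]
        report.append({
            "interface": ifc, "src": f"{src}/{sport}", "dst": f"{dst}/{dport}",
            "flags": flags,
            "span_seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds()),
            # First logged packet was a SYN: the connection attempt itself was refused.
            "syn_denied": "SYN" in flags[0].split(),
        })
    return report

if __name__ == "__main__":
    for row in summarize(parse_denies(SAMPLE)):
        print(row)
```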