ASA 5505:Static Routing and Deny TCP connection because of bad flag

p.pegouret · ‎09-24-2007

Hi Everybody,

I have a problem. I made a VPN site-2-site with 2 ASA 5505. The VPN works great. And I create a redondant link if the VPN failed.

In fact, I use Dual ISP with route tracking. If the VPN fails, the default route change to an ISDN router, situated on the inside interface.

When I simulated a VPN fail, the ASAs routes switch automatically on backup ISDN routers. If I ping elements, it works great. But when i try TCP connection like telnet, the ASAs deny connections:

%PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.

the security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

thanks!

EDIT: On the schema, The interface of the main asa is 172.16.18.148...

didyap · ‎09-28-2007

Check if the xlate timer is set greater than or equal to what the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound" . The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.