
Deny TCP (No connection)

rmv72
Level 1

I have a router (f0/0 - 192.168.16.1) connected to a PIX (outside - 192.168.16.2, inside - 10.20.0.15).

Part of the PIX config:

access-list input permit ip 192.168.16.0 255.255.255.0 10.20.0.0 255.255.252.0

access-list input permit ip 192.168.16.0 255.255.255.0 10.10.0.0 255.255.252.0

static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.252.0 0 0

static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.252.0 0 0

access-group input in interface outside

route inside 10.10.0.0 255.255.252.0 10.20.0.16 2

.................

10.20.0.16 - core switch

----------------

I have a server 10.10.0.5, and pings to 192.168.16.1 never timed out.

But suddenly I had pings with timeouts (5-10 replies and 1-2 lost). At the moment the ping was lost I saw in the PIX logs:

Deny TCP (No connection ) from 192.168.16.1:outside to 10.10.0.5:inside

After 15 minutes the timeouts disappeared. How can this be explained?


rmv72
Level 1

I found an explanation of that error:

Log Message: %PIX-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags.

Explanation: This message is logged when the PIX Firewall discards a TCP packet that has no associated connection in the PIX Firewall unit's connection table. PIX Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.

Recommended Action: None required unless the PIX Firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

==============

But how is it possible in a working environment, and how can it be prevented in future?
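As an added example (not from the poster or from Cisco), a small Python parser for the 106015 message quoted above, plus the "large volume" check the recommended action asks for: it counts no-connection denies per source/destination pair so a sustained stream from one host stands out from the few denies that normally appear when a connection has timed out of the table. The sample log lines are constructed, and the threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Pattern for the message as documented in the reply above:
#   %PIX-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags.
# The poster's own line reads "from 192.168.16.1:outside to 10.10.0.5:inside", so
# both "/port" and ":interface" suffixes are accepted and the flags field is optional.
DENY_RE = re.compile(
    r"%PIX-6-106015: Deny TCP \([Nn]o connection\s*\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:[/:]\S+)? to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:[/:]\S+)?"
    r"(?: flags (?P<flags>[A-Z]+(?: [A-Z]+)*))?"
)

def parse_106015(line):
    """Return the fields of a 106015 line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": (m.group("flags") or "").split(),
    }

def noisy_sources(lines, threshold):
    """Return (src, dst, count) for pairs with at least `threshold` 106015 denies.

    A few denies around teardown or idle timeout are normal; a sustained stream from
    one source is the 'large volume' case the recommended action says to trace back."""
    counts = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec:
            counts[(rec["src"], rec["dst"])] += 1
    return [(s, d, n) for (s, d), n in counts.most_common() if n >= threshold]

# Constructed sample lines (not captured from the poster's PIX); the addresses
# reuse the thread's router (192.168.16.1), core switch and server (10.10.0.5).
SAMPLE_LOG = [
    "%PIX-6-106015: Deny TCP (No connection ) from 192.168.16.1:outside to 10.10.0.5:inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.16.1/80 to 10.10.0.5/33456 flags ACK",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.16.1/80 to 10.10.0.5/33457 flags FIN ACK",
    "%PIX-6-302013: Built inbound TCP connection 12 for outside:192.168.16.1/80 to inside:10.10.0.5/33458",
    "%PIX-6-106015: Deny TCP (no connection) from 10.20.0.16/443 to 10.10.0.5/40001 flags RST",
]

if __name__ == "__main__":
    for src, dst, n in noisy_sources(SAMPLE_LOG, threshold=2):
        print(f"{src} -> {dst}: {n} no-connection denies")
```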