ASA blocking TCP Traffic...why?

Oct 24th, 2007

I'm having a problem with my ASA dropping TCP connections. I have a Websense box going to an ASA, then out to a Nokia/Checkpoint FW, and then to the outside. When I try pinging the outside, it works fine. However, as soon as I try any TCP traffic, the ASA blocks it. I checked the Checkpoint logs and everything is allowed to go through, but once it hits the ASA, it drops. I have all my interfaces set to allow all on the ASA, so I really can't see why it's doing this...

I attached a log file from my Websense box trying to access the internet. Anyone's help appreciated!


6 Oct 24 2007 11:18:42 106015 WEBSENSE Deny TCP (no connection) from WEBSENSE/1118 to flags RST on interface DMZ

Tue, 10/30/2007 - 07:57

Hi darkid123.

As described in the syslog reference for ASAs, it looks like asymmetric routing!?


Error Message %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

Explanation The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Recommended Action None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
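The recommended action above depends on knowing how many of these drops arrive and from where. The following is an added example, not part of the original posts or of Cisco's documentation: it parses 106015 messages in the format quoted above and counts them per source, interface and TCP flags. The function names, the threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Message 106015 as quoted from the syslog reference above. The destination is
# optional because some exports (like the line in the original question) omit it.
MSG_106015 = re.compile(
    r"106015\b.*?Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) to "
    r"(?:(?P<dst>\S+)/(?P<dport>\d+) )?flags (?P<flags>.+?) on interface (?P<ifc>\S+)"
)

def parse(line):
    """Return the fields of one 106015 message, or None for any other line."""
    m = MSG_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ifc"] = rec["ifc"].rstrip(".")  # tolerate a trailing full stop
    return rec

def summarize(lines, threshold=3):
    """Count drops per (source, interface, flags); keep groups at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["src"], rec["ifc"], rec["flags"])] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]

# Constructed sample input (documentation addresses), plus the line from the question.
SAMPLE = [
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/1118 to 198.51.100.7/80 flags RST on interface DMZ",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/1119 to 198.51.100.7/80 flags RST on interface DMZ",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/1120 to 198.51.100.7/80 flags RST on interface DMZ",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.0.2.10/1121 flags SYN ACK on interface outside",
    "%ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/80 (198.51.100.7/80) to DMZ:192.0.2.10/1122 (192.0.2.10/1122)",
    "6 Oct 24 2007 11:18:42 106015 WEBSENSE Deny TCP (no connection) from WEBSENSE/1118 to flags RST on interface DMZ",
]

if __name__ == "__main__":
    for (src, ifc, flags), n in summarize(SAMPLE):
        print(f"{n:4d}  {src:15s} {ifc:8s} {flags}")
```
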

purohit_810 Wed, 10/31/2007 - 07:42

Websense is dropping your Yahoo website. Open

- Dharmesh

