ASA doesn't route the packet

Unanswered Question
Dec 11th, 2007
User Badges:

I have an ASA 5500 and it has a gateway of my Lan.

The asa rotates the packets destined to 2 remote nets toward a router cisco,through a chart of static routes.

The problem is that it only passes the ping toward the remote lan, while all the other protocols and sessions are blocked !!!!

Only ICMP packet are forwarding.

I have capture this message into the ASA log:

" 106015 TCP (no connection) from to flags RST on interface LAN.

Best Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Tue, 12/11/2007 - 10:14
User Badges:
  • Purple, 4500 points or more

Can you post a diagram with IPs?

husycisco Wed, 12/12/2007 - 00:59
User Badges:
  • Gold, 750 points or more


IP adresses in diagram and in you post do not match. Can you correct please?

Also please run

sh run access-group

access-group xxxx in interface inside

If you see a line like above, (xxxx is your acl name) please send the output of

sh run access-list xxxx

husycisco Wed, 12/12/2007 - 00:49
User Badges:
  • Gold, 750 points or more

If this was a routing issue, you would have the following log in syslog

No route to host

This looks like an ACL issue. Is in your inside network (inside interface)? And where is located? DMZ interface?

michelerossi Wed, 12/12/2007 - 01:37
User Badges:


but this is the correct message:

106015 Deny TCP (no connection) from to flags RST on interface LAN.

My first message was correlate to another ASA Log message, where I've the same problem.

husycisco Wed, 12/12/2007 - 01:47
User Badges:
  • Gold, 750 points or more


So can you please post the output of following commands

sh run access-group

access-list xxxx in interface LAN

(xxxx is the name of your ACL)

sh run access-list xxxx

husycisco Wed, 12/12/2007 - 02:30
User Badges:
  • Gold, 750 points or more

Thanks. Please post the output of following also

packet-tracer input tcp LAN 21438 1720 detailed

husycisco Wed, 12/12/2007 - 03:15
User Badges:
  • Gold, 750 points or more

According to packet trace, ASA allows the flow, nothing wrong with ASA. And as I see RST statement in syslog, I suspect the remote client. Maybe restarting the client may work, do you encounter the same issue when you try to reach another client again in that subnet too?

michelerossi Wed, 12/12/2007 - 03:25
User Badges:

I've got the same issue to reach all clients of all remote networks, include the Lan ip address routers.

The ASA version is 8.0.(2).

If I do a traceroute from ASDM Tools from the Lan to the or, it function only if I flag "use ICMP" button

Also I've the same problem into another client with the same ASA (version 8.0.(3)).

husycisco Wed, 12/12/2007 - 05:06
User Badges:
  • Gold, 750 points or more

what happens when you temporarily add

access-list LAN_access_in permit ip any any

husycisco Fri, 12/14/2007 - 03:26
User Badges:
  • Gold, 750 points or more

Michel can you please post the following commands output also ?

traceroute use-icmp



lukasdrbo Thu, 12/20/2007 - 09:35
User Badges:

hi michele,

i have same problem as you, do you have solution for it please ?



fbroussey Tue, 03/18/2008 - 04:20
User Badges:

hi everybody,

I experienced the same issue. My network diagram is similar. Do you find a solution to that problem?

Thanks a lot for your help.

michelcaissie Tue, 03/18/2008 - 08:26
User Badges:

Here, we must understand that the routing capabilities of a ASA is limited compared to a router. Initially a PIX would not allowed a packet to leave an interface on the same

interface that they came in. This was improved by adding the "same-security-traffic permit intra-interface" command, wich i assume you are using. But this does not resolve everything,

because the ASA does not reroute the packet the way a router would , it creates a connection the same way it would if the packet leave the outside interface.Your problem is that

the returning packet doesn't get back to the ASA.

Let see with an example;

(I assume that the PC on the inside have the ASA as the default gateway) make a tcp connection on The SYN hits the ASA wich opens a connection , then route the packet to the MPLS router at

But the returning SYN packet goes directly to the PC because it is Directly Connected to the router. Then the PC sends the ACK to the ASA ( the default gateway)

but it is refused because the ASA never saw the returning SYN . So your TCP connection dies here.

The problem does not occur with icmp because there is no three way handshake and it doesn't matter if the replies doesn't pass through the ASA.

One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet , put the MPLS router in this subnet and create a static route in the MPLS router for your

inside network. This way it would force all returning traffic to go through the ASA.


This Discussion