ASA connection table.

Mar 20th, 2008

Hi All,

I get the following error

%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20

when I try to connect from sol-dun-hobbit1 to coa-dun-web1-front. Now, there is a slight problem in the topology here. This ASA has two sub-interfaces, one of which connects to the "front-end IPs" of the web boxes it is protecting and another to the back-end IPs. Both front and back networks are separate VLANs and terminate (the gateway is the ASA) only on the ASA. The problem is, when I connect from sol-dun-hobbit (from an outside interface, here the interface is called management), the packet is transmitted out the ASA on VLAN 10 (on sub-interface = internal-10) and then the reply comes back on a different sub-interface = internal-20. I cannot do anything about the packet coming in; I'm trying to get the ASA to recognise that the reply is part of an earlier connection attempt, which the ASA doesn't seem to be doing.

Any ideas?

abinjola (Cisco Employee) Fri, 03/21/2008 - 02:18

The SYN never flowed in this direction and the firewall did not have the SYN entry in the table, but the SYN/ACK tries to go through the firewall. This violates the stateful nature of the firewall and thus you see this log.

There is asymmetric routing happening, and you need to correct that.
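An added example, not code from this thread, that turns the reply above into a check a defender can run over ASA syslog: it parses the 106015 message quoted in the question and flags a SYN/ACK denied "no connection" as a reply the firewall never saw the SYN for. Repeated hits from the same server on the same interface are the asymmetric-path signature. The log lines are constructed around the one from the post; the 302013 line is a made-up filler message to show non-106015 lines are ignored.

```python
import re
from collections import Counter

# Field layout of the ASA 106015 "Deny TCP (no connection)" message, as quoted in the post.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\w.\-]+)/(?P<sport>\d+) to (?P<dst>[\w.\-]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>[\w\-]+)"
)

def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None for any other message."""
    m = ASA_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Rough cause for a 'no connection' deny, judged from the TCP flags."""
    flags = set(rec["flags"])
    if {"SYN", "ACK"} <= flags:
        # A SYN/ACK the ASA has no SYN for: the request left on another
        # interface (asymmetric routing) or the embryonic conn already timed out.
        return "synack-without-conn"
    if flags & {"RST", "FIN"} or flags == {"ACK"}:
        return "stale-conn"          # tail of a connection already torn down
    return "other"

def asymmetric_routing_suspects(lines, threshold=2):
    """Count SYN/ACK-without-conn denies per (server, port, arrival interface, client)
    and return the tuples seen at least `threshold` times."""
    hits = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec and classify(rec) == "synack-without-conn":
            hits[(rec["src"], rec["sport"], rec["iface"], rec["dst"])] += 1
    return {k: n for k, n in hits.items() if n >= threshold}

# Constructed sample log: the line from the post (repeated, as a retransmit would be),
# a stale RST, and an unrelated made-up message that must be ignored.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20",
    "%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.20.5/443 to 10.0.9.7/40001 flags RST on interface internal-vlan-20",
    "%ASA-6-302013: Built outbound TCP connection 4242 for management:10.0.9.7/40002 (10.0.9.7/40002) to internal-10:10.0.10.5/80 (10.0.10.5/80)",
]

if __name__ == "__main__":
    for (srv, port, iface, client), n in asymmetric_routing_suspects(SAMPLE_LOG).items():
        print(f"{srv}:{port} replied via {iface} to {client} with no conn entry, {n} times")
```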

luqmankondeth Fri, 03/21/2008 - 02:22

I do appreciate that it's asymmetric routing; at the moment, I have no way to make it symmetric. In Checkpoints, you could stop anti-spoofing tests in similar situations. While this is not a spoofing problem, I am trying to find ways to make the ASA relate the connection attempt and reply.

luqmankondeth Fri, 03/21/2008 - 02:57

Thanks mate,

That explains a workaround for the problem; however, I do not understand the solution. I can't get any documentation for the "nailed" NAT option. Is there any way you could help me out here?

luqmankondeth Fri, 03/21/2008 - 03:25

False alarm, I couldn't get the nailed option to work.

For those interested, I found this on Cisco,

Check the section on asymmetric routing.

However, I couldn't use this either; I think that was because of license issues.

Anyway, I am now using just plain NAT to fool the web servers so that symmetric routing does take place. This is not ideal (symmetric routing is, but not the NAT); however, I've got no other solution right now.

abinjola (Cisco Employee) Fri, 03/21/2008 - 03:43

The nailed option is to bypass the security check, but for that you need a failover license to decrease the failover timeout -1.
