no associated connection in the security appliance table

Unanswered Question
Aug 5th, 2008

Hi,

When I try to ssh to a certain host my connection gets denied for some reason.


I get the following error message:

6 Aug 05 2008 14:26:37 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) from 192.168.1.31/46587 to 192.168.200.2/22 flags RST on interface inside


The security appliance discarded a TCP packet that has no associated connection in the security appliance table.


Any ideas?

robbhanMid Tue, 08/05/2008 - 07:00

I'm not sure the access lists are at fault here. Could you be a bit more specific?

andrew.prince@m... Tue, 08/05/2008 - 07:03

I have seen this in two instances:

1) An ACL on the inside interface blocking SSH access to a host beyond the PIX/ASA - hence the RST.

2) You are actually trying to SSH to the PIX/ASA and you have not configured SSH access on the inside interface; the PIX/ASA will send a RST and not just drop.

I am presuming that it's not option 2, so I would double check ACLs.

HTH

Marwan ALshawi Tue, 08/05/2008 - 07:01

Can you post your ACL and NAT config?

robbhanMid Tue, 08/05/2008 - 23:19

Hi,

I discovered that it doesn't matter what service I connect to. I have an ftp server on the target host and I get the same error message. Any help would be appreciated.

andrew.prince@m... Wed, 08/06/2008 - 00:07

Since you changed the NAT from the inside to the DMZ, did you perform a "clear xlate"?

Are the relevant services on the machine actually running? Have you performed a packet capture on the remote machine to see if the requests are actually hitting it?

Do you see any hit counters on the ACL:

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

Are you able to ping from 192.168.1.x to 192.168.200.x?
