no associated connection in the security appliance table

Aug 5th, 2008
When I try to ssh to a certain host my connection gets denied for some reason.

I get the following error message:

6 Aug 05 2008 14:26:37 106015 Deny TCP (no connection) from to flags RST on interface inside

The security appliance discarded a TCP packet that has no associated connection in the security appliance table

Any ideas?

robbhanMid Tue, 08/05/2008 - 07:00

I'm not sure the access lists are at fault here. Could you be a bit more specific?

andrew.prince@m... Tue, 08/05/2008 - 07:03

I have seen this in two instances:-

1) An ACL on the inside interface blocking ssh access to a host beyond the pix/asa - hence the rst.

2) You are actually trying to ssh to the pix/asa and you have not configured ssh access on the inside interface; the pix/asa will send a rst and not just drop.

I am presuming that it's not option 2, so I would double check ACLs.


Marwan ALshawi Tue, 08/05/2008 - 07:01

Can you post your ACL and NAT config?

robbhanMid Tue, 08/05/2008 - 23:19

I discovered that it doesn't matter what service I connect to. I have an ftp server on the target host and I get the same error message. Any help would be appreciated.

andrew.prince@m... Wed, 08/06/2008 - 00:07

Since you changed the NAT from the inside to the DMZ - did you perform a "clear xlate"?

Are the relevant services on the machine actually running - have you performed a packet capture on the remote machine to see if the requests are actually hitting it?

Do you see any hit counters on the acl:-

access-list inside_access_in extended permit ip

Are you able to ping from 192.168.1.x to 192.168.200.x?
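Added example, not part of the thread and not Cisco code: a short Python triage script that groups message 106015 denies by host pair, which makes the pattern reported above (the same deny for ssh and ftp to one host) visible in a larger log. The function names, the hostname `fw1` and all addresses in the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Message body of ASA/PIX syslog 106015; matches both the raw syslog form
# ("%ASA-6-106015: Deny TCP ...") and the ASDM log viewer form quoted above.
DENY_106015 = re.compile(
    r"106015:?\s+Deny TCP \(no connection\) from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

# Constructed sample lines (addresses are illustrative, not from the thread).
SAMPLE_LOG = """\
6 Aug 05 2008 14:26:37 106015 Deny TCP (no connection) from 192.168.1.10/40112 to 192.168.200.5/22 flags RST on interface inside
6 Aug 05 2008 14:26:41 106015 Deny TCP (no connection) from 192.168.1.10/40113 to 192.168.200.5/21 flags RST on interface inside
Aug 05 2008 14:27:02 fw1 %ASA-6-106015: Deny TCP (no connection) from 192.168.1.10/40120 to 192.168.200.5/22 flags RST ACK on interface inside
Aug 05 2008 14:27:09 fw1 %ASA-6-106015: Deny TCP (no connection) from 192.168.1.44/51000 to 10.9.9.9/443 flags FIN ACK on interface inside
Aug 05 2008 14:27:10 fw1 %ASA-6-302013: Built outbound TCP connection 77 for dmz:192.168.200.5/22
"""

def summarize_106015(log_text):
    """Group 106015 denies by (source host, destination host, interface)."""
    groups = defaultdict(lambda: {"count": 0, "dports": set(), "flags": set()})
    for line in log_text.splitlines():
        m = DENY_106015.search(line)
        if not m:
            continue  # other message IDs, or lines with stripped addresses
        g = groups[(m["src"], m["dst"], m["ifc"])]
        g["count"] += 1
        g["dports"].add(int(m["dport"]))
        g["flags"].add(m["flags"])
    return dict(groups)

def multi_service_pairs(summary):
    """Host pairs that were denied on more than one destination port."""
    return sorted(k for k, g in summary.items() if len(g["dports"]) > 1)

if __name__ == "__main__":
    summary = summarize_106015(SAMPLE_LOG)
    for key, g in sorted(summary.items()):
        print(key, g["count"], sorted(g["dports"]), sorted(g["flags"]))
    print("multi-service:", multi_service_pairs(summary))
```

A log line whose addresses have been stripped, like the one quoted in the question, does not match and is skipped rather than miscounted.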