no associated connection in the security appliance table

Unanswered Question
Aug 5th, 2008

Hi,

When I try to ssh to a certain host my connection gets denied for some reason.

I get the following error message:

6 Aug 05 2008 14:26:37 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) from 192.168.1.31/46587 to 192.168.200.2/22 flags RST on interface inside

The security appliance discarded a TCP packet that has no associated connection in the security appliance table.

Any ideas?

robbhanMid Tue, 08/05/2008 - 07:00

I'm not sure the access lists are at fault here. Could you be a bit more specific?

I have seen this in two instances:-

1) An acl on the inside interface blocking ssh access to a host beyond the pix/asa - hence the rst.

2) You are actually trying to ssh to the pix/asa and you have not configured ssh access on the inside interface; the pix/asa will send a rst and not just drop.

I am presuming that it's not option 2, so I would double check acl's.

HTH

robbhanMid Tue, 08/05/2008 - 23:19

Hi,

I discovered that it doesn't matter what service I connect to. I have an ftp server on the target host and I get the same error message. Any help would be appreciated.


Since you changed the NAT from the inside to the DMZ - did you perform a "clear xlate"?

Are the relevant services on the machine actually running - have you performed a packet capture on the remote machine to see if the requests are actually hitting it?

Do you see any hit counters on the acl:-

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

Are you able to ping from 192.168.1.x to 192.168.200.x?
