Connection lan2lan failed

Unanswered Question
Dec 31st, 2008

Hi guys,


I have a problem when I try to connect two LANs (one ASA on each LAN).


I have this error:

%PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

Explanation: The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Recommended Action: None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.


I tried to apply the commands access-list nonat, same-security-traffic permit inter-interface and same-security-traffic permit intra-interface, but nothing happened.


Does somebody have any idea?

thanks

dflores83 Fri, 01/02/2009 - 16:33

Here is the config.


In this case the ASA can only do ICMP, not TCP (e.g. the HQ can ping branch 1 and branch 2).


The description said:

Deny TCP (no connection) from x.x.x.x/1728 to x.x.x.x/443 flags RST on Interface Inside


and the explanation:

The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table.
JORGE RODRIGUEZ Fri, 01/02/2009 - 16:48

Where is your complete NAT exempt access list in the config? This is not the complete config; post the config including the ACLs pertaining to the L2L tunnel.


That message simply says TCP was denied from a source that is probably not part of your L2L tunnel policy.


What network or source from the other side of the tunnel is trying to access what destination on your inside interface? You need to add the remote LAN/source to your L2L interesting-traffic NAT exempt policy and crypto ACL.



Regards
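As an added illustration of the pairing described above (this is not config from this thread; the addresses, interface names and ACL names are assumed), here are matching NAT exempt and crypto ACL entries on both ASAs, in the pre-8.3 syntax current at the time of this thread:

```cisco
! ---- HQ ASA: inside 192.168.1.0/24, outside 203.0.113.1 (assumed) ----
! Interesting traffic for the tunnel to branch 1: HQ LAN -> branch 1 LAN
access-list l2l_branch1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! NAT exemption must cover the same address pair; if it does not, the
! packet is translated before the crypto ACL is checked, never enters the
! tunnel, and the reply shows up as "Deny TCP (no connection)"
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Phase 1 / phase 2 and the crypto map entry bound to the branch peer
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_branch1
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
! A second branch gets its own ACL, nonat line and crypto map sequence (e.g. 20)

! ---- Branch 1 ASA: inside 192.168.2.0/24, outside 203.0.113.2 (assumed) ----
! Mirror image of the HQ entries: source and destination swapped
access-list l2l_hq extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_hq
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
```

After applying, `show crypto ipsec sa` should show both #pkts encaps and #pkts decaps increasing for the pair, and `show access-list nonat` should show hit counts on the exemption line; a zero on either side points at a mismatched or missing entry.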


dflores83 Mon, 01/05/2009 - 14:23

Hi,

thanks

I followed your recommendations, but the problem is the same. This is the new config.


Any recommendation?


