advice on asa5520 log

Unanswered Question
Sep 30th, 2010
User Badges:


one of our machine behind asa5520 have strange behalve. the log is:

Deny TCP (no connection) from to flags RST on interface inside

my configure is:

object-group network mytest

  network-object 255.0.0

access-list outside extended permit ip object-group mytest any log

access-list outside extended permit tcp any any eq ssh

Please advice what possible problem can be?

Any comments will be appreciated

Thanks in advace


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Thu, 09/30/2010 - 22:03
User Badges:
  • Cisco Employee,

That means the ASA does not find the matching connection entry for that particular SSH traffic.

A couple of reason why we can see that log:

1) ASA already closes down the connection base on the idle timeout, and when the application sends a RST packet, ASA does not have that connection entry anymore, hence the syslog message. This is normal.

2) ASA has an existing new connection for SSH, however, the application itself is sending a RST for previous connection. This is also normal.

Is the SSH connection actually working or not?

julxu Thu, 09/30/2010 - 22:09
User Badges:


great thanks for the quick reply.

actually ssh is not working. if I say the local machine is A1, and outside machine is B1, than I do "ssh B1" form A1. it is frezened.

on A1, I can see the traffic A1 send to B1. but on B1, I can see traffic on both direction. so I guess, it is firewall dropped packet. but why?

Many Regards


Jennifer Halim Thu, 09/30/2010 - 22:14
User Badges:
  • Cisco Employee,

Can you telnet on port 22 from DOS prompt?

If you are getting a cursor, that means the connection is established.

You can also check: "sh conn | i ", after trying to establish the connection.

Last test is to perform packet capture on both interfaces to see where the packet is dropping.

julxu Wed, 10/06/2010 - 04:09
User Badges:

when I do telnet machine 3186, on firewall I get:

#show conn | i :3186

TCP outside inside, idle 0:00:00 byte flags saA

#show conn | i

TCP outside inside, idle 0:00:06, byte flags saA

#show conn | i

#show conn | i

for packet trace, on the (outside box) I can see both traffic, on (inside traffic) I can not see traffic.

is there any implicit rule cause this problem? I do not have problem with ping.


This Discussion