Cisco Support Community
Community Member

ASA blocking TCP Traffic...why?


I'm having a problem with my ASA dropping TCP connections. I have a Websense box going to an ASA, then out to a Nokia/Checkpoint FW, and then to the outside. When I try pinging the outside, it works fine. However, as soon as I try any TCP traffic, the ASA blocks it. I checked the Checkpoint logs and everything is allowed to go through, but once it hits the ASA, it drops. I have all my interfaces set to allow all on the ASA, so I really can't see why it's doing this...

I attached a log file from my Websense box trying to access the internet. Anyone's help appreciated!


6 Oct 24 2007 11:18:42 106015 WEBSENSE Deny TCP (no connection) from WEBSENSE/1118 to flags RST on interface DMZ

Community Member

Re: ASA blocking TCP Traffic...why?

Hi darkid123.

As described in the syslog reference for ASAs, it looks like asymmetric routing!?


Error Message %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

Explanation The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Recommended Action None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
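
One way to follow the "trace the packets to the source" recommendation in the reference text quoted above, as an added example that is not part of the thread or of Cisco's documentation: group 106015 drops by source, destination, interface and TCP flags. The flag readings in `classify()` are heuristic assumptions of this example, and the sample lines are constructed except for the one copied from the original post.

```python
import re
from collections import Counter

# Layout follows the syslog reference quoted above. Hosts may be IP
# addresses or ASA "name" aliases such as WEBSENSE.
MSG = re.compile(
    r"106015\b.*?Deny TCP \(no connection\) from (?P<src>\S+)/\d+ "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+"
    r"on interface (?P<ifc>[^\s.]+)"
)

def classify(flags):
    """Heuristic reading of the TCP flags (an assumption of this example)."""
    seen = set(flags.split())
    if {"SYN", "ACK"} <= seen:
        return "SYN-ACK but no SYN seen: check for asymmetric routing"
    if seen & {"RST", "FIN"}:
        return "teardown packet for a flow not in the table"
    return "mid-stream packet for a flow not in the table"

def summarize(lines):
    """Count 106015 drops per (src, dst, dport, interface, reading)."""
    drops, unparsed = Counter(), []
    for line in lines:
        if "Deny TCP (no connection)" not in line:
            continue
        m = MSG.search(line)
        if m is None:
            unparsed.append(line)  # truncated or mangled by an export
            continue
        key = (m["src"], m["dst"], int(m["dport"]), m["ifc"], classify(m["flags"]))
        drops[key] += 1
    return drops, unparsed

# Constructed sample lines (documentation addresses), plus the line from the
# original post, which has no destination field and so lands in "unparsed".
SAMPLE = [
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.0.2.10/1118 flags SYN ACK  on interface outside",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.0.2.10/1118 flags SYN ACK  on interface outside",
    "%ASA-6-106015: Deny TCP (no connection) from WEBSENSE/1118 to 198.51.100.7/80 flags RST  on interface DMZ",
    "6 Oct 24 2007 11:18:42 106015 WEBSENSE Deny TCP (no connection) from WEBSENSE/1118 to flags RST on interface DMZ",
    "%ASA-6-302013: Built outbound TCP connection 4101 for outside:198.51.100.7/80",
]

if __name__ == "__main__":
    drops, unparsed = summarize(SAMPLE)
    for key, count in drops.most_common():
        print(count, *key)
    print("unparsed 106015 lines:", len(unparsed))
```

Repeated SYN-ACK drops on one interface for the same flow mean the firewall never saw the outbound SYN, which is the pattern to compare against the routing on both sides of the ASA.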


Re: ASA blocking TCP Traffic...why?

Websense is dropping your Yahoo website. Open

- Dharmesh
