Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA connection table.

Hi All,

I get the following error

%ASA-6-106015: Deny TCP (no connection) from coa-dun-web1-front/80 to sol-dun-hobbit1/50692 flags SYN ACK on interface internal-vlan-20

when I try to connect from sol-dun-hobbit1 to coa-dun-web1-front. Now, there is a slight problem in the topology here. This ASA has two sub-interfaces one of which connects to the "front-end IPs" of the web-boxes it is protecting and another to the back-end IPs. Both Front and Back networks are seperate vlans and terminate(gateway is the ASA) only on the ASA. The problem is, when I connect from sol-dun-hobbit (from an outside interface, here the interface is called management) the packet is transmitted out the asa on vlan 10 (on sub-interface = internal-10) and then the reply comes back on a different sub-interface = internal-20. I cannot do anything bout the packet coming in, Im trying to get the ASA to recognise that the reply is part of an earlier connection attempt, which the ASA doesnt seem to be doing.

Any ideas?

7 REPLIES
Cisco Employee

Re: ASA connection table.

The Sync never flowed in this direction and the firewall did not have the SYn entry in the table but the SYNACK tries to go through the firewall, this violates the stateful nature of firewall and thus you see this log

There is asymmetric routing thats happening and you need to correct that

New Member

Re: ASA connection table.

I do appreciate that its assymetric routing, at the moment, I have no way to make it symmetric. In checkpoints, you could stop anti-spoofing tests in similar situations. While this is not a spoofing problem, I am tring to find ways to make the ASA relate the connection attempt and reply.

Cisco Employee

Re: ASA connection table.

you have a very valid concern and therefore there has been a feature request CSCsj33201 filed to have tcp state check bypasses using MPF

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsj33201+&Submit=Search

rate the posts if it helps !

New Member

Re: ASA connection table.

thanks mate,

that explains a workaround for the problem, however, I donot understand the solution. I cant get any documentation for the "nailed" nat option. Is there any way you could help me out here?

New Member

Re: ASA connection table.

i think i got it ....

New Member

Re: ASA connection table.

False alarm, I couldnt get the nailed option to work.

for those intersted , I found this on cisco,

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html

Check section on Assymetric routing.

However, I couldnt use this either, I think that was because of license issues.

Anyway, I am now using just plain nat, to fool the webservers so that symmetric routing does take place. This is not ideal (symmetric routing is, but not the nat), however, Ive got no other solution right now.

Cisco Employee

Re: ASA connection table.

nailed option is to bypass security check b ut for that you need failover license to decrease the failver timeout -1

1420
Views
4
Helpful
7
Replies
CreatePlease to create content