ASA - Deny TCP (no connection)


Scratching my head with this problem.

Email notifications are not getting generated from the inside network.

Quick Topology:

Inside -> FWSM -> 6500 (NAT) -> 2nd Level ASA -> 1st Level ASA (PAT)

The SMTP access is allowed throughout. I can see Build/Teardown on the FWSM and the 2nd Level ASA. However, on the 1st Level ASA I can see 'Deny TCP (no connection)...RST flag' in its logs for the return traffic.

Going through forums etc., I believe there are mainly two reasons for this error: 1) Asymmetric routing 2) SMTP inspection

In my case, neither asymmetric routing nor SMTP inspection is occurring. Still I get the above error.

Please assist.


Re: ASA - Deny TCP (no connection)

Please assist.


Re: ASA - Deny TCP (no connection)

Deny TCP (no connection) is a statement that a packet arrived on the firewall for a connection that doesn't exist - the connection may never have existed or may have recently been torn down. To determine what may have caused this situation, choose a single connection (source/destination IP address) and configure a packet capture on the ingress and egress interfaces as described at this link (be sure to use the interface-specific/NAT IP addresses):

Also, to supplement this packet capture, enable the following:

logging buffered debugging

logging timestamp

logging buffer-size 512000

Run an example test (matching the configured packet capture) and gather all relevant logs from the time of the traffic. This syslog output as well as the packet captures should provide you an insight as to what the issue is.

If SMTP inspection is enabled, you may want to confirm whether the SMTP server sends a TCP Reset. Also, confirm whether any SMTP commands sent between the client and server are being modified to X's. Sometimes, changing the available SMTP commands can result in a reset from the SMTP server with a 500 ERROR. More information about 'inspect esmtp' is available at the link below:

This 'RST Flag' Deny TCP (no connection) may be just a final errant packet sent from the host after the connection was torn down by the ASA or the other end. A packet capture and syslogs of the flow will greatly assist diagnosing the issue.

Hope this helps.

Re: ASA - Deny TCP (no connection)


It is a production ASA. Would logging buffered debugging degrade the performance at all?


Re: ASA - Deny TCP (no connection)

'logging buffered debugging' rarely degrades performance on a production box in my experience. However, do NOT enable 'logging traps debugging' or 'logging console debugging' if your ASA is heavily utilized. This could impact performance.

Re: ASA - Deny TCP (no connection)


I have pasted below the capture and debug log from the ASA. I can see that the mail server initiated a 'sackOK' after the beginning TCP handshake, to which the ASA responded with RST. What is 'sackOK' used for?


SMTP Sender = (NAT'ed IP)

ASA Outside Interface =

19: 17:20:26.624982 > S 1157537987:1157537987(0) win 65535
20: 17:20:26.625166 > S 1916008998:1916008998(0) win 65535
21: 17:20:26.868882 > S 2012653347:2012653347(0) ack 1916008999 win 5840
22: 17:20:26.868912 > S 3195801731:3195801731(0) ack 1157537988 win 5840
23: 17:20:26.869660 > . ack 3195801732 win 65535
24: 17:20:26.869690 > . ack 2012653348 win 65535
25: 17:20:27.116311 > S 2007441486:2007441486(0) win 5840
26: 17:20:27.116372 > R 0:0(0) ack 2007441487 win 5840
27: 17:20:27.363155 > P 2012653348:2012653456(108) ack 1916008999 win 5840
28: 17:20:27.363170 > P 3195801732:3195801840(108) ack 1157537988 win 5840
29: 17:20:27.363491 > F 2012653456:2012653456(0) ack 1916008999 win 5840
30: 17:20:27.363506 > F 3195801840:3195801840(0) ack 1157537988 win 5840
31: 17:20:27.363888 > . ack 3195801841 win 65427
32: 17:20:27.363903 > . ack 2012653457 win 65427
33: 17:20:27.364620 > P 1157537988:1157538010(22) ack 3195801841 win 65427
34: 17:20:27.364650 > P 1916008999:1916009021(22) ack 2012653457 win 65427
35: 17:20:27.373744 > FP 1157538010:1157538082(72) ack 3195801841 win 65427
36: 17:20:27.373759 > FP 1916009021:1916009093(72) ack 2012653457 win 65427

Debug Log:

Oct 2 2009 17:19:30: %ASA-6-302013: Built outbound TCP connection 242317791 for OUTSIDE-INTERFACE: ( to
Oct 2 2009 17:19:31: %ASA-6-302014: Teardown TCP connection 242317791 for duration 0:00:00 bytes 130 TCP FINs
Oct 2 2009 17:20:26: %ASA-6-302013: Built outbound TCP connection 242319817 for OUTSIDE-INTERFACE: ( to
Oct 2 2009 17:20:27: %ASA-6-302014: Teardown TCP connection 242319817 for duration 0:00:00 bytes 202 TCP FINs
Oct 2 2009 17:20:27: %ASA-6-106015: Deny TCP (no connection) from to flags RST on interface



Re: ASA - Deny TCP (no connection)

It gets extremely complicated to troubleshoot any one flow when you have multiple firewalls in the path.

With that said, this deny TCP no conn syslog is only for a reset packet, which is OK to see. Once the conn gets torn down, reset packets for the same flow arrive and do not get passed on to the other interface, for the reason that there is no connection in the table.

Please see if you can eliminate one firewall at a time by placing the client after one firewall at a time.
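Tying together the earlier advice to gather buffered syslogs for one flow and this reply's point that a reset arriving after the teardown is expected, here is an added Python triage script (not from the thread or from Cisco) that walks the 302013/302014/106015 messages and labels each 'Deny TCP (no connection)' as a late packet on a just-torn-down conn or as a packet with no conn at all. It assumes the stock message formats and uses constructed sample lines with RFC 5737 documentation addresses and a placeholder interface name, since the thread's own lines are redacted.

```python
import re
from datetime import datetime

# Constructed sample syslog shaped like the thread's redacted lines; addresses are from
# RFC 5737 documentation ranges and the interface name OUTSIDE is a placeholder.
SAMPLE_LOG = """\
Oct 2 2009 17:20:26: %ASA-6-302013: Built outbound TCP connection 242319817 for OUTSIDE:203.0.113.25/25 (203.0.113.25/25) to INSIDE:192.0.2.20/49152 (198.51.100.5/1024)
Oct 2 2009 17:20:27: %ASA-6-302014: Teardown TCP connection 242319817 for OUTSIDE:203.0.113.25/25 to INSIDE:192.0.2.20/49152 duration 0:00:00 bytes 202 TCP FINs
Oct 2 2009 17:20:27: %ASA-6-106015: Deny TCP (no connection) from 203.0.113.25/25 to 198.51.100.5/1024 flags RST on interface OUTSIDE
Oct 2 2009 17:21:05: %ASA-6-106015: Deny TCP (no connection) from 203.0.113.25/25 to 198.51.100.5/1030 flags ACK on interface OUTSIDE
"""

HEAD = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-\d-(\d{6}): (.*)$")
# 302013 carries real and (mapped) addr/port pairs; 106015 logs the mapped ones seen on the wire.
BUILT = re.compile(r"Built \w+ TCP connection (\d+) for \S+:\S+ \((\S+)\) to \S+:\S+ \((\S+)\)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for .* duration \S+ bytes \d+ (.*)$")
DENY = re.compile(r"Deny TCP \(no connection\) from (\S+) to (\S+) flags (\S+) on interface (\S+)")

def triage(log_text, window_seconds=5):
    """Return (time, src, dst, verdict) for every 106015 deny in the log."""
    conns = {}      # conn id -> {"pair": frozenset of mapped addr/port, "torn": datetime, "why": str}
    verdicts = []
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %Y %H:%M:%S")
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "302013" and (b := BUILT.search(body)):
            conns[b.group(1)] = {"pair": frozenset((b.group(2), b.group(3))), "torn": None, "why": ""}
        elif msg_id == "302014" and (t := TEARDOWN.search(body)) and t.group(1) in conns:
            conns[t.group(1)].update(torn=ts, why=t.group(2))
        elif msg_id == "106015" and (d := DENY.search(body)):
            pair = frozenset((d.group(1), d.group(2)))
            recent = [c for c in conns.values() if c["pair"] == pair and c["torn"] is not None]
            if recent and (ts - max(c["torn"] for c in recent)).total_seconds() <= window_seconds:
                # The case this thread ends on: a trailing packet for a conn the box already closed.
                why = max(recent, key=lambda c: c["torn"])["why"]
                verdict = "late %s after teardown (%s): benign" % (d.group(3), why)
            elif d.group(3) == "RST":
                verdict = "RST with no recent conn: stale reset, check capture"
            else:
                # Non-RST traffic with no conn on this box is the asymmetric-routing signature.
                verdict = "%s with no conn on this box: suspect asymmetric routing" % d.group(3)
            verdicts.append((ts.strftime("%H:%M:%S"), d.group(1), d.group(2), verdict))
    return verdicts
```

Feed it the output of 'show logging' after running the test the earlier reply describes; only denies that fall outside the teardown window deserve further chasing across the other firewalls.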