Cisco Support Community

New Member

Deny TCP (no connection) from 198.241.159.x/443 to 10.x.x.x/1650 flags PSH ACK on interface xyz

Hi All,

I am getting the below log on the firewall; due to this, my virtual application on the public internet is working very slowly.

106015          198.241.159.x 443          10.x.x.x 1650          Deny TCP (no connection) from 198.241.159.x/443 to 10.x.x.x/1650 flags PSH ACK  on interface xyz

I have already tried with tcp-state bypass.

asa(config)# access-list vitest permit tcp 10.x.x.0 255.255.255.0$
asa(config)# class
asa(config)# class-map vimap
asa(config-cmap)# match access-list vitest
asa(config-cmap)# exit
asa(config)# policy-map global_policy
asa(config-pmap)# class vimap
asa(config-pmap-c)# set connection advanced-options tcp-state-bypass
asa(config-pmap-c)#

I have already gone through the below links:

https://supportforums.cisco.com/thread/2106310

https://supportforums.cisco.com/thread/2125757

3 REPLIES
Red

Deny TCP (no connection) from 198.241.159.x/443 to 10.x.x.x/1650

Hi Prashant,

Normally this message means that a PUSH ACK packet on this connection between 198.241.159.x/443 and 10.x.x.x/1650 was sent after the connection had been closed. So the firewall dropped this packet, since it could not find any existing connection between these two hosts.

You might just need to provide a bit more information on this. I would suggest captures would be the best possible step forward.

Thanks,
Varun Rao
Security Team,
Cisco TAC
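
The following added example, which is not part of the original thread, checks the explanation above against firewall logs: for each 106015 deny it reports how many seconds after the matching 302014 teardown the packet arrived, or None when no teardown for that flow was logged. The sample lines are constructed, and the ISO timestamp prefix is an assumption about the log collector.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the thread). The ISO timestamp prefix is an
# assumption about the log collector; bodies follow the ASA 302014/106015 layouts.
SAMPLE = """\
2024-01-10T12:00:30 %ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/443 to inside:10.0.0.5/1650 duration 0:00:29 bytes 5120 TCP FINs
2024-01-10T12:00:31 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.0.0.5/1650 flags PSH ACK  on interface outside
2024-01-10T12:00:40 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.0.0.9/2044 flags ACK  on interface outside
""".splitlines()

TS = r"(?P<ts>\S+) "
TEARDOWN = re.compile(TS + r"%ASA-\d-302014: Teardown TCP connection \d+ for "
                      r"\S+?:(?P<a>[\d.]+/\d+) to \S+?:(?P<b>[\d.]+/\d+) ")
DENY = re.compile(TS + r"%ASA-\d-106015: Deny TCP \(no connection\) from "
                  r"(?P<a>[\d.]+/\d+) to (?P<b>[\d.]+/\d+) "
                  r"flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)")

def correlate(lines):
    """For each 106015 deny, report seconds since the same flow was torn down."""
    closed = {}    # frozenset({endpoint, endpoint}) -> time of last teardown
    results = []
    for line in lines:
        m = TEARDOWN.match(line)
        if m:
            # Key on the unordered endpoint pair so either direction matches.
            closed[frozenset((m["a"], m["b"]))] = datetime.fromisoformat(m["ts"])
            continue
        m = DENY.match(line)
        if m:
            flow = frozenset((m["a"], m["b"]))
            seen = datetime.fromisoformat(m["ts"])
            # None means no teardown for this flow appeared earlier in the log.
            gap = (seen - closed[flow]).total_seconds() if flow in closed else None
            results.append({"src": m["a"], "dst": m["b"], "flags": m["flags"],
                            "interface": m["ifc"], "secs_after_teardown": gap})
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

A small gap points to late packets on a connection the firewall already closed; None means the log holds no teardown for that flow, which is where a packet capture is needed.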

New Member

Deny TCP (no connection) from 198.241.159.x/443 to 10.x.x.x/1650

Thanks, I will try with capture.

New Member

Disable TCP randomizing

Disable TCP randomizing sequence number as well.

 

  set connection random-sequence-number disable

 
