Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1540
Views
0
Helpful
1
Replies

deny tcp (no connection)

hedyeh razazan
Level 1
Level 1

‎02-26-2012 03:57 AM - edited ‎03-11-2019 03:35 PM

Hi,

in the FWSM we have too many "deny tcp (no connection)" log and tcp connections disconnect randomly.

some log events:

Deny TCP (no connection) from 10.4.2.1/80 to 10.5.46.2/1395 flags ACK on interface inside.

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎02-26-2012 10:34 AM

Hello Hedhyeh,

This is a routing issue, this is known as a stateful tcp firewall issue.

The problem is that the firewall is receiving a ack packet on the inside interface of a connection where he has not received a SYN packet, so of course he will drop it!

You have two options:

1- check why the routing issue is happening, get into the real root of the issue

2- the easyest way to solve it, configured a tcp state bypass policie to tell the ASA: Do not drop a tcp packet if the tcp 3 way handshake is not used.

Hope this helps.

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card