Deny TCP reverse path check on interface

mahesh18
Level 6

 

Hi Everyone,

 

User is trying to access a server.

He goes via

 

USer PC  -----------ASA1------------------Lan network ------------ASA2-----Lan network---------Server

PC IP 172.16.90.20

Server IP 172.20.251.8

 

%ASA-6-302013: Built inbound TCP connection 390737788 for dmz:172.16.90.20/49322 (172.16.90.20/49322) to G:172.20.251.8/443 (172.20.251.8/443)

%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R

 

Routing on ASA1

route G 172.16.0.0 255.240.0.0 172.16.100.200

 

ASA2 has logs

 %ASA-6-302013: Built outbound TCP connection 150409110 for R:172.20.251.8/443 (172.20.251.8/443) to G:172.16.90.20/49322 (172.16.90.20/49322)

May 07 2014 21:45:58: %ASA-6-302014: Teardown TCP connection 150409110 for R:172.20.251.8/443 to G:172.16.90.20/49322 duration 0:00:30 bytes 0 SYN Timeout

 

Routing on ASA2

route R 172.20.251.0 255.255.255.0 172.24.100.200

 

How can I fix this issue?

To me it seems like a routing issue?

 

Regards

Mahesh

 


6 Replies

Poonam Garg
Level 3

Hello Mahesh,

The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection request, and, in most cases, is not related to the configuration on PIX/ASA.

Check the default gateway of your server.

 

HTH

 

Hi Poonam,

 

The server is configured correctly with its gateway, as users connected behind ASA2 have no issues.

 

Regards

Mahesh

Marvin Rhoads
Hall of Fame

Mahesh,

Is NAT setup on ASA1? The 101021 syslog message you are getting there could indicate your NAT rules are asymmetric.

 

Hi Marvin,

 

There is no NAT on ASA1 and also on ASA2.

 

Regards

Mahesh

Ok, looking closer I see the return traffic is being denied because it comes in via interface R:

     Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R

But your routing says that network should be reached via interface G:

     route G 172.16.0.0 255.240.0.0 172.16.100.200

That is asymmetric routing and is not supported by the ASA.
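Added here as an illustration, not part of the thread or of any Cisco tooling: a small Python model of the reverse path check Marvin describes, run over a constructed ASA1 routing table and the 106021 line quoted in the first post. The 172.16.0.0/12 route is the one quoted above; the connected dmz route and the route towards the server via G are assumptions (the 302013 line only shows that the connection left ASA1 on G). The lookup uses longest-prefix match, so the more specific dmz route wins over the /12, and a reply arriving on R whose source routes out G fails the check.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed routing table for ASA1. The first line is the route quoted in the
# thread; the other two are assumptions made for this example.
ASA1_ROUTES = [
    "route G 172.16.0.0 255.240.0.0 172.16.100.200",    # from the thread
    "route dmz 172.16.90.0 255.255.255.0 172.16.90.1",   # assumed: connected dmz segment
    "route G 172.20.0.0 255.255.0.0 172.16.100.200",     # assumed: path towards the server
]

# Constructed sample syslog lines, copied from the thread's first post.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 390737788 for dmz:172.16.90.20/49322 "
    "(172.16.90.20/49322) to G:172.20.251.8/443 (172.20.251.8/443)",
    "%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R",
]

ROUTE_RE = re.compile(
    r"^route\s+(?P<iface>\S+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<gw>[\d.]+)"
)
DENY_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_routes(lines):
    """Turn 'route <iface> <network> <mask> <gateway>' lines into (network, iface) tuples."""
    table = []
    for line in lines:
        m = ROUTE_RE.match(line.strip())
        if m:
            table.append((ip_network(f"{m['net']}/{m['mask']}"), m["iface"]))
    return table


def lookup(table, addr):
    """Longest-prefix match: the most specific route containing addr, or None."""
    addr = ip_address(addr)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def rpf_check(table, ingress_iface, src_ip):
    """Model of the reverse path check: a packet with source src_ip arriving on
    ingress_iface passes only if the route back to src_ip points out that same
    interface. Treating 'no route' as a failure is a simplification of this model."""
    route = lookup(table, src_ip)
    return route is not None and route[1] == ingress_iface


def explain_denies(log_lines, table):
    """For each 106021 deny, report the arrival interface and where the route to
    the packet's source actually points, so the asymmetry is visible at a glance."""
    findings = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        route = lookup(table, m["src"])
        findings.append({
            "src": m["src"],
            "dst": m["dst"],
            "arrived_on": m["iface"],
            "route_points_to": route[1] if route else None,
            "asymmetric": not rpf_check(table, m["iface"], m["src"]),
        })
    return findings


if __name__ == "__main__":
    table = parse_routes(ASA1_ROUTES)
    for f in explain_denies(SAMPLE_LOGS, table):
        print(f"reply from {f['src']} arrived on {f['arrived_on']}, "
              f"route points to {f['route_points_to']}, asymmetric={f['asymmetric']}")
```

Running the block reports the deny from the thread as arriving on R while the route to 172.20.251.8 points out G, which is the mismatch the accepted answer identifies; the same function would pass a reply arriving on G.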

 

Hi Marvin,

 

It was an asymmetric routing issue that has been fixed.

Traffic flow was like this

 

user ----DMZ_int----ASA1----G_int---------------G_int----------ASA2-------R_int---server

On ASA1 it was coming back on R_int that was due to asymmetric routing.

I fixed the static routing on switch where server is connected to point to int_R for return traffic and that fixed the issue.

 

Regards

 

Mahesh
