05-08-2014 02:41 PM - edited 03-11-2019 09:10 PM
Hi Everyone,
User is trying to access a server.
He goes via
USer PC -----------ASA1------------------Lan network ------------ASA2-----Lan network---------Server
PC IP 172.16.90.20
Server IP 172.20.251.8
%ASA-6-302013: Built inbound TCP connection 390737788 for dmz:172.16.90.20/49322 (172.16.90.20/49322) to G:172.20.251.8/443 (172.20.251.8/443)
%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R
Routing on ASA1
route G 172.16.0.0 255.240.0.0 172.16.100.200
ASA2 has logs
%ASA-6-302013: Built outbound TCP connection 150409110 for R:172.20.251.8/443 (172.20.251.8/443) to G:172.16.90.20/49322 (172.16.90.20/49322)
May 07 2014 21:45:58: %ASA-6-302014: Teardown TCP connection 150409110 for R:172.20.251.8/443 to G:172.16.90.20/49322 duration 0:00:30 bytes 0 SYN Timeout
Routing on ASA2
route R 172.20.251.0 255.255.255.0 172.24.100.200
How can I fix this issue?
To me it seems like a routing issue?
Regards
Mahesh
05-08-2014 10:03 PM
Hello Mahesh,
The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection request, and, in most cases, is not related to the configuration on PIX/ASA.
Check the default gateway of your server.
HTH
05-10-2014 06:03 PM
Hi Poonam,
Server is configured correctly with gateway. As users connected behind ASA2 have no issues.
Regards
Mahesh
05-11-2014 12:01 PM
Mahesh,
Is NAT setup on ASA1? The 101021 syslog message you are getting there could indicate your NAT rules are asymmetric.
05-11-2014 04:29 PM
Hi Marvin,
There is no NAT on ASA1 and also on ASA2.
Regards
Mahesh
05-12-2014 05:21 AM
Ok, looking closer I see the return traffic is being denied because it comes in via interface R:
Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R
But your routing says that network should be reached via interface G:
route G 172.16.0.0 255.240.0.0 172.16.100.200
That is asymmetric routing and is not supported by the ASA.
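The reverse-path check that produces the 106021 message can be modelled in a few lines. The block below is an added example written for this thread, not Cisco code: it does a longest-prefix route lookup on the packet's source address and asks whether the matching route points out the interface the packet arrived on, which is what unicast RPF enforces. The G route to 172.16.0.0/12 is the one quoted above; the second G route to the server subnet is an assumption (ASA1 must reach 172.20.251.8 via G for the "Built inbound TCP connection ... to G:172.20.251.8/443" line to appear). `parse_route_line`, `lookup`, `rpf_check` and `explain_106021` are names chosen here.

```python
"""Model of the ASA unicast reverse-path (RPF) check, constructed for this
thread. Not Cisco code; routes marked 'assumed' are not from the page."""
import ipaddress
import re

# ASA1 routing table as (interface, prefix, next hop).
# First entry: the 'route G 172.16.0.0 255.240.0.0 172.16.100.200' quoted in the thread.
# Second entry: ASSUMED. The 302013 line shows ASA1 sending the SYN out of G toward
# 172.20.251.8, so some route to the server subnet via G must exist on ASA1.
ASA1_ROUTES = [
    ("G", "172.16.0.0/12", "172.16.100.200"),
    ("G", "172.20.251.0/24", "172.16.100.200"),  # assumed
]


def cidr_from_mask(network, mask):
    """Convert ASA 'NET MASK' notation (e.g. 172.16.0.0 255.240.0.0) to CIDR."""
    return str(ipaddress.ip_network(f"{network}/{mask}", strict=False))


def parse_route_line(line):
    """Parse one 'route IFACE NET MASK GW' line as typed on the ASA."""
    _, iface, net, mask, gw = line.split()[:5]
    return (iface, cidr_from_mask(net, mask), gw)


def lookup(routes, dst):
    """Longest-prefix match. Returns (iface, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return None if best is None else (best[1], best[2])


def rpf_check(routes, src, ingress):
    """Unicast RPF: the route back to the packet's SOURCE must exit the interface
    the packet arrived on. Returns (passed, interface_the_route_table_expected)."""
    hit = lookup(routes, src)
    expected = hit[0] if hit else None
    return (expected == ingress, expected)


LOG_106021 = re.compile(
    r"%ASA-1-106021: Deny (\w+) reverse path check from (\S+) to (\S+) on interface (\S+)"
)


def explain_106021(routes, line):
    """Given a 106021 syslog line, report which interface the route table expected
    the source to be reachable through, and whether the check would pass."""
    m = LOG_106021.search(line)
    if not m:
        return None
    _proto, src, dst, iface = m.groups()
    passed, expected = rpf_check(routes, src, iface)
    return {"src": src, "dst": dst, "ingress": iface,
            "expected": expected, "passes": passed}


# Constructed copy of the deny line from the thread.
DENY_LINE = ("%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 "
             "to 172.16.90.20 on interface R")

if __name__ == "__main__":
    # Before the fix: server reply arrives on R, route table says G -> denied.
    print(explain_106021(ASA1_ROUTES, DENY_LINE))
    # After the fix described later in the thread: reply arrives on G -> passes.
    print(rpf_check(ASA1_ROUTES, "172.20.251.8", "G"))
```

Running it against the thread's own deny line reports `expected: G` with `passes: False`, which is the asymmetric path; feeding the same source with ingress `G` passes, which is what the later fix on the server-side switch achieved.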
05-13-2014 01:43 PM
Hi Marvin,
It was an asymmetric routing issue that has been fixed.
Traffic flow was like this
user ----DMZ_int----ASA1----G_int---------------G_int----------ASA2-------R_int---server
On ASA1 it was coming back on R_int that was due to asymmetric routing.
I fixed the static routing on switch where server is connected to point to int_R for return traffic and that fixed the issue.
Regards
Mahesh