Cisco Support Community
New Member

Deny TCP reverse path check on interface

Hi Everyone,

User is trying to access a server.

He goes via

User PC  -----------ASA1------------------LAN network ------------ASA2-----LAN network---------Server

PC IP 172.16.90.20

Server IP 172.20.251.8

%ASA-6-302013: Built inbound TCP connection 390737788 for dmz:172.16.90.20/49322 (172.16.90.20/49322) to G:172.20.251.8/443 (172.20.251.8/443)

%ASA-1-106021: Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R

Routing on ASA1

route G 172.16.0.0 255.240.0.0 172.16.100.200

ASA2 has logs:

%ASA-6-302013: Built outbound TCP connection 150409110 for R:172.20.251.8/443 (172.20.251.8/443) to G:172.16.90.20/49322 (172.16.90.20/49322)

May 07 2014 21:45:58: %ASA-6-302014: Teardown TCP connection 150409110 for R:172.20.251.8/443 to G:172.16.90.20/49322 duration 0:00:30 bytes 0 SYN Timeout

Routing on ASA2

route R 172.20.251.0 255.255.255.0 172.24.100.200

How can I fix this issue?

To me it seems like a routing issue?

Regards

Mahesh

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Ok, looking closer I see the return traffic is being denied because it comes in via interface R:

     Deny TCP reverse path check from 172.20.251.8 to 172.16.90.20 on interface R

But your routing says that network should be reached via interface G:

     route G 172.16.0.0 255.240.0.0 172.16.100.200

That is asymmetric routing and is not supported by the ASA.

6 REPLIES
Silver

Hello Mahesh,

The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection request, and, in most cases, is not related to the configuration on PIX/ASA.

Check the default gateway of your server.

HTH

New Member

Hi Poonam,

Server is configured correctly with a gateway, as users connected behind ASA2 have no issues.

Regards

Mahesh

Hall of Fame Super Silver

Mahesh,

Is NAT set up on ASA1? The 106021 syslog message you are getting there could indicate your NAT rules are asymmetric.

New Member

Hi Marvin,

There is no NAT on ASA1 and also on ASA2.

Regards

Mahesh

New Member

Hi Marvin,

It was an asymmetric routing issue that has been fixed.

Traffic flow was like this:

user ----DMZ_int----ASA1----G_int---------------G_int----------ASA2-------R_int---server

On ASA1 it was coming back on R_int, which was due to asymmetric routing.

I fixed the static routing on the switch where the server is connected to point to int_R for return traffic, and that fixed the issue.

Regards

Mahesh
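The reverse-path check behind the 106021 message in the accepted solution, together with the before/after of the fix described in the last post, as an added example that is not part of the original thread and not Cisco code: a small Python simulation of the ASA's unicast RPF logic (`ip verify reverse-path`) run over ASA1's static route from the thread. The ASA looks up the packet's source address in its routing table and drops the packet unless the best route points back out the interface the packet arrived on. On ASA1 the SYN-ACK's source, 172.20.251.8, falls inside 172.16.0.0/12, which the `route G ...` line sends out G, so a copy arriving on R fails the check; after the switch fix it re-enters on G and passes. The connected dmz subnet for the user PC (172.16.90.0/24) is an assumption made for the example; the thread gives only the PC's address.

```python
"""Simulate the Cisco ASA unicast reverse-path check (ip verify reverse-path)
over the static routes and addresses from the thread.  Added illustration
written for this page, not Cisco code.  The interface names and the
'route G ...' line come from the thread; the connected dmz subnet of the
user PC is an ASSUMPTION made for the example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: Net
    next_hop: Optional[IPv4]  # None marks a directly connected subnet


ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_static_routes(config: str) -> list[Route]:
    """Parse 'route <iface> <network> <mask> <next-hop>' lines (ASA syntax)."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, nh = m.groups()
            routes.append(Route(iface, Net(f"{net}/{mask}"), IPv4(nh)))
    return routes


def connected(iface: str, cidr: str) -> Route:
    """A directly connected subnet, which the ASA installs for every interface."""
    return Route(iface, Net(cidr), None)


def lookup(routes: list[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, as the ASA routing table resolves an address."""
    ip = IPv4(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_check(routes: list[Route], ingress: str, src: str) -> bool:
    """uRPF as the ASA applies it: the best route back to the packet's SOURCE
    address must point out the interface the packet arrived on."""
    r = lookup(routes, src)
    return r is not None and r.iface == ingress


def rpf_verdict(routes: list[Route], ingress: str, src: str, dst: str, proto: str = "TCP") -> str:
    """Return a line in the shape of the thread's 106021 message, or a permit note."""
    r = lookup(routes, src)
    if rpf_check(routes, ingress, src):
        return f"Permit {proto} {src} -> {dst} on interface {ingress} (route to {src} is via {ingress})"
    via = f"via {r.iface}" if r else "no route"
    return (f"%ASA-1-106021: Deny {proto} reverse path check from {src} to {dst} "
            f"on interface {ingress} (route to {src} is {via})")


# ASA1's routing table as far as the thread shows it.  The dmz subnet of the
# user PC is an ASSUMPTION for this example; the thread only gives the PC's IP.
ASA1_ROUTES = [connected("dmz", "172.16.90.0/24")] + parse_static_routes(
    "route G 172.16.0.0 255.240.0.0 172.16.100.200\n"
)

PC, SERVER = "172.16.90.20", "172.20.251.8"


def before_fix() -> tuple[str, str]:
    """Forward SYN enters ASA1 on dmz; the SYN-ACK comes back on R (asymmetric path)."""
    return (rpf_verdict(ASA1_ROUTES, "dmz", PC, SERVER),
            rpf_verdict(ASA1_ROUTES, "R", SERVER, PC))


def after_fix() -> str:
    """After the switch's static route was corrected, the SYN-ACK re-enters ASA1 on G."""
    return rpf_verdict(ASA1_ROUTES, "G", SERVER, PC)


if __name__ == "__main__":
    for line in before_fix():
        print(line)
    print(after_fix())
```

Run it directly to print the verdict for each of the three packets. The same lookup also shows why the forward SYN was never a problem: the assumed /24 connected route on dmz beats the /12 static route in the longest-prefix match, so a packet sourced from the PC arriving on dmz passes. The check is on the source address, which is why the /12 route toward G matters for a packet sourced from 172.20.251.8 even though that address is not the one the route was written for.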
