New Member

Inbound TCP connection denied

Feb 27 2014 17:02:10: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags RST on interface visitor

Feb 27 2014 17:02:04: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags ACK on interface visitor

Feb 27 2014 17:01:58: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags SYN on interface visitor

Hi Everyone,

I was testing a new VPN IPsec remote connection from our visitor network and got the logs above.

Do these logs indicate that the ASA sees no route from interface name visitor from source 192.168 to 200.x.x?

Remote VPN works fine from the Internet.

Regards

MAhesh

Message was edited by: mahesh parmar

2 ACCEPTED SOLUTIONS
Super Bronze

Inbound TCP connection denied

Hi Mahesh,

Where is the VPN device located to which the "visitor" user is connecting to?

Is it possibly the same ASA that is showing these logs? That would possibly mean that you are trying to connect to the external interface of the ASA which would be impossible other than from behind that external interface.

Might need more description of the situation and/or see some configurations from the ASA to determine what the situation is.

- Jouni

Hall of Fame Super Silver

Inbound TCP connection denied

Mahesh

In your original post you ask if it might be an issue that the ASA does not see a route for the destination. In my experience when the ASA does not have a route it will have that in the error message. So I do not believe that this issue is a routing issue. I suspect that it is more likely an issue of security level between the interface where you are connected and the interface through which you need to go. Can you identify the security level of the interfaces involved on ASA1? And are any access lists configured on the ASA for those interfaces?

HTH

Rick

5 REPLIES
New Member

Inbound TCP connection denied

Hi Jouni,

VPN client works fine from internet.

Setup is

--------ASA1 Internet---------------ASA2  VPN

Internet ASA1 has an interface called visitor where my PC is connected, and I am trying to VPN to the corp network.

This never worked before, so I am in charge of making this happen.

I am trying to reach IP 200.x, which is the VPN ASA's outside interface.

Regards

MAhesh

New Member

Inbound TCP connection denied

Hi Rick,

Nice to see a reply from you.

ASA1 interface visitor, where the PC is connected, has security level 5.

When a user connects from the internet, traffic flows via ASA1 interface outside to interface VPN.

The ASA1 interface from which I need to reach ASA2 is VPN and has a security level of 5.

Interface visitor has an ACL from any to any.

Regards

MAhesh

New Member

Re: Inbound TCP connection denied


Hi Rick,

It was not a routing issue; both interfaces of ASA1 (Internet) had the same security level.

Changing the security level of one interface fixed the problem.

Regards

MAhesh

Message was edited by: mahesh parmar
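
Added example, not part of the original thread: a small Python parser that groups %ASA-2-106001 lines by flow, using the three log lines from the first post as sample input. It shows that the SYN, ACK and RST denials are one connection attempt from a single source port, and that the very first packet (the SYN) was already denied on interface visitor. The function names are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the three log lines quoted in the first post of the thread.
SAMPLE = """\
Feb 27 2014 17:02:10: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags RST on interface visitor
Feb 27 2014 17:02:04: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags ACK on interface visitor
Feb 27 2014 17:01:58: %ASA-2-106001: Inbound TCP connection denied from 192.168.211.56/3376 to 200.x.x.x/10000 flags SYN on interface visitor
"""

# Field layout of the 106001 message as it appears in the lines above.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-2-106001: "
    r"Inbound TCP connection denied from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<ifc>\S+)\s*$"
)

def parse(text):
    """Return one dict per 106001 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%b %d %Y %H:%M:%S")
        events.append(event)
    return events

def denied_flows(text):
    """Map (interface, src, sport, dst, dport) to denied TCP flags in time order."""
    flows = defaultdict(list)
    for e in sorted(parse(text), key=lambda e: e["ts"]):
        key = (e["ifc"], e["src"], int(e["sport"]), e["dst"], int(e["dport"]))
        flows[key].append(e["flags"])
    return dict(flows)

def denied_at_setup(flags):
    """True when the earliest denied packet of a flow is the initial SYN."""
    return bool(flags) and flags[0] == "SYN"

if __name__ == "__main__":
    for flow, flags in denied_flows(SAMPLE).items():
        print(flow, flags, "denied at setup:", denied_at_setup(flags))
```

A flow whose first denied packet is the SYN was refused by the ASA at connection setup on the ingress interface, which fits the interface-policy explanation reached in the thread.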
