Need assistance with ASA 5510 denying TCP connections

sdns_swrmc_lan
Level 1

We are implementing an ASA 5510 firewall with DMZ.  Our UDP packets are able to get outside the firewall, but our TCP packets are being denied because of no connection.  I've attached the config file and log file.  Any assistance is appreciated.

4 Replies

Hi Bro

I had a look at your config, and I have a strong feeling you're not giving a complete picture of your situation. Anyhow, you have asymmetric routing happening in your LAN. Asymmetric routing means the request packets and the replies to the same packets take different routing directions (not through the firewall).

Let's take this message for example:

6|Aug 15 2012|18:50:37|106015|172.16.11.75|2758|69.43.106.190|443|Deny TCP (no connection) from 172.16.11.75/2758 to 69.43.106.190/443 flags RST on interface INSIDE

The Firewall reset this connection because it saw 172.16.11.75 wanting to reply to 69.43.106.190. The reason for this is that the Firewall never saw a request from 172.16.11.75 to 69.43.106.190 in the first place. There should always be a request and then a reply, as in SYN, SYN-ACK and ACK.

Basically, the Firewall discarded this TCP packet because it has no associated connection in the connection table (show conn). The Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the Firewall discards the packet.

You could furnish a complete diagram here and a COMPLETE FIREWALL CONFIG HERE, so that others could assist you as well.

Warm regards,
Ramraj Sivagnanam Sivajanam

nkarthikeyan
Level 7

Hi Paul,

The error 106015 comes into the picture when the first packet of your traffic is not a SYN packet. So the firewall denies it, stating there is no connection to establish. So there is a problem in the traffic which the host is generating. The ASA looks for a SYN packet when it needs to build a connection.

So the traffic sent by the specific hosts in your network is not proper, as it doesn't carry a SYN packet, such as:

Aug 15 2012|18:50:36|106015|172.16.10.137|1568|64.212.100.99|80|Deny TCP (no connection) from 172.16.10.137/1568 to 64.212.100.99/80 flags RST  on interface INSIDE

But at the same time there are other TCP connections established successfully in your network:

Aug 15 2012|18:50:36|302013|69.43.106.190|443|172.16.10.152|3977|Built outbound TCP connection 139054 for OUTSIDE:69.43.106.190/443 (69.43.106.190/443) to INSIDE:172.16.10.152/3977 (172.16.10.152/3977)

So all you need is to check the hosts which are generating such traffic and sort out this problem.

Please do rate if the given information helps.

By

Karthik
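The two replies above make the same point from different angles: a 106015 means the ASA received a TCP segment without SYN for which it holds no entry in its connection table, and the log itself tells you which hosts are affected and whether a connection was ever built for that flow. As an added example (not part of this thread and not Cisco's code), the Python script below parses the pipe-delimited ASDM log export format used in the messages quoted above, checks each 106015 deny against the 302013 "Built ... connection" messages seen earlier in the file, labels each deny, and ranks the inside hosts behind the suspicious ones. The log lines inside it are constructed for the example, modelled on the format in the thread; the verdict names (`stale_session`, `unseen_syn`, `stray_rst`, `mid_stream`) are my own labels, not ASA terminology.

```python
import re
from collections import Counter

# Constructed sample in the ASDM export format seen in the thread:
# [severity|]date|time|msgid|src|sport|dst|dport|text. Not real traffic.
SAMPLE_LOG = """\
6|Aug 15 2012|18:50:36|302013|69.43.106.190|443|172.16.10.152|3977|Built outbound TCP connection 139054 for OUTSIDE:69.43.106.190/443 (69.43.106.190/443) to INSIDE:172.16.10.152/3977 (172.16.10.152/3977)
Aug 15 2012|18:50:36|106015|172.16.10.137|1568|64.212.100.99|80|Deny TCP (no connection) from 172.16.10.137/1568 to 64.212.100.99/80 flags RST  on interface INSIDE
6|Aug 15 2012|18:50:37|106015|172.16.11.75|2758|69.43.106.190|443|Deny TCP (no connection) from 172.16.11.75/2758 to 69.43.106.190/443 flags RST on interface INSIDE
6|Aug 15 2012|18:50:37|106015|69.43.106.190|443|172.16.11.75|2759|Deny TCP (no connection) from 69.43.106.190/443 to 172.16.11.75/2759 flags SYN ACK on interface OUTSIDE
6|Aug 15 2012|18:50:38|106015|172.16.11.75|2760|69.43.106.190|443|Deny TCP (no connection) from 172.16.11.75/2760 to 69.43.106.190/443 flags PSH ACK on interface INSIDE
6|Aug 15 2012|18:50:39|106015|172.16.10.152|3977|69.43.106.190|443|Deny TCP (no connection) from 172.16.10.152/3977 to 69.43.106.190/443 flags FIN ACK on interface INSIDE
"""

DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) flags ([A-Z ]+?)\s+on interface (\S+)")
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection \d+ for \w+:(\S+)/(\d+) \(\S+\) to \w+:(\S+)/(\d+)")


def parse_line(line):
    """Split one ASDM export line; the leading severity column is optional."""
    fields = line.rstrip("\n").split("|")
    if fields and fields[0].isdigit():
        fields = fields[1:]
    if len(fields) < 8:
        return None
    return {"ts": f"{fields[0]} {fields[1]}", "msgid": fields[2], "text": fields[7]}


def flow_key(a, ap, b, bp):
    """Direction-independent identity of a TCP 4-tuple."""
    return frozenset({(a, int(ap)), (b, int(bp))})


def classify(flags, seen_built):
    # A deny for a flow the ASA did build earlier is teardown noise (idle timeout,
    # late FIN/RST), not a routing problem.
    if seen_built:
        return "stale_session"
    # A SYN-ACK with no connection means the ASA never saw the SYN that
    # provoked it: the request went around the firewall (asymmetric routing).
    if "SYN" in flags and "ACK" in flags:
        return "unseen_syn"
    if flags == {"RST"}:
        return "stray_rst"
    # ACK/PSH/FIN mid-stream with no state: asymmetric path or the ASA lost its table.
    return "mid_stream"


def analyze(log_text):
    built = set()
    denies = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msgid"] == "302013":
            m = BUILT_RE.search(rec["text"])
            if m:
                built.add(flow_key(*m.groups()))
        elif rec["msgid"] == "106015":
            m = DENY_RE.search(rec["text"])
            if not m:
                continue
            src, sport, dst, dport, flags, iface = m.groups()
            flagset = set(flags.split())
            denies.append({
                "ts": rec["ts"], "src": src, "dst": dst, "dport": int(dport),
                "flags": flagset, "iface": iface,
                "verdict": classify(flagset, flow_key(src, sport, dst, dport) in built),
            })
    return denies


def suspect_hosts(denies):
    """Inside hosts ranked by denies that point at missing state, not stale sessions."""
    counts = Counter()
    for d in denies:
        if d["verdict"] != "stale_session":
            # The interface is where the packet arrived, so on OUTSIDE the inside host is the destination.
            inside = d["src"] if d["iface"] == "INSIDE" else d["dst"]
            counts[inside] += 1
    return counts.most_common()


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for d in result:
        print(f'{d["ts"]} {d["src"]} -> {d["dst"]}:{d["dport"]} '
              f'{" ".join(sorted(d["flags"]))} on {d["iface"]}: {d["verdict"]}')
    print("suspect inside hosts:", suspect_hosts(result))
```

Feed it the exported log (`analyze(open("asa.log").read())`) and read the verdicts: `unseen_syn` denies on the outside interface are the clearest asymmetric-routing signature, `mid_stream` and repeated `stray_rst` from the same inside host usually mean that host's outbound path bypasses the ASA while its replies come back through it, and `stale_session` denies are normal after a connection is torn down. The fix for the first two is to make both directions of the flow traverse the ASA (routing or default gateway on the hosts); the ASA's TCP state bypass feature can paper over it, but it disables stateful TCP checking for the matched traffic, so it is a last resort rather than a solution.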

montasersawi
Level 1

I have the same problem with Lync 2013. I permit the Lync TCP and UDP ports, and when I try to do any desktop sharing the TCP packets are denied because of no connection. Please help, guys.

Lync is in a different VLAN from the users' VLAN.

Any advice will be appreciated.

Thanks,

Montaser

Hi montasersawi,

Did you find a solution for the Lync environment for this?

I am facing the same issue.

Thanks!
