Cisco Support Community

New Member

no associated connection in the security appliance table

Hi,

When I try to ssh to a certain host my connection gets denied for some reason.

I get the following error message:

6 Aug 05 2008 14:26:37 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) from 192.168.1.31/46587 to 192.168.200.2/22 flags RST on interface inside

The security appliance discarded a TCP packet that has no associated connection in the security appliance table

Any ideas?

6 REPLIES

Re: no associated connection in the security appliance table

Check your access-lists

New Member

Re: no associated connection in the security appliance table

I'm not sure the access lists are at fault here. Could you be a bit more specific?

Re: no associated connection in the security appliance table

I have seen this in two instances:-

1) An acl on the inside interface blocking ssh access to a host beyond the pix/asa - hence the rst.

2) You are actually trying to ssh to the pix/asa and you have not configured ssh access on the inside interface; the pix/asa will send a rst and not just drop.

I am presuming that it's not option 2, so I would double check acls.

HTH

Re: no associated connection in the security appliance table

Can you put your ACL and NAT config?

New Member

Re: no associated connection in the security appliance table

Hi,

I discovered that it doesn't matter what service I connect to. I have an ftp server on the target host and I get the same error message. Any help would be appreciated.

Re: no associated connection in the security appliance table

Since you changed the NAT from the inside to the DMZ - did you perform a "clear xlate"?

Are the relevant services on the machine actually running - have you performed a packet capture on the remote machine to see if the requests are actually hitting it?

Do you see any hit counters on the acl:-

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

Are you able to ping from 192.168.1.x to 192.168.200.x?
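Added example, not posted by anyone in this thread: a Python sketch that parses 106015 deny lines in the layout quoted in the question and groups them per source, destination and interface, so it is visible whether the denies hit one port or every service on the host. It assumes IPv4 addresses; apart from the first sample line, which is the one from the question, the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Layout of the 106015 message text as quoted in the question.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifname>\S+)"
)

def parse_106015(line):
    """Return the fields of one deny line, or None if the line does not match."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = tuple(rec["flags"].split())  # e.g. ("RST",) or ("FIN", "ACK")
    return rec

def summarize(lines):
    """Group denies per (src, dst, interface): count, destination ports, flag sets."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "flags": Counter()})
    for line in lines:
        rec = parse_106015(line)
        if rec is None:
            continue  # not a 106015 deny line
        entry = summary[(rec["src"], rec["dst"], rec["ifname"])]
        entry["count"] += 1
        entry["ports"].add(rec["dport"])
        entry["flags"][" ".join(rec["flags"])] += 1
    return dict(summary)

SAMPLE = [
    # Line from the question.
    "6 Aug 05 2008 14:26:37 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) "
    "from 192.168.1.31/46587 to 192.168.200.2/22 flags RST on interface inside",
    # Constructed lines in the same layout (FTP attempt, multi-flag case, non-matching line).
    "6 Aug 05 2008 14:27:02 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) "
    "from 192.168.1.31/46601 to 192.168.200.2/21 flags RST on interface inside",
    "6 Aug 05 2008 14:27:09 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) "
    "from 192.168.1.31/46601 to 192.168.200.2/21 flags FIN ACK on interface inside",
    "6 Aug 05 2008 14:27:30 000000 constructed line that is not a deny message",
]

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        print(key, entry["count"], sorted(entry["ports"]), dict(entry["flags"]))
```

Denies spread over several destination ports for one host pair, as with the ssh and ftp attempts reported above, show up as more than one entry in `ports`.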
