no associated connection in the security appliance table

robbhanMid
Level 1

Hi,

When I try to ssh to a certain host my connection gets denied for some reason.

I get the following error message:

6 Aug 05 2008 14:26:37 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) from 192.168.1.31/46587 to 192.168.200.2/22 flags RST on interface inside

The security appliance discarded a TCP packet that has no associated connection in the security appliance table

Any ideas?

6 Replies

andrew.prince
Level 10

Check your access-lists.

I'm not sure the access lists are at fault here. Could you be a bit more specific?

I have seen this in two instances:-

1) An ACL on the inside interface blocking ssh access to a host beyond the pix/asa - hence the rst.

2) You are actually trying to ssh to the pix/asa and you have not configured ssh access on the inside interface; the pix/asa will send a rst and not just drop.

I am presuming that it's not option 2, so I would double check acl's.

HTH

Marwan ALshawi
VIP Alumni

Can you post your ACL and NAT config?

Hi,

I discovered that it doesn't matter what service I connect to. I have an ftp server on the target host and I get the same error message. Any help would be appreciated.

Since you changed the NAT from the inside to the DMZ, did you perform a "clear xlate"?

Are the relevant services on the machine actually running? Have you performed a packet capture on the remote machine to see if the requests are actually hitting it?

Do you see any hit counters on the acl:-

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

Are you able to ping from 192.168.1.x to 192.168.200.x?

????
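
To check the observation in the thread that the denial appears regardless of service, the 106015 lines can be grouped per source/destination pair to see which ports and TCP flags are involved. This is an added example, not part of any post above; the function names are hypothetical, the first sample line is the one quoted in the question, and the other two are constructed.

```python
import re
from collections import defaultdict

# Matches syslog 106015 as rendered in the question (also the %ASA-6-106015: form).
LINE_RE = re.compile(
    r"106015\b.*?Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = tuple(ev["flags"].split())
    return ev

def summarize(lines):
    """Group denials by (src, dst, interface): destination ports, flags, count."""
    out = defaultdict(lambda: {"ports": set(), "flags": set(), "count": 0})
    for line in lines:
        ev = parse_106015(line)
        if ev is None:
            continue  # not a 106015 message
        entry = out[(ev["src"], ev["dst"], ev["ifc"])]
        entry["ports"].add(ev["dport"])
        entry["flags"].update(ev["flags"])
        entry["count"] += 1
    return dict(out)

# Line 1 is quoted from the question; lines 2 and 3 are constructed samples.
SAMPLE = [
    "6 Aug 05 2008 14:26:37 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) "
    "from 192.168.1.31/46587 to 192.168.200.2/22 flags RST on interface inside",
    "6 Aug 05 2008 14:27:02 106015 192.168.1.31 192.168.200.2 Deny TCP (no connection) "
    "from 192.168.1.31/46590 to 192.168.200.2/21 flags RST on interface inside",
    "6 Aug 05 2008 14:27:40 000000 constructed line that is not a 106015 message",
]

if __name__ == "__main__":
    for (src, dst, ifc), s in summarize(SAMPLE).items():
        print(f"{src} -> {dst} on {ifc}: {s['count']} denials, "
              f"ports {sorted(s['ports'])}, flags {sorted(s['flags'])}")
```

A pair that shows denials on several destination ports, as here, matches what the original poster reported for ssh and ftp.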
