Cisco Support Community
Community Member

Packet dropping - confused, help - new to ASA

Hi All,

My internal networks are subnetted down into variable length networks.

The inside interface sits on , with a gateway to the rest of the internal network via a Cisco 3750 on

I have NAT-exempted the internal traffic and allowed traffic across all internal ports on the ASA, but we still keep getting the following message:

6 Dec 02 2008 15:41:26 106015 Deny TCP (no connection) from to flags RST on interface inside

Very very frustrating.

It is as though the ASA is limited to talking to 1 subnet only, because the packet did not originate from the ASA itself and it is considering this a breach of the normal TCP SYN/ACK rules.


sh run attached


Re: Packet dropping - confused, help - new to ASA

If I read that right, then the source and destination of that packet are both on the inside of the ASA. Is it possible that the ASA is seeing only half of the 2-way conversation? A stateful firewall will never like that. For that reason it would be best to use the internal router as default gateway for all devices on the ASA's subnet, rather than use the ASA itself.

You can "bounce" traffic off the ASA if you have "same-security-traffic permit intra-interface" but the ASA must see the full connection. This can be awkward to achieve.

Sometimes 106015 messages happen just because the ASA has torn down the connection before one of the hosts has, so this could refer to a connection which is finished as far as the ASA is concerned.

So, set the gateway of to be the router, not the ASA.
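An added example, not code from the thread, that parses ASA 106015 lines of the form quoted above and picks out the case described in this reply: RST-only denies on the inside interface where both ends are internal, i.e. traffic bounced off the ASA that it only sees half of. The sample lines and addresses are constructed, and the 10.0.0.0/8 internal range is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Matches both the ASDM log-viewer form quoted in the thread and the raw
# "%ASA-6-106015:" syslog form of the same message.
_RE_106015 = re.compile(
    r"106015:?\s+Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

def parse_106015(line):
    """Return the fields of a 106015 message, or None if the line is something else."""
    m = _RE_106015.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["flags"] = ev["flags"].split()
    return ev

def hairpin_suspects(lines, internal_nets, iface="inside"):
    """Count 106015 denies on `iface` whose source AND destination are both internal.
    Those are the 'bounced off the ASA' flows the firewall sees only one direction of.
    Denies with an external end are skipped: that is usually just the ASA having
    already torn the connection down, the benign case from the reply."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    hits = Counter()
    for line in lines:
        ev = parse_106015(line)
        if ev and ev["iface"] == iface and internal(ev["src"]) and internal(ev["dst"]):
            hits[(ev["src"], ev["dst"])] += 1
    return hits

# Constructed sample lines; the addresses are made up, not from the thread.
SAMPLE = [
    "6 Dec 02 2008 15:41:26 106015 Deny TCP (no connection) from 10.1.1.20/51000 to 10.2.5.9/445 flags RST on interface inside",
    "6 Dec 02 2008 15:41:27 106015 Deny TCP (no connection) from 10.1.1.20/51001 to 10.2.5.9/445 flags RST on interface inside",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.1.1.20/52000 flags FIN ACK on interface outside",
    "6 Dec 02 2008 15:41:30 302014 Teardown TCP connection 1234 for outside:198.51.100.7/443 to inside:10.1.1.20/52000",
]

if __name__ == "__main__":
    for (src, dst), n in hairpin_suspects(SAMPLE, ["10.0.0.0/8"]).items():
        print(f"{src} -> {dst}: {n} denies on inside; check both hosts' default gateway")
```

A pair that keeps showing up here is a host whose default gateway is the ASA rather than the internal router, which is the fix the reply suggests.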

Community Member

Re: Packet dropping - confused, help - new to ASA

Thanks Grant,

The source/destination are on the correct interfaces with the correct security levels - 0 and 100. The only weirdness is the 192.x.x.x and 10.x.x.x - the 192.x.x.x is a BT router on an ADSL circuit; it is doing the NAT for the external ASA interface to a routable address.

I agree with you, the ASA is tearing down the session because it is not seeing the full SYN/ACK - RST sequence and assuming something is amiss. Works fine if there is a single subnet behind the ASA, but not multiple nets.

I will try again using the 3750 on the LAN as the gateway for the ASA, which gives me another unique problem I will not bore you with.....
