
New Member

Site to Site VPN issue

This is a little strange. We have a LAN-to-LAN VPN set up and I am getting a message from the ASA saying:

2|Aug 07 2008 08:39:59|106001: Inbound TCP connection denied from to xx.xx.x.162/23 flags SYN on interface inside

when we try to telnet to the device. They can telnet from their end to our system, but I get that type of message whenever I try anything other than a ping; traceroute gives me a similar error. I am getting hits on the ACL for the tunnel but the traffic is not passing.

And stranger yet, this is an outbound connection and I am getting an inbound connection error.

I also have other connections to this server that are working. I am a little perplexed.

Anyone have any ideas?


Re: Site to Site VPN issue

Are you sure that your NONAT access list on the ASA at your facility is permitting traffic from your local network to the remote network?

New Member

Re: Site to Site VPN issue

There is no NONAT ACL; instead we have an inside_nat0_outbound ACL.

And this one shows to be set up the same as the 12 LAN-to-LAN VPNs that are working.

Re: Site to Site VPN issue

Can you post the complete configuration of the ASA that does not work as well as one that does work so the community can review it?

Also, have you tried running the command:

same-security-traffic permit intra-interface
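
For readers following the two checks above (the NAT exemption ACL and the crypto ACL for one LAN-to-LAN entry), the following is an added example of what a consistent pre-8.3 ASA configuration for one such tunnel looks like, together with the show and packet-tracer commands used to verify it. It is not the configuration attached in the thread. The ACL names inside_nat0_outbound and outside_cryptomap_220 are taken from the thread; the addresses (10.1.1.0/24 local, 192.168.50.0/24 remote, peer 203.0.113.10), the crypto map name outside_map, the transform set name and the test host addresses are assumptions. Phase 1 (ISAKMP policy and tunnel-group) is omitted because the poster's tunnel establishes and passes ICMP.

```cisco
! Added example, not the thread's config. Assumed addressing:
!   local LAN 10.1.1.0/24 behind "inside", remote LAN 192.168.50.0/24
!   behind the peer at 203.0.113.10. Pre-8.3 NAT syntax (2008 era).

! 1. Crypto ACL: selects the traffic that must be encrypted, local -> remote.
access-list outside_cryptomap_220 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0

! 2. NAT exemption: the same source/destination pair must be excluded from
!    NAT, otherwise the source is translated before the packet is compared
!    against the crypto ACL and it never enters the tunnel. The exemption ACL
!    is only effective once it is bound with "nat (inside) 0".
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 3. Transform set and crypto map entry 220 for this peer.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set peer 203.0.113.10
crypto map outside_map 220 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! 4. Decrypted VPN traffic bypasses the interface ACLs while this is set
!    (it is the default). If it has been removed, the ACL applied to the
!    outside interface must explicitly permit the remote subnet.
sysopt connection permit-vpn

! --- Verification, from enable mode ---

! The exemption ACL and the crypto ACL must describe the same subnets, and
! the exemption must actually be bound to the inside interface.
show running-config access-list inside_nat0_outbound
show running-config access-list outside_cryptomap_220
show running-config nat
show running-config sysopt

! Simulate the failing telnet from a local host (assumed 10.1.1.10) to the
! remote host (assumed 192.168.50.20). Read the NAT phase (the source must
! not be translated) and the VPN phase (there must be an ENCRYPT/ALLOW).
packet-tracer input inside tcp 10.1.1.10 12345 192.168.50.20 23 detailed

! Per-peer SA counters: if telnet is not being encrypted, "#pkts encaps"
! for this peer stays flat when you retry it, while it rises for ping.
show crypto ipsec sa peer 203.0.113.10
```

The same-security-traffic permit intra-interface command suggested above matters when traffic enters and leaves the ASA on the same interface; it does not replace the NAT exemption check, so run the packet-tracer test first to see which phase drops the packet.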

New Member

Re: Site to Site VPN issue

The issue isn't that one of our devices doesn't work, rather that one of the 13 LAN-to-LAN connections is having some issues. The other 12 LAN-to-LAN VPNs are working fine.

I attached the ASA config. The connection that is giving me issues is outside_cryptomap_220.

New Member

Re: Site to Site VPN issue

Here is a little more info. The device on the other end is a Watchguard FireBox. I can ping and traceroute (anything ICMP), but anything TCP or UDP acts like there is no tunnel. I can kill the tunnel and a telnet will bring it up, but then it acts the same as if I try from an address that is not listed in the tunnel.

I removed all the settings, purged all the ACLs and recreated it from my end, to no avail. I am stumped.

Any of this make sense?
