Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ssh connection is reseted


ssh connection goes from server1 to server2, between servers is  IPSec tunnel ASA1- ASA2

But connection is reseted, i have tis log message on ASA1

%PIX|ASA-2-106001: Inbound TCP connection denied from  IP_address/port to IP_address/port flags tcp_flags on interface  interface_name

flag is SYN

what should be a reason of reset ssh?

access-list contains ssh between nodes, so reason can not be in access-list

ASA1 has ver 8.1.2


New Member

Re: ssh connection is reseted

Peter, can you share the configuration of the both ASA's? That will help in figuring why the ASA denies/drops the SYN packet from your ssh connection.


Cisco Employee

Re: ssh connection is reseted

You can check if you have command "service resetinbound" or "outbound" in your config.

An IPS module on the ASA could also send the RST.

I hope it helps.


New Member

Re: ssh connection is reseted

ASA 5520 supports ASDM management which is GUI based tool. This provides packet tracer tool

where you can define source IP, Destination IP, source Interface, Source Port, and Destination Port. This will help you to identify where exactly problem you have. The problem appears to be in reverse NAT or security policy. This would be more clarified by information shared in document

%PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port 
to IP_address/port flags tcp_flags on interface interface_name


This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

  • ACK—The acknowledgment number was received.

  • FIN—Data was sent.

  • PSH—The receiver passed data to the application.

  • RST—The connection was reset.

  • SYN—Sequence numbers were synchronized to start a connection.

  • URG—The urgent pointer was declared valid.

There are many reasons for static translation to fail on the PIX/ASA. But, a common reason is if the demilitarized zone (DMZ) interface is configured with the same security level (0) as the outside interface.

In order to resolve this issue, assign a different security level to all interfaces

Refer to Configuring Interface Parameters for more information.

This error message also appears if an external device sends an IDENT packet to the internal client, which is dropped by the PIX Firewall. Refer to PIX Performance Issues Caused by IDENT Protocol for more information