New Member

ASA 5500 SSL VPN Client always returns a SYN ACK error

I'm trying to set up my ASA 5510 so that multiple users on the outside interface can access a terminal server in my DMZ.

I'm able to connect to the ASA using the SSL Client but when I want to access the terminal server I receive this message: Deny TCP (no connection) from 10.29.250.210/3389 to 10.19.10.100/1197 flags SYN ACK on interface inside.

I'm trying to resolve my problem but I don't know where to start... Is this a NAT rules problem... an ACL rule problem?

Thanks for your help

Sebastian.

3 REPLIES
New Member

Re: ASA 5500 SSL VPN Client always returns a SYN ACK error

This error is saying that the PIX denied the packet because it does not have a connection in its state table for this traffic, but yet it is seeing TCP flags indicating a response to the SYN process of a three-way handshake. It is a security feature.

I have seen this error once before for outbound HTTP traffic and resolved it by disabling outbound http inspection.

Are you seeing the packet from your computer to the TS server?
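The state-table check described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a toy filter in which only a bare SYN may create a connection entry, so a SYN ACK for a flow whose SYN the filter never handled is denied. The class and function names are hypothetical, the addresses and ports are taken from the log message in the question, and the "outside" interface for the client's SYN is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN", "ACK"}
    iface: str        # interface the firewall received it on

@dataclass
class StatefulFilter:
    """Hypothetical toy model; ACL, NAT and timeouts are left out."""
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:            # only a bare SYN may create state
            self.conns.add(fwd)
            return True
        if fwd in self.conns or rev in self.conns:
            return True                   # belongs to a tracked connection
        names = " ".join(f for f in ("SYN", "FIN", "RST", "ACK") if f in p.flags)
        self.log.append(f"Deny TCP (no connection) from {p.src}/{p.sport} "
                        f"to {p.dst}/{p.dport} flags {names} on interface {p.iface}")
        return False

def pkt(src, sport, dst, dport, flags, iface):
    return Packet(src, sport, dst, dport, frozenset(flags.split()), iface)

CLIENT, SERVER = "10.19.10.100", "10.29.250.210"  # addresses from the question

def symmetric_path():
    """Firewall sees the SYN, so the returning SYN ACK matches state."""
    fw = StatefulFilter()
    fw.handle(pkt(CLIENT, 1197, SERVER, 3389, "SYN", "outside"))
    return fw.handle(pkt(SERVER, 3389, CLIENT, 1197, "SYN ACK", "inside")), fw.log

def syn_not_seen():
    """The SYN never passed through this filter; only the reply arrives."""
    fw = StatefulFilter()
    return fw.handle(pkt(SERVER, 3389, CLIENT, 1197, "SYN ACK", "inside")), fw.log

if __name__ == "__main__":
    print(symmetric_path())
    print(syn_not_seen())
```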

New Member

Re: ASA 5500 SSL VPN Client always returns a SYN ACK error

Yes, the packet is going to the terminal server. Here is the result of an Ethereal capture:

SRC 10.19.10.100 DST 10.29.250.210 TCP 1064 > 3389 [SYN] Seq=0 Len=0 MSS 1260

SRC 10.19.10.100 DST 10.29.250.210 TCP 1064 > 3389 [RST, ACK] Seq=2 Ack=1 Win 16384 Len=0

By the way, thanks for your help.

Sebastian

New Member

Re: ASA 5500 SSL VPN Client always returns a SYN ACK error

Has anyone ever experienced a problem like this one?

Sebastian
