Pix 515 running OS7.04 connection problems

jercollins · ‎04-04-2006

I am getting Denys with a no connection error listed. The error lines are (the IPs have been changed to protect the innocent):

Apr 04 2006 11:47:19 nybetbpc001-p01 : %PIX-6-106015: Deny TCP (no connection) from 110.x.x.36/9488 to 110.x.x.114/2381 flags SYN ACK on

interface outside

Apr 04 2006 11:47:22 nybetbpc001-p01 : %PIX-6-106015: Deny TCP (no connection) from 110.x.x.36/9488 to 110.x.x.114/2381 flags ACK on inte

rface outside

Apr 04 2006 11:47:22 nybetbpc001-p01 : %PIX-6-106015: Deny TCP (no connection) from 110.x1.x.36/9488 to 110.x.x.114/2381 flags SYN ACK on

interface outside

Apr 04 2006 11:47:28 nybetbpc001-p01 : %PIX-6-106015: Deny TCP (no connection) from 110.x.x.36/9488 to 110.x.x.114/2381 flags ACK on inte

rface outside

Apr 04 2006 11:47:28 nybetbpc001-p01 : %PIX-6-106015: Deny TCP (no connection) from 110.x.x.36/9488 to 110.x.x.114/2381 flags SYN ACK on

interface outside

I have added static statements and done all I can think of to clear this and allow the connects. I have opened up the acls to permit IP since this is an internal development device. Can anyone give me a line to follow?

Thanks,

Jerry

a-vazquez · ‎04-11-2006

This message is logged when the firewall discards a TCP packet that has no associated connection in the firewall unit's connection table. The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet.

In some instances if the connection timesout after a little bit but the application still thinks that its up then we can change the Default connection timeout through the PIX to something higher then the default of One hour.

davidecooper1967 · ‎04-13-2006

I believe there is a bug on this. Check out some earlier posts on similar issues.

I believe the bug ID is CSCef38784.

DC