ASA5550 TCP Reset Error

ITtech2010 Member Posts: 92
All,

I am trying to troubleshoot an issue with one of our subscribers accessing our replay server in our core network. I can't figure out why they are not able to route back.

Anyone have an idea of what's going on?

Sep 10 2012 11:22:35: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52386 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:35: %ASA-6-302013: Built inbound TCP connection 631177438 for outside39:12.182.174.2/52387 (12.182.174.2/52387) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:35: %ASA-6-302014: Teardown TCP connection 631177438 for outside39:12.182.174.2/52387 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:36: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52387 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:36: %ASA-6-302013: Built inbound TCP connection 631177457 for outside39:12.182.174.2/52388 (12.182.174.2/52388) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:36: %ASA-6-302014: Teardown TCP connection 631177457 for outside39:12.182.174.2/52388 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:37: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52388 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:37: %ASA-6-302013: Built inbound TCP connection 631177489 for outside39:12.182.174.2/52390 (12.182.174.2/52390) to inside:10.53.9.96/41002 (173.252.142.118/41002)

******# sh run | in Client
object-group network Client
access-list outside_in39 extended permit tcp object-group Client object-group dds_ips object-group dds_ports
access-list outside_in39 extended permit tcp object-group Client object-group bfd_ips object-group bfd_ports

*********# sh run | in 12.182
network-object 12.182.174.0 255.255.255.0
route outside39 12.182.174.0 255.255.255.0 192.168.19.13 1
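
An added example, not part of the original thread: a small Python correlator run over the log lines from the post above. It links each 106015 "no connection" deny to an earlier 302014 teardown of the same client IP and port, which here closed with 0 bytes and reason `TCP Reset-O` (a reset received from the outside host). The function and field names are illustrative assumptions.

```python
import re

# Log lines copied from the post above (the emoticon-garbled port on one line restored to 52388).
LOG = """\
Sep 10 2012 11:22:35: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52386 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:35: %ASA-6-302013: Built inbound TCP connection 631177438 for outside39:12.182.174.2/52387 (12.182.174.2/52387) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:35: %ASA-6-302014: Teardown TCP connection 631177438 for outside39:12.182.174.2/52387 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:36: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52387 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:36: %ASA-6-302013: Built inbound TCP connection 631177457 for outside39:12.182.174.2/52388 (12.182.174.2/52388) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:36: %ASA-6-302014: Teardown TCP connection 631177457 for outside39:12.182.174.2/52388 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:37: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52388 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:37: %ASA-6-302013: Built inbound TCP connection 631177489 for outside39:12.182.174.2/52390 (12.182.174.2/52390) to inside:10.53.9.96/41002 (173.252.142.118/41002)
"""

BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for \S+?:([\d.]+)/(\d+) ")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .*? bytes (\d+) (.+)$")
DENY = re.compile(r"%ASA-6-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to \S+ flags (.+?)\s+on interface")

def correlate(log_text):
    """Link each 106015 deny to the teardown of the same client ip/port, if one was logged."""
    open_conns = {}   # connection id -> (client ip, client port)
    closed = {}       # (client ip, client port) -> how that connection ended
    findings = []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            open_conns[m.group(1)] = (m.group(2), m.group(3))
        elif m := TEARDOWN.search(line):
            peer = open_conns.pop(m.group(1), None)
            if peer:
                closed[peer] = {"bytes": int(m.group(2)), "reason": m.group(3).strip()}
        elif m := DENY.search(line):
            peer = (m.group(1), m.group(2))
            # after_teardown is None when the matching teardown is outside the capture
            findings.append({"peer": peer, "flags": m.group(3),
                             "after_teardown": closed.get(peer)})
    return findings, open_conns

if __name__ == "__main__":
    denies, still_open = correlate(LOG)
    for d in denies:
        print(d["peer"], d["flags"], "->", d["after_teardown"] or "teardown not in capture")
    print("still open at end of capture:", still_open)
```

In this capture every deny whose connection is visible follows a zero-byte teardown of that same source port, so the denied RST packets are arriving after the ASA has already removed the connection entry.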

Comments

  • vishaw1986 Member Posts: 40
    The TCP connection is denied on the outside interface. Check your policy for the traffic coming from outside to inside.

    Paste your object group configuration.
  • al3kt.R*** Member Posts: 118
    Try "sysopt connection timewait" in ASA config :)

    reference: networking-forum.com - View topic - Deny tcp (no connection)
  • f0rgiv3n Member Posts: 598
    vishaw1986 wrote: »
    The TCP connection is denied on the outside interface. Check your policy for the traffic coming from outside to inside.

    Paste your object group configuration

    That's weird, I've never come across that but I've seen that error many-a-times... it could have been NAT not configured correctly or ACLs, or even the firewall's "inspect protocol".

    Al3kt.R... do you know of any examples of what application/protocol would need the "two-way ack" to end the conversation?