ASA5550 TCP Reset Error
ITtech2010 Member Posts: 92
in CCNP
All,
I am trying to troubleshoot an issue with one of our subscribers accessing our replay server in our core network. I can't figure out why they are not able to route back.
Anyone have an idea of what's going on?
Sep 10 2012 11:22:35: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52386 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:35: %ASA-6-302013: Built inbound TCP connection 631177438 for outside39:12.182.174.2/52387 (12.182.174.2/52387) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:35: %ASA-6-302014: Teardown TCP connection 631177438 for outside39:12.182.174.2/52387 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:36: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52387 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:36: %ASA-6-302013: Built inbound TCP connection 631177457 for outside39:12.182.174.2/52388 (12.182.174.2/52388) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:36: %ASA-6-302014: Teardown TCP connection 631177457 for outside39:12.182.174.2/52388 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:37: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52388 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:37: %ASA-6-302013: Built inbound TCP connection 631177489 for outside39:12.182.174.2/52390 (12.182.174.2/52390) to inside:10.53.9.96/41002 (173.252.142.118/41002)
******# sh run | in Client
object-group network Client
access-list outside_in39 extended permit tcp object-group Client object-group dds_ips object-group dds_ports
access-list outside_in39 extended permit tcp object-group Client object-group bfd_ips object-group bfd_ports
*********# sh run | in 12.182
network-object 12.182.174.0 255.255.255.0
route outside39 12.182.174.0 255.255.255.0 192.168.19.13 1
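To make the correlation the quoted log lines invite, here is an added example (my code, not from the thread or from Cisco): a small Python script that parses the three ASA message types in the post (302013 Built, 302014 Teardown, 106015 Deny TCP no connection), keys each flow on its connection ID and mapped 5-tuple, and ties every later out-of-state RST back to the flow it belonged to. The sample lines are a constructed copy of the ones above; the regexes are written for exactly those formats, and the short descriptions of the teardown reasons follow Cisco's documented meanings for the 302014 reason field.

```python
"""Correlate the three Cisco ASA message types quoted in the post:
302013 (Built), 302014 (Teardown) and 106015 (Deny TCP, no connection)."""
import re

# Constructed sample: a copy of the lines quoted in the post, not a live feed.
SAMPLE_LOG = """\
Sep 10 2012 11:22:35: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52386 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:35: %ASA-6-302013: Built inbound TCP connection 631177438 for outside39:12.182.174.2/52387 (12.182.174.2/52387) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:35: %ASA-6-302014: Teardown TCP connection 631177438 for outside39:12.182.174.2/52387 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:36: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52387 to 173.252.142.118/41002 flags RST on interface outside39
Sep 10 2012 11:22:36: %ASA-6-302013: Built inbound TCP connection 631177457 for outside39:12.182.174.2/52388 (12.182.174.2/52388) to inside:10.53.9.96/41002 (173.252.142.118/41002)
Sep 10 2012 11:22:36: %ASA-6-302014: Teardown TCP connection 631177457 for outside39:12.182.174.2/52388 to inside:10.53.9.96/41002 duration 0:00:00 bytes 0 TCP Reset-O
Sep 10 2012 11:22:37: %ASA-6-106015: Deny TCP (no connection) from 12.182.174.2/52388 to 173.252.142.118/41002 flags RST on interface outside39
"""

# 302013: real address/port first, mapped (translated) address/port in parentheses.
BUILT = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<in_ifc>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<msrc>[\d.]+)/(?P<msport>\d+)\) "
    r"to (?P<out_ifc>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)")
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for \S+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<ifc>\S+)")

# Short glosses for common 302014 teardown reasons, per Cisco's documentation of that message.
REASON_HINT = {
    "TCP Reset-O": "reset came from the outside host",
    "TCP Reset-I": "reset came from the inside host",
    "TCP FINs": "normal FIN close",
    "SYN Timeout": "no SYN/ACK from the server",
}


def correlate(log_text):
    """Return (flows, denies). flows maps connection id -> details; each deny
    carries 'matches_conn', the id of the torn-down flow it belongs to, or None."""
    flows, by_tuple, denies = {}, {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            f = m.groupdict()
            f.update(teardown=None, bytes=None, duration=None, later_rst_denied=0)
            flows[f["id"]] = f
            # 106015 reports the untranslated (mapped) destination, so key on that.
            by_tuple[(f["src"], f["sport"], f["mdst"], f["mdport"])] = f["id"]
            continue
        m = TEARDOWN.search(line)
        if m:
            t = m.groupdict()
            f = flows.setdefault(t["id"], {"id": t["id"], "later_rst_denied": 0})
            f.update(teardown=t["reason"], bytes=int(t["bytes"]), duration=t["dur"])
            continue
        m = DENY.search(line)
        if m:
            d = m.groupdict()
            cid = by_tuple.get((d["src"], d["sport"], d["dst"], d["dport"]))
            d["matches_conn"] = cid
            if cid is not None and d["flags"] == "RST":
                flows[cid]["later_rst_denied"] += 1
            denies.append(d)
    return flows, denies


def summarize(log_text):
    """Flag flows the ASA built and then tore down on a reset with no payload,
    and count follow-on RSTs the ASA dropped because the flow was already gone."""
    flows, denies = correlate(log_text)
    findings = []
    for f in flows.values():
        reason = f.get("teardown") or ""
        if reason.startswith("TCP Reset") and f.get("bytes") == 0:
            findings.append(
                f"conn {f['id']} {f.get('src')}:{f.get('sport')} -> {f.get('dst')}:{f.get('dport')} "
                f"(mapped {f.get('mdst')}:{f.get('mdport')}): built, then torn down after "
                f"{f['duration']} with 0 bytes by {reason} ({REASON_HINT.get(reason, 'see 302014 reasons')}); "
                f"{f['later_rst_denied']} later RST(s) from the same source port dropped as 106015")
    orphans = [d for d in denies if d["matches_conn"] is None]
    return {"flows": len(flows), "zero_byte_resets": len(findings),
            "orphan_denies": len(orphans), "findings": findings}


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the excerpt, it reports both inbound connections to 10.53.9.96/41002 as built, torn down within the same second with 0 bytes by TCP Reset-O, and each followed by one more RST from the same source port that the ASA dropped as 106015 because the connection no longer existed. The first 106015 (port 52386) has no Built line in the excerpt, so it is counted as an orphan. A 302013 Built line means the ASA accepted the SYN and created the connection, which narrows the question to why the flow is being reset immediately rather than whether the SYN is reaching the inside.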
Comments
vishaw1986 Member Posts: 40
The TCP connection is denied on the outside interface. Check your policy for the traffic coming from outside to inside.
Paste your object group configuration.
al3kt.R*** Member Posts: 118
Try "sysopt connection timewait" in the ASA config.
Reference: networking-forum.com - View topic - Deny tcp (no connection)

"Tigranes: Good heavens! Mardonius, what kind of men have you brought us to fight against? Men who do not compete for possessions, but for honour." --- Herodotus, The Histories
"Nipson anomemata me monan opsin" --- Gregory of Nazianzus
"Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days." --- Bruce Schneier Facts
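As an added example (not from the thread), the setting suggested above next to the ASA CLI checks one would use to confirm what the firewall does with this flow, using the interface, addresses and ports from the post. The capture name "dds" is my own choice; the comments on what each command does follow Cisco's documentation for it.

```cisco
! Setting suggested above: keep each TCP connection in a shortened
! TIME_WAIT of at least 15 seconds after its normal close-down sequence,
! so late packets for that 5-tuple still match a connection.
sysopt connection timewait

! Walk the subscriber's SYN through ACL, NAT and route lookup on outside39;
! the output names the phase that drops it, if any.
packet-tracer input outside39 tcp 12.182.174.2 52387 173.252.142.118 41002 detailed

! Connection table and translations for this client while it retries.
show conn address 12.182.174.2
show xlate
show nat

! Capture both directions on the outside interface to see which side sends the RST.
capture dds interface outside39 match tcp host 12.182.174.2 host 173.252.142.118 eq 41002
show capture dds
no capture dds
```

If packet-tracer reports ALLOW for the SYN, the ACL, NAT and route are not what is denying the initial packet; the capture then shows whether the RST that tears the connection down comes from the outside host or from inside.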
f0rgiv3n Member Posts: 598
vishaw1986 wrote: »The TCP connection is denied on the outside interface. Check your policy for the traffic coming from outside to inside. Paste your object group configuration.
That's weird. I've never come across that, but I've seen that error many a time... it could have been NAT not configured correctly, or ACLs, or even the firewall's "inspect protocol".
Al3kt.R... do you know of any examples of what application/protocol would need the "two-way ack" to end the conversation?