Thursday, January 12, 2012

Inbound TCP Connection denied flags SYN on interface

A few times I have noticed that some networks behind the ASA could talk to each other while others were denied. When that happens I find messages like the one below in the syslog (or in the ASDM log viewer).

%ASA-2-106001: Inbound TCP connection denied from X.X.X.X to Y.Y.Y.Y flags SYN on interface interface_name

The interface named at the end of the message is the one the packet arrived on, and on a real box each address is followed by a /port. Flags SYN means the ASA dropped the very first packet of the connection, so no connection was ever built.



It turns out that most of the time the interface was created with an incorrect security level. Security levels let the ASA apply implicit rules so you do not have to maintain an access list for every pair of interfaces: traffic from a higher security level to a lower one is permitted implicitly, while traffic from a lower level to a higher one is denied unless an access list on the ingress interface permits it. For example, a network on an interface with security level 50 can reach a network on an interface with level 40 without any issues, but hosts on the level-40 interface cannot initiate connections back to the level-50 network without an explicit permit (return traffic for connections the level-50 side opened is allowed by stateful inspection). By default the interface named inside gets level 100 and every other interface gets level 0, which is why a freshly added interface often ends up at 0 until you set it.






But most of the time when I run into this it is same-security-level blocking: by default the ASA drops traffic between two interfaces that have the same security level, because neither side is "more secure" and no implicit rule applies. The fix is either to change the security level of one of the affected interfaces or to permit same-security traffic. To permit it, use the command below, or in ASDM check Enable traffic between two or more interfaces which are configured with the same security levels. Two caveats: once same-security traffic is permitted, every pair of same-level interfaces passes traffic without an access list unless you apply one, so add an ACL if only specific flows should be allowed; and changing a security level changes the implicit rules for every other interface pair that interface is part of, so check what else that interface talks to before you raise or lower it. Traffic that enters and leaves the same interface (hairpinning) is a separate case and needs the intra-interface form of the same command.




same-security-traffic permit inter-interface
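Before touching security levels it helps to know which of the three cases each denial falls into. The script below is an added example, not part of the original post: it parses %ASA-2-106001 lines, looks up the ingress interface's security level and the destination's egress interface, and names the cause (same security level, lower-to-higher without an ACL, higher-to-lower, or hairpin on one interface) with the matching fix. The interface names, security levels, routing table and log lines are all constructed for the example; on a real ASA you would fill SECURITY_LEVELS from show nameif and ROUTES from show route.

```python
"""Triage %ASA-2-106001 denials by comparing interface security levels."""
import ipaddress
import re
from collections import Counter

# Constructed example data (not from the original post): security levels as you
# would read them from 'show nameif' on the ASA.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "partner": 50, "outside": 0}

# Constructed routing table: the interface each destination network is reached
# through. On a real box this comes from 'show route'.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "inside"),
    (ipaddress.ip_network("172.16.1.0/24"), "dmz"),
    (ipaddress.ip_network("172.16.2.0/24"), "partner"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Matches the 106001 body with or without the /port suffixes; the real message
# has two spaces before "on interface", so whitespace is matched loosely.
LOG_RE = re.compile(
    r"%ASA-\d-106001:\s*Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))? to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"\s+flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)"
)

REMEDIATION = {
    "same-security": "same-security-traffic permit inter-interface "
                     "(or change security-level on one of the two interfaces)",
    "intra-interface": "same-security-traffic permit intra-interface",
    "lower-to-higher": "explicit access-list permit applied with access-group "
                       "on the ingress interface",
    "higher-to-lower": "implicitly allowed by security level; check the ingress "
                       "ACL, NAT and routing instead",
}


def egress_interface(dst):
    """Longest-prefix match of dst against ROUTES; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(ingress, egress):
    """Name the security-level relationship the ASA applies to this flow."""
    if ingress == egress:
        return "intra-interface"
    lvl_in, lvl_out = SECURITY_LEVELS[ingress], SECURITY_LEVELS[egress]
    if lvl_in == lvl_out:
        return "same-security"
    return "lower-to-higher" if lvl_in < lvl_out else "higher-to-lower"


def triage(lines):
    """Parse 106001 lines; return one dict per denial with its cause and fix."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a 106001 message, ignore
        ingress = m.group("iface")
        egress = egress_interface(m.group("dst"))
        if ingress not in SECURITY_LEVELS or egress not in SECURITY_LEVELS:
            cause, fix = "unknown-interface", "interface missing from the maps"
        else:
            cause = classify(ingress, egress)
            fix = REMEDIATION[cause]
        results.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "dport": m.group("dport"), "ingress": ingress,
            "egress": egress, "cause": cause, "fix": fix,
        })
    return results


def summarize(results):
    """Count denials per (ingress, egress, cause) to spot a systematic block."""
    return Counter((r["ingress"], r["egress"], r["cause"]) for r in results)


# Constructed sample log lines (not real captures); the last 106001 line uses the
# port-less form quoted in the post.
SAMPLE_LOG = [
    "Jan 12 2012 09:14:01 asa01 : %ASA-2-106001: Inbound TCP connection denied "
    "from 172.16.1.20/51234 to 172.16.2.10/445 flags SYN  on interface dmz",
    "Jan 12 2012 09:14:03 asa01 : %ASA-2-106001: Inbound TCP connection denied "
    "from 203.0.113.7/40000 to 10.10.5.5/22 flags SYN  on interface outside",
    "Jan 12 2012 09:14:05 asa01 : %ASA-6-302013: Built inbound TCP connection "
    "1234 for outside:203.0.113.7/40001 (203.0.113.7/40001) to dmz:172.16.1.20/443",
    "Jan 12 2012 09:14:07 asa01 : %ASA-2-106001: Inbound TCP connection denied "
    "from 10.10.1.9/55000 to 172.16.1.20/80 flags SYN  on interface inside",
    "Jan 12 2012 09:14:09 asa01 : %ASA-2-106001: Inbound TCP connection denied "
    "from 172.16.1.20 to 172.16.1.30 flags SYN on interface dmz",
]

if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f"{r['ingress']}->{r['egress']} {r['src']}->{r['dst']}:{r['dport']} "
              f"[{r['cause']}] fix: {r['fix']}")
    print(summarize(rows))
```

A cluster of same-security entries for one interface pair is the signature of the problem this post is about; a cluster of lower-to-higher entries means an access list is missing rather than a level mismatch, and higher-to-lower entries point at something other than security levels (an explicit deny in the ingress ACL, NAT, or a route that does not send the destination where you think).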





1 comment:

Anonymous said...

Thanks, did the trick!!