Deny TCP (no connection)

Hi Guys

If you ever see the error message Deny TCP (No connection), it's the ASA's way of saying that a flow attempting to go through it, doesn't seem to be following the correct TCP session flow (SYN, SYN ACK etc.)

This is 99 percent caused by aysmetric routing, consider this example (Note: this is a terrible topology and deliberately so, that's what causes the problem, bad topology and bad design)



Ok lets just quickly go over things, Server1 has an ip address 10.0.0.10, FW is 10.0.0.254 and the router in this subnet is 10.0.0.1.

Server1 needs to talk to 10.1.1.2 which is a device hanging off the router, we can see it in our diagram.

If the server is incorrectly configured to point to the firewall as its default gateway in this instance, something bad will happen:

The server will send a frame to its default gateway 10.0.0.254, the firewall will see this packet and forward it to the router, the router will then receive the packet and forward it to 10.1.1.2, so far so good right?

10.1.1.2 will then reply via the router, the router is directly connected to 10.0.0.0/24, so it sends the reply packet straight to server1.


Server1 then sends the next packet in the TCP session.. the packet arrives at the firewall, the firewall says "Wait a minute!!! I never saw the reply packet come back! This is an invalid TCP session!"

You will then see the message

"Deny TCP (No Connection)"


Hopefully that clears up this error in your ASA and what (normally) causes it, having two exit points on a network that a server exists on is often a bad design, note that things like ICMP redirect and some other tricks could be used to mitigate this, but ultimately if you have your server on a subnet with multiple exits out of that subnet (and not in some sort of redundancy configuration i.e. two routers with HSRP), you should ask yourself if there is a better way.

5 comments:

  1. I know this article is over a year old, but I'm hoping you are still monitoring comments. Thanks for the article. The problem and the setup matched mine exactly. I understand why it is happening now, but I'm not sure how to fix it. You said that having multiple exit points is bad, but I can't see any other way to accomplish my goal. One of my routers connects us to the outside web, and the other router connects us to the building next door. That building is on a separate LAN and a separate subnet, but there is a physical connection between the two buildings. What would be the best topology for this situation?

    ReplyDelete
  2. In my case this was a problem of being able to get to the intended device but an interface on that device not having a route back to me. I added a static route to that interface enabling return traffic to flow properly and thus solving the issue

    ReplyDelete
  3. Thanks for the article, great knowledge

    ReplyDelete

Popular old posts.