Tuesday, June 24, 2014

Deny TCP (no connection)

Hi Guys

If you ever see the error message Deny TCP (No connection), it's the ASA's way of saying that a flow attempting to go through it doesn't seem to be following the correct TCP session flow (SYN, SYN-ACK, etc.).

This is 99 percent of the time caused by asymmetric routing. Consider this example (note: this is a terrible topology, and deliberately so; bad topology and bad design are exactly what cause the problem):



OK, let's just quickly go over things: Server1 has the IP address 10.0.0.10, the FW is 10.0.0.254, and the router in this subnet is 10.0.0.1.

Server1 needs to talk to 10.1.1.2, which is a device hanging off the router; we can see it in our diagram.

If the server is incorrectly configured to point to the firewall as its default gateway in this instance, something bad will happen:

The server will send a frame to its default gateway, 10.0.0.254. The firewall will see this packet and forward it to the router, which will in turn forward it to 10.1.1.2. So far so good, right?

10.1.1.2 will then reply via the router. The router is directly connected to 10.0.0.0/24, so it sends the reply packet straight to Server1, and the firewall never sees it.


Server1 then sends the next packet in the TCP session. The packet arrives at the firewall, and the firewall says "Wait a minute!!! I never saw the reply packet come back! This is an invalid TCP session!"

You will then see the message

"Deny TCP (No Connection)"
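To make the sequence above concrete, here is a small added model (my own constructed example, not Cisco code or anything from the ASA itself) of a stateful tracker that only considers a flow established once it has seen both the SYN and the SYN-ACK, run across this post's topology. The packet class, the `run_session` helper and the exact log wording beyond "Deny TCP (no connection)" are assumptions of the model; the real ASA also times out the half-open entry, which this toy skips.

```python
"""Toy model of the failure described above (constructed example, not Cisco code).
A minimal stateful tracker stands in for the ASA; only the 'Deny TCP (no connection)'
wording is taken from the post."""
from dataclasses import dataclass, field

SERVER, FW, ROUTER, REMOTE = "10.0.0.10", "10.0.0.254", "10.0.0.1", "10.1.1.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Simplified TCP state tracking: a flow counts as established only once
    the firewall has seen the SYN *and* the matching SYN-ACK pass through it."""
    embryonic: set = field(default_factory=set)
    established: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, pkt):
        flow, reverse = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.embryonic.add(flow)  # half-open, waiting for the reply
            return "permit"
        if pkt.flags == "SYN-ACK" and reverse in self.embryonic:
            self.embryonic.discard(reverse)
            self.established.update({flow, reverse})
            return "permit"
        if flow in self.established:
            return "permit"
        # Mid-stream packet with no completed connection: the ASA's complaint.
        self.log.append(f"Deny TCP (no connection) from {pkt.src} to {pkt.dst} flags {pkt.flags}")
        return "deny"


def run_session(server_gateway, reply_transits_fw=False):
    """Push SYN / SYN-ACK / ACK across the topology; return the firewall's verdict
    per packet and its log. Server1's packets transit the firewall only if the
    server points at it as default gateway. In the post's topology the reply from
    10.1.1.2 returns router -> Server1 directly; reply_transits_fw=True models a
    single-exit subnet where the firewall sees both directions."""
    fw, verdicts = StatefulFirewall(), []
    for pkt in (Packet(SERVER, REMOTE, "SYN"),
                Packet(REMOTE, SERVER, "SYN-ACK"),
                Packet(SERVER, REMOTE, "ACK")):
        via_fw = reply_transits_fw if pkt.src == REMOTE else server_gateway == FW
        verdicts.append(fw.inspect(pkt) if via_fw else "bypassed firewall")
    return verdicts, fw.log
```

Run `run_session(FW)` to reproduce the post's scenario (the third packet is denied) and `run_session(FW, reply_transits_fw=True)` to see the same flow permitted when the firewall is the subnet's only exit.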


Hopefully that clears up this error on your ASA and what (normally) causes it. Having two exit points on a network that a server sits on is often a bad design. Note that things like ICMP redirects and some other tricks could be used to mitigate this, but ultimately, if your server is on a subnet with multiple exits (and not in some sort of redundancy configuration, e.g. two routers with HSRP), you should ask yourself if there is a better way.