Site-to-Site VPN Deny TCP SYN ACK on interface outside

frukeus used Ask the Experts™
I have created a Site-to-Site VPN for 2 ASA firewalls and is able to ping both internal subnets with no problem.
However, on 1 print server which is hosting a remote printer, I can unable to print. From the print server, i ran ping test and I can successfully ping
On the firewall log at, I get the following message which I believe is the problem-

Teardown TCP connection 12979303 for outside: to inside duration 0:00:00 bytes 0 TCP Reset-I
Deny TCP (no connection) from to flags SYN ACK on interface outside (Print Server)
|  (Router)
| (ASA)
VPN Tunnel
|| (ASA)
|   (printer)
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Try Pinging from the printer to the print server and let me know.
this issue is common in the asa, it can be caused by assymetric routing.  The asa is a stateful firewall - stateful inspection works is that when i.e. a TCP connection is established an entry of this connection is entered to a "state table" All segments flowing both ways on the connection after that are accepted based on this state table information instead of the firewall acl's

The other peer might not have the same information in its state table, and cannot see where the tcp connection originated from, so it blocks the tcp connection hence the error message Deny TCP (no connection) from to flags SYN ACK on interface outside

check your static routes for this network. As grape soda indicates, try pinging as he suggested if no reply on the pings, check default gateway on print server.
you could add static route in access data switches if they are managed, or try a static route on the print server  

Worst case scenario to solve routing problems on asa would be to use link state routing protocol such as ospf. works great on the asa to advertise all routes and will solve assynmetric routing issues. While I am not a great fan of having firewalls do routing, as it does add some cpu overhead, sometimes you need to bend the rules to fit your situation. Static routes are the best since they have the lowest metric and use no cpu overhead


I am unable to access the printer from my local subnet
I think feeling the printer is configured to a gateway that is and not directly to the

Could that be causing the SYN ACK deny?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

any problem with the routing can be causing this-  the printer gateway should be the local gateway on its subnet. The router on that network segment then needs information in its routing table to get to the subnet. So check the routing tables, add static routes when necessary.
Your statement regarding the gateway for the printer is the problem.  Change the gateway to match the gateway you use for the 172.10. subnet.


is there a way to disable the stateful inspection? well, at least for the 2 subnets in question.
you can only disable inspection on specific protocols and ports, ie. no fixup protocol ssh  22
stateful inpection in built into the asa code using an algorithm
I would enable ospf on the asa's for testing, adding all subnets. ospf will advertise all your routes and should solve your routing issues, if the static routes are not working (they should, though, you need to look at your network topology -routers and place static routes where needed)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial