be_root asked:
Cisco ASA 5520 error 106015

Hello dear experts. Please help me resolve my problem. My company decided to migrate all network devices to Cisco. I have no problems configuring routers and switches, but I have some problems with ASA firewalls.
Let me explain my network map to you. I have 3 HQ offices in one city: the DataCentre block, my CampusModel block, and my second office (it's for only 65 people). In addition I have 17 SOHO regions; they connect through IPsec over the internet (it works perfectly).

My devices in the core layer are a 3825 and one 2960 (soon I'll replace them with 3750s in a stack).
My firewall in the Campus is an ASA 5520.
And my firewall in the DataCentre is FreeBSD.
The internet also connects to the FreeBSD box through an ASA 5540.
Well, the question is: my Campus FW drops the TCP session after holding it for nearly 20 minutes, with error 106015, for example: Deny TCP (no connection) from 192.168.240.243/23 to 192.168.2.248/2014 flags FIN PSH ACK on interface 240
Because the ASA does not support IPIP or GRE tunneling, I set a default route to the core, and then direct IPsec to the DataCentre FW; I'm also using DHCP relay to my Windows server. Please help me solve it. Thank you!

My ASA config is:

ASA Version 8.3(1)
!
hostname GW-ALA-MO
enable password HGZ6CLO2y4qv2hrb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.63.14 255.255.255.252
!
interface GigabitEthernet0/1
 description trunk
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.100
 description Office_DMZ
 vlan 100
 nameif dmz
 security-level 20
 ip address 10.100.100.1 255.255.255.0
!
interface GigabitEthernet0/1.240
 description Admin_Vlan
 vlan 240
 nameif 240
 security-level 0
 ip address 192.168.240.1 255.255.255.0
!
interface GigabitEthernet0/1.241
 description Block_GenDir
 vlan 241
 nameif 241
 security-level 0
 ip address 192.168.241.1 255.255.255.0
!
interface GigabitEthernet0/1.242
 description Admin_Block
 vlan 242
 nameif 242
 security-level 0
 ip address 192.168.242.1 255.255.255.0
!
interface GigabitEthernet0/1.243
 description Fin_Block
 vlan 243
 nameif 243
 security-level 0
 ip address 192.168.243.1 255.255.255.0
!
interface GigabitEthernet0/1.244
 description Comm_Block
 vlan 244
 nameif 244
 security-level 0
 ip address 192.168.244.1 255.255.255.0
!
interface GigabitEthernet0/1.245
 description Block_IT
 vlan 245
 nameif 245
 security-level 0
 ip address 192.168.245.1 255.255.255.0
!
interface GigabitEthernet0/1.246
 description Block_TECH
 vlan 246
 nameif 246
 security-level 0
 ip address 192.168.246.1 255.255.255.0
!
interface GigabitEthernet0/1.247
 description Wireless_LAN
 vlan 247
 nameif 247
 security-level 0
 ip address 192.168.247.1 255.255.255.0
!
interface GigabitEthernet0/1.248
 description EDU_LAN
 vlan 248
 nameif 248
 security-level 0
 ip address 192.168.248.1 255.255.255.0
!
interface GigabitEthernet0/1.249
 description Guest_LAN
 vlan 249
 nameif 249
 security-level 0
 ip address 192.168.249.1 255.255.255.0
!
interface GigabitEthernet0/1.251
 description Guest2_LAN
 vlan 251
 nameif 251
 security-level 0
 ip address 192.168.251.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif mgmt
 security-level 99
 no ip address
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone Almaty 6
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network mo-subnet
 subnet 192.168.240.0 255.255.240.0
object-group network vpnip
 description dst vpn subnet
 network-object 10.200.200.0 255.255.248.0
 network-object 172.16.219.0 255.255.255.0
 network-object 172.16.241.0 255.255.255.0
 network-object 172.16.33.0 255.255.255.0
 network-object 172.16.35.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.224.0 255.255.240.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
access-list global extended permit icmp any any echo-reply
access-list global extended permit icmp any any unreachable
access-list global extended permit icmp any any echo
access-list global extended permit icmp any any time-exceeded
access-list global extended permit ip any any
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 192.168.3.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 192.168.4.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 10.200.200.0 255.255.248.0
access-list vpn extended permit ip 192.168.240.0 255.255.255.0 192.168.224.0 255.255.240.0
access-list vpn extended permit ip 192.168.245.0 255.255.255.0 192.168.224.0 255.255.240.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.33.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.35.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.241.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.219.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.0.0 255.255.255.0 inactive
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 173.16.0.0 255.255.255.0 inactive
pager lines 24
logging enable
logging timestamp
logging list auth level debugging class auth
logging buffer-size 8192
logging buffered errors
logging trap errors
logging history errors
logging asdm errors
logging device-id hostname
logging host 240 10.200.201.6
logging debug-trace
logging class auth trap debugging
logging class config trap debugging
flow-export destination 240 10.200.201.6 9996
flow-export template timeout-rate 1
mtu outside 1500
mtu dmz 1500
mtu 240 1500
mtu 241 1500
mtu 242 1500
mtu 243 1500
mtu 244 1500
mtu 245 1500
mtu 246 1500
mtu 247 1500
mtu 248 1500
mtu 249 1500
mtu 251 1500
mtu mgmt 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface 240
ip verify reverse-path interface 241
ip verify reverse-path interface 242
ip verify reverse-path interface 243
ip verify reverse-path interface 244
ip verify reverse-path interface 246
ip verify reverse-path interface 247
ip verify reverse-path interface 248
ip verify reverse-path interface 249
ip verify reverse-path interface 251
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any time-exceeded outside
icmp permit any echo-reply dmz
icmp permit any unreachable dmz
icmp permit any echo dmz
icmp permit any time-exceeded dmz
icmp permit any echo-reply 240
icmp permit any unreachable 240
icmp permit any echo 240
icmp permit any time-exceeded 240
icmp permit any echo-reply 241
icmp permit any unreachable 241
icmp permit any echo 241
icmp permit any time-exceeded 241
icmp permit any echo-reply 242
icmp permit any unreachable 242
icmp permit any echo 242
icmp permit any time-exceeded 242
icmp permit any echo-reply 243
icmp permit any unreachable 243
icmp permit any echo 243
icmp permit any time-exceeded 243
icmp permit any echo-reply 244
icmp permit any unreachable 244
icmp permit any echo 244
icmp permit any time-exceeded 244
icmp permit any echo-reply 245
icmp permit any unreachable 245
icmp permit any echo 245
icmp permit any time-exceeded 245
icmp permit any echo-reply 246
icmp permit any unreachable 246
icmp permit any echo 246
icmp permit any time-exceeded 246
icmp permit any echo-reply 247
icmp permit any unreachable 247
icmp permit any echo 247
icmp permit any time-exceeded 247
icmp permit any echo-reply 248
icmp permit any unreachable 248
icmp permit any echo 248
icmp permit any time-exceeded 248
icmp permit any echo-reply 249
icmp permit any unreachable 249
icmp permit any echo 249
icmp permit any time-exceeded 249
icmp permit any echo-reply mgmt
icmp permit any unreachable mgmt
icmp permit any echo mgmt
icmp permit any time-exceeded mgmt
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (any,outside) source static mo-subnet mo-subnet destination static vpnip vpnip
nat (245,outside) source static mo-subnet mo-subnet inactive
access-group global global
route outside 0.0.0.0 0.0.0.0 192.168.63.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.251 255.255.255.255 240
http 192.168.2.249 255.255.255.255 240
http 192.168.2.248 255.255.255.255 240
http 192.168.245.71 255.255.255.255 245
http 192.168.245.77 255.255.255.255 245
snmp-server host 240 10.200.201.3 community *****
snmp-server host 240 10.200.201.6 community *****
snmp-server location KZ,Almaty,Tolebi st.101,Main Office,8th floor,block "C"
snmp-server contact admin@mtelecom.kz
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set DES-SHA-HMAC esp-des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec transform-set DES-SHA-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set pfs group5
crypto map outside 10 set peer 192.168.60.14
crypto map outside 10 set transform-set 3DES-SHA-HMAC
crypto map outside 10 set security-association lifetime seconds 86400
crypto map outside 10 set security-association lifetime kilobytes 4608000
crypto map outside 10 set phase1-mode aggressive
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet 8.0.32.0 10.100.100.1 251
telnet timeout 5
ssh 192.168.2.251 255.255.255.255 outside
ssh 192.168.2.249 255.255.255.255 outside
ssh 192.168.2.248 255.255.255.255 outside
ssh 10.200.201.6 255.255.255.255 outside
ssh 192.168.2.251 255.255.255.255 240
ssh 192.168.2.249 255.255.255.255 240
ssh 192.168.2.248 255.255.255.255 240
ssh 10.200.201.6 255.255.255.255 240
ssh 192.168.245.71 255.255.255.255 245
ssh 192.168.245.77 255.255.255.255 245
ssh timeout 60
ssh version 2
console timeout 0
management-access 240
dhcprelay server 192.168.240.4 240
dhcprelay enable 241
dhcprelay enable 242
dhcprelay enable 243
dhcprelay enable 244
dhcprelay enable 245
dhcprelay enable 246
dhcprelay enable 247
dhcprelay enable 248
dhcprelay enable 249
dhcprelay enable 251
dhcprelay setroute 241
dhcprelay setroute 242
dhcprelay setroute 243
dhcprelay setroute 244
dhcprelay setroute 245
dhcprelay setroute 246
dhcprelay setroute 247
dhcprelay setroute 248
dhcprelay setroute 249
dhcprelay setroute 251
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.1 source 240
webvpn
username admin password 80XlMizGu/OFSeeF encrypted privilege 15
username anton password VjRLkMAgG3K/7POJ encrypted
username filipp password Uko.HF3AEtKcyptL encrypted
tunnel-group 192.168.60.14 type ipsec-l2l
tunnel-group 192.168.60.14 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
 class class-default
  flow-export event-type all destination 10.200.201.6
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d7439dc7ba18791a89fefa639d4a3f27
: end


DIPRAJ replied:

From Cisco support:

Error Message    %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name.

Explanation    The security appliance discarded a TCP packet that has no associated connection in the security appliance's connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Recommended Action    None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.



http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logsev.html
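As an added example (not part of the original thread and not Cisco's code), the script below pulls %ASA-6-106015 messages out of an ASA syslog feed, groups them per flow and labels each drop by the TCP flags it carried, so that a late FIN arriving after the connection entry was already gone can be told apart from mid-stream ACK/PSH packets that never matched a connection. The log lines embedded in it are constructed from the message format quoted above (the only real-looking line is the asker's own example); the labels "late-fin", "late-reset", "mid-stream" and "syn-seen" are the author's heuristics, not Cisco terminology. When reading the output against the posted config, the `timeout conn` and `half-closed` values are the first things to compare with the observed 20-minute gap.

```python
"""Parse Cisco ASA %ASA-6-106015 "Deny TCP (no connection)" syslog lines and
summarise them per interface and per flow.  Added example; the sample log
below is constructed for illustration, not captured from the asker's ASA."""
import re
from collections import Counter, defaultdict

# Message body format as documented by Cisco:
#   Deny TCP (no connection) from IP/port to IP/port flags tcp_flags on interface name
# Timestamp, device-id and the %PIX|%ASA prefix vary between setups, so we
# anchor only on the message id and body.  The ASA emits two spaces before
# "on interface"; \s+ tolerates either one or two.
MSG_106015 = re.compile(
    r"%(?:PIX|ASA)-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Constructed sample input.  The first line is the asker's example; the rest
# are made up to exercise both directions of a flow and a different interface.
SAMPLE_LOG = """\
Feb 21 10:14:02 GW-ALA-MO %ASA-6-106015: Deny TCP (no connection) from 192.168.240.243/23 to 192.168.2.248/2014 flags FIN PSH ACK  on interface 240
Feb 21 10:14:02 GW-ALA-MO %ASA-6-106015: Deny TCP (no connection) from 192.168.240.243/23 to 192.168.2.248/2014 flags ACK  on interface 240
Feb 21 10:14:03 GW-ALA-MO %ASA-6-106015: Deny TCP (no connection) from 192.168.2.248/2014 to 192.168.240.243/23 flags ACK  on interface outside
Feb 21 10:15:10 GW-ALA-MO %ASA-6-106015: Deny TCP (no connection) from 10.100.100.7/51000 to 192.168.240.4/445 flags PSH ACK  on interface dmz
Feb 21 10:15:11 GW-ALA-MO %ASA-6-302013: Built inbound TCP connection 1234 for dmz:10.100.100.7/51001 (10.100.100.7/51001) to 240:192.168.240.4/445 (192.168.240.4/445)
"""


def parse_106015(text):
    """Return one dict per 106015 line; every other message id is skipped."""
    events = []
    for line in text.splitlines():
        m = MSG_106015.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["flags"] = frozenset(ev["flags"].split())  # e.g. {"FIN","PSH","ACK"}
        events.append(ev)
    return events


def classify(ev):
    """Heuristic label (author's own) for why no connection entry matched."""
    f = ev["flags"]
    if "SYN" in f:
        return "syn-seen"     # a SYN should build a conn; 106015 on SYN is unusual
    if "RST" in f:
        return "late-reset"   # RST for a connection already removed; harmless
    if "FIN" in f:
        return "late-fin"     # FIN after the entry timed out or the peer closed
    return "mid-stream"       # ACK/PSH data with no entry: idle timeout or asymmetric path


def summarise(events):
    """Counter keyed by (interface, label)."""
    counts = Counter()
    for ev in events:
        counts[(ev["iface"], classify(ev))] += 1
    return counts


def flows(events):
    """Group events by direction-independent (ip, port) pair so that both
    halves of one TCP flow are reported together."""
    by_flow = defaultdict(list)
    for ev in events:
        a = (ev["src"], ev["sport"])
        b = (ev["dst"], ev["dport"])
        by_flow[tuple(sorted([a, b]))].append(ev)
    return by_flow


if __name__ == "__main__":
    evs = parse_106015(SAMPLE_LOG)
    for (iface, label), n in sorted(summarise(evs).items()):
        print(f"interface {iface:8s} {label:12s} {n}")
    for key, group in flows(evs).items():
        ifaces = sorted({e["iface"] for e in group})
        print(f"flow {key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]} "
              f"seen on {ifaces}, {len(group)} drops")
```

Feed it the output of `show logging` or the syslog file from the collector named in the config (`logging host 240 10.200.201.6`) with `logging trap` raised to informational, since 106015 is severity 6 and the posted config only traps errors. A flow whose drops show up on two different interfaces, as in the constructed sample, is the pattern to look for when a default route to the core and a direct IPsec path coexist.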
be_root (asker):

diprajbasu, thanks for your answer; I can see it in my ASDM logging. Maybe you can explain this problem in more detail. Thank you!
be_root (asker):

And more interesting: I can't ping another default GW from any subnet.
ASKER CERTIFIED SOLUTION
be_root

This solution is only available to members of Experts Exchange.

This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.