Problem:

After setting up a site-to-site VPN tunnel on a Cisco ASA firewall, traffic was being dropped with the message “Inbound TCP connection denied from x.x.x.x to x.x.x flags SYN on interface Outside”

Inbound TCP connect denied from x.x.x.x to x.x.x flags SYN on interface Outside

The traffic arriving over this VPN was being routed to a destination at the far end of another VPN tunnel, so it entered and left the ASA on the same Outside interface (a hairpin).

Solution:

I already had “same-security-traffic permit intra-interface” set, but in addition I also needed “same-security-traffic permit inter-interface” to be set.

Warning: Always do your homework on commands before implementing them! https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html#wp1392814

Command Line

  same-security-traffic permit intra-interface
  same-security-traffic permit inter-interface

ASDM

  • Device Setup => Interface Settings => Interfaces
  • Tick
    • “Enable traffic between two or more interfaces which are configured with same security levels”
    • “Enable traffic between two or more hosts connected to the same interface”
  • Apply
  • Save
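As an added example (not part of the original post, and not Cisco's or ASDM's code), the Python script below does the two checks a defender would want before and after applying the fix: it parses a running-config for the two same-security-traffic permits the post names and reports which are absent, and it counts denied inbound SYNs per interface from log lines in the format quoted above. The config fragment, addresses, interface names and log lines are constructed for the example; the parser accepts both the “connect” and “connection” spellings that appear on this page.

```python
"""Check an ASA running-config for the same-security-traffic permits that
hairpinned VPN traffic needs, and correlate with denied-SYN log lines.
Added example; not code from the original post or from Cisco."""
import re

# Constructed sample of the relevant part of an ASA running-config.  The
# addresses and interface names are made up; the starting state mirrors the
# post: intra-interface is permitted, inter-interface is not.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
same-security-traffic permit intra-interface
"""

# Constructed log lines in the format quoted in the post.
SAMPLE_LOGS = [
    "Inbound TCP connection denied from 10.1.1.5/51234 to 10.2.2.8/443 flags SYN on interface Outside",
    "Inbound TCP connect denied from 10.1.1.6/51235 to 10.2.2.8/443 flags SYN on interface Outside",
    "Inbound TCP connection denied from 192.0.2.7/40000 to 10.0.0.9/22 flags SYN on interface Inside",
]

PERMIT_RE = re.compile(
    r"^same-security-traffic permit (intra-interface|inter-interface)\s*$", re.M
)
REQUIRED_PERMITS = ("intra-interface", "inter-interface")


def missing_same_security_permits(config: str) -> list:
    """Return the 'same-security-traffic permit ...' lines that are absent.

    intra-interface lets traffic leave through the interface it arrived on
    (the VPN hairpin in the post); inter-interface lets traffic pass between
    two interfaces that share a security level.  The post needed both.
    """
    present = set(PERMIT_RE.findall(config))
    return [f"same-security-traffic permit {p}" for p in REQUIRED_PERMITS if p not in present]


# Accepts both "connect" and "connection", since the post shows both spellings.
DENIED_RE = re.compile(
    r"Inbound TCP connect(?:ion)? denied from (?P<src>\S+) to (?P<dst>\S+) "
    r"flags SYN on interface (?P<ifc>\S+)"
)


def denied_syns_by_interface(log_lines) -> dict:
    """Count denied inbound SYNs per ingress interface.  A pile-up on the
    interface the VPN tunnels terminate on (Outside here) is the symptom the
    post describes."""
    counts = {}
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m["ifc"]] = counts.get(m["ifc"], 0) + 1
    return counts


def diagnose(config: str, log_lines) -> dict:
    """Combine the two checks: only when SYNs are being denied AND a permit is
    missing does the result carry the commands to add (the ones the post used)."""
    denied = denied_syns_by_interface(log_lines)
    missing = missing_same_security_permits(config)
    return {
        "denied_per_interface": denied,
        "missing_permits": missing,
        "remediation": missing if denied and missing else [],
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CONFIG, SAMPLE_LOGS)
    for ifc, n in result["denied_per_interface"].items():
        print(f"{n} denied SYN(s) on interface {ifc}")
    for cmd in result["remediation"]:
        print("add:", cmd)
```

Run it against `show running-config` output and a slice of the syslog to see whether you are in the state the post started from. Treat the result as a pointer rather than a verdict: the ASA logs the same denied-SYN message when an access list blocks the connection, so a missing same-security-traffic permit is one possible cause of the denials, not the only one, and the same-security permits should only be added where hairpinned or same-level traffic is genuinely intended.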


Author: Phil Eddies

I am an IT Operations Manager, managing all aspects of the IT infrastructure and service for a mid-sized UK-based company. I have been working full time in IT since 2001 in 1st to 3rd line and System Administration roles. MCSA, MCSE, CCNA, Citrix CCA