I was setting up a site to site VPN over MPLS link and ran into this error message: Inbound TCP connection denied from … to … flags SYN on interface…
This error would generate when traffic was entering Hub ASA and was suppose to traverse VPN tunnel and reach the client on the Spoke side. The following were confirmed and cleared:
- VPN tunnel on Outside interface was working correctly ruling out hardware or code
- No ACL restrictions on Internal interface
- Routing and NAT was setup correctly
- Tunnel established and passing bi-directional traffic for source and destination
- Packet tracer from Hub was indicating that packet was dropped due to an ACL configured
- Connectivity from the spoke was successful!
The last finding got me very puzzled. Clearly, this was not VPN related but something at the Hub was preventing traffic from hitting the tunnel. I knew something easy and simple was braking it and browsing through this Cisco supportforum gave me a hint – Security Level. My MPLS facing interface, where VPN tunnel terminated, was setup with security level 100. As soon as I’ve changed it to 90 traffic from the Hub started flowing. Lesson learned.