Return Traffic Might Not Be Coming Back to the Router
If the show ip inspect session command output shows that the session is being created but is staying half-open, other devices along the path may be blocking the return traffic. There may also be a problem with the route on the destination device. If NAT is not working properly on the router, the destination device may not be able to respond to the wrongly translated IP address of the source. As shown in Example 5-18, debug ip packet detail ACL can be used, with the following line added to access-list 101, to find out whether the return traffic is coming back to the router.
access-list 101 permit tcp host 20.1.1.1 eq 23 host 10.1.1.1
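The following is an added example, not part of the original text: a small Python helper that picks the half-open (SIS_OPENING) sessions out of show ip inspect session output and builds the matching return-traffic entry for access-list 101. The sample output is constructed, its line layout is an assumption about the command's format, and the function names are hypothetical.

```python
import re

# Constructed sample of "show ip inspect session" output (assumed layout,
# not captured from a real router and not taken from the original page).
SAMPLE_OUTPUT = """\
Established Sessions
 Session 6215A3C8 (10.1.1.5:11012)=>(20.1.1.9:80) http SIS_OPEN
Half-open Sessions
 Session 6215A0F0 (10.1.1.1:11006)=>(20.1.1.1:23) tcp SIS_OPENING
"""

# One session line: id, (initiator ip:port)=>(responder ip:port), protocol, state.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)


def half_open_sessions(output):
    """Return the parsed sessions whose state is SIS_OPENING (half-open)."""
    return [m.groupdict() for m in SESSION_RE.finditer(output)
            if m.group("state") == "SIS_OPENING"]


def return_traffic_ace(session, acl=101):
    """Build the ACL entry that matches replies for one session.

    Assumes the session runs over TCP. The reply travels from the
    responder's service port back to the initiator, so source and
    destination are swapped relative to the session line.
    """
    return (f"access-list {acl} permit tcp host {session['dst']} "
            f"eq {session['dport']} host {session['src']}")


def debug_acl_lines(output, acl=101):
    """Return one return-traffic ACL entry per half-open session."""
    return [return_traffic_ace(s, acl) for s in half_open_sessions(output)]


if __name__ == "__main__":
    for line in debug_acl_lines(SAMPLE_OUTPUT):
        print(line)
```

If the debug shows no packets matching the generated entry, the replies are not reaching the router, which points to the path, routing, or NAT causes described above.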