Connection status

Hi,

Here I showed some different established connections. Moreover, I have given all the necessary access in my firewall, but there is no data flow; only single connections are establishing. These connections are happening after passing some different hops from outside to inside. Kindly let me know from which part I have to troubleshoot (firewall or router or application part).

TCP out 10.2.79.178:3833 in 10.2.40.35:8000 idle 0:01:35 Bytes 0 flags SaAB

TCP out 10.1.139.162:4373 in 10.2.40.35:8000 idle 0:01:42 Bytes 0 flags SaAB

I need to establish the connections with data flow; only then would it be a meaningful connection.

abinjola Thu, 02/14/2008 - 05:24

"B" indicates initial SYN from outside to inside, A (awaiting for SYN ACK)

This means your local server did not respond with a SYN ACK for this SYN request that was generated from outside.

Check the default gateway on your local server 10.2.40.35.
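As an added example (not from this thread), a small Python helper that parses `show conn` lines like the two quoted in the question, expands the flag letters, and applies the same reasoning as the reply above: an entry with "B" and 0 bytes that is still waiting for the inside SYN means the outside SYN reached the firewall but the inside host never answered. The flag meanings beyond "B" and "A" are taken from Cisco's documented `show conn` flag legend, and the third sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# PIX/ASA "show conn" flag letters (subset, per Cisco's flag legend; the thread
# itself explains only "B" and "A").
CONN_FLAGS = {
    "U": "up (handshake complete)",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "I": "inbound data",
    "O": "outbound data",
}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>[\d:]+)\s+Bytes\s+(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)$"
)

@dataclass
class Conn:
    proto: str; out_ip: str; out_port: int; in_ip: str; in_port: int
    idle: str; bytes: int; flags: str

def parse_conn(line: str) -> Conn:
    """Parse one 'show conn' line; raise ValueError on an unknown layout."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    g = m.groupdict()
    return Conn(g["proto"], g["out_ip"], int(g["out_port"]), g["in_ip"],
                int(g["in_port"]), g["idle"], int(g["bytes"]), g["flags"])

def describe_flags(flags: str) -> List[str]:
    return [CONN_FLAGS.get(c, f"unknown flag {c!r}") for c in flags]

def triage(conn: Conn) -> str:
    """Say which side is not answering, following the reply's reasoning."""
    if "U" in conn.flags:
        return "established"
    if "B" in conn.flags and "S" in conn.flags and conn.bytes == 0:
        # Outside SYN accepted, inside host never sent SYN/ACK: check its return route.
        return "embryonic-from-outside: no SYN/ACK from inside host, check its return route"
    if "s" in conn.flags and conn.bytes == 0:
        return "embryonic-from-inside: no SYN/ACK from outside host"
    return "partial handshake"

# Constructed sample: the two entries from the question plus one healthy entry.
SAMPLE = """TCP out 10.2.79.178:3833 in 10.2.40.35:8000 idle 0:01:35 Bytes 0 flags SaAB
TCP out 10.1.139.162:4373 in 10.2.40.35:8000 idle 0:01:42 Bytes 0 flags SaAB
TCP out 10.1.139.162:4374 in 10.2.40.35:8000 idle 0:00:03 Bytes 4120 flags UIO"""

def triage_all(text: str) -> List[str]:
    return [f"{c.in_ip}:{c.in_port} <- {c.out_ip}: {triage(c)}"
            for c in map(parse_conn, text.splitlines())]
```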

Thanks abinjola.

Gateway seems to be correct.

Outside(10.x)---R1--R2--F--CrSw---Server(10.2.40.35)

R-router

F-Firewall

CrSw-CoreSwitch

Server gateway given as a CrSw management ip.

If I tracert from outside to the server, it stops at R2. I think the firewall won't show the interface IPs. Once connections are established, there is no problem with the firewall end, right?

abinjola Thu, 02/14/2008 - 07:05

Well yes, you are correct. tracert doesn't show firewall interface IPs as hops. Check if you are blocking ICMP on R2 or the firewall outside interface; that's the reason tracert or ping is not going through.

Coming down to the original issue, it seems either the switch (CrSW) or the server is dropping and not replying to the SYN request.

Set up packet captures on the inside interface of the PIX, which would verify whether there is any return reply from the server:

access-l abc permit ip host <10.x.x.x> host 10.2.40.35

access-l abc permit ip host 10.2.40.35 host 10.x.x.x

capture cpi access-l abc packet-length 1518 interface inside

10.x.x.x --> is the outside source IP

sh capture cpi (after you initiate test)

Also take syslogs at debug level, which would show the SYN timeout.

Hi,

Thanks for your response. You are absolutely correct. The link which was terminated in the R2 router is the redundant link; the primary link is terminated in some other router, with one more firewall (F2) residing in the CrSW. So we already have a return route in the CrSw towards F2. So we cannot add one more route in the same device (CrSw) for the same destination. It will work only if we change the route manually when the link goes down, or if you have any other solution, kindly let me know. The big limitation here is we are unable to change the design; we have to achieve the route with the present design only. I think it will not be possible; possible only with a manual route change.

abinjola Fri, 02/15/2008 - 01:34

I am glad we were able to figure it out...

Now we need a route on the CrSW back to the FW, since the original source IP from outside is not NATed. But if you NAT the source IP to the firewall inside interface as well (called outside NAT), then the switch would receive the packet with the source translated to the firewall inside IP address, and therefore for the return reply the firewall would proxy and the packet would go through.

Add this:

nat (outside) 1 outside

global (inside) 1 interface

See if this works!
