Web Server Redirecting Traffic to Port 443 Not Working on 5505

Unanswered Question
Nov 20th, 2008

We have an Exchange server that is accessible on port 80 and 443 from the outside. When you go to the website using http, you should be redirected to https automatically. It works this was internally.

On the firewall (Cisco ASA 5505), I am allowing traffic from anywhere to the Exchange server on ports 80 and 443 .

The redirection is not working from the outside, however, it does work on the inside.

When I logged the ip address that I was coming from I get:

Teardown TCP connection 638459 for outside:x.y.z.1/9590 to inside:Servername/80 duration 0:00:30 bytes 0 SYN Timeout

This is preventing our users with cell phones to sycnh up properly to the Exchange server.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
torchris Sun, 11/23/2008 - 13:42

The SYN timeout keyword means that there was no response from the server for the SYN packet sent from the client.

Why don't you try with a packet sniffer on the server to verify if he is sending the SYN ACK packet.

Let me know if this helps.

MATTHEW BECK Tue, 11/25/2008 - 14:33


Does it work with laptops or other hosts and just not the cell phones?

Your teardown log entry indicates the client attempted to contact the server on port 80/http and the server never responded. I would expect to see something like:

setup conn outside to inside/80

teardown conn outside to inside/80 FIN

setup conn outside to inside/443

If things were working right.

Good luck,


Harald-Norvik Tue, 11/25/2008 - 19:39

1) Do you nat the interface IP to the exchange server or do you have a static entry with a different external IP?

If you use the interface IP, you cannot run ASDM on that interface. I recommend actually in this case to put asdm on completely different port for the ASA.

Command http server enable

2) I wouldn't recommend running any sniffer software on a server - however it may actually work out. Just use the capture command on the ASA and see what you get on the outside and the inside or dmz interface.

I have found it rather useful to have a capture with the same ACL for both interfaces that the traffic should pass. This way I would know if the packet passes the ASA or get blocked.

Command: Capture access-list Interface packet-len 1522

If you use the same line twice, but just replace the , you will get one capture file with traffic entering from each side of the ASA.

Then download the capture and analyse it (check out wireshark.org).


You can also run a sniffer on your PC and compare this to the capture on the


This Discussion