Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
522
Views
0
Helpful
3
Replies

Web Server Redirecting Traffic to Port 443 Not Working on 5505

ventivcisco
Level 1
Level 1

‎11-20-2008 11:31 AM - edited ‎03-11-2019 07:16 AM

We have an Exchange server that is accessible on port 80 and 443 from the outside. When you go to the website using http, you should be redirected to https automatically. It works this was internally.

On the firewall (Cisco ASA 5505), I am allowing traffic from anywhere to the Exchange server on ports 80 and 443 .

The redirection is not working from the outside, however, it does work on the inside.

When I logged the ip address that I was coming from I get:

Teardown TCP connection 638459 for outside:x.y.z.1/9590 to inside:Servername/80 duration 0:00:30 bytes 0 SYN Timeout

This is preventing our users with cell phones to sycnh up properly to the Exchange server.

Labels:
0 Helpful
3 Replies 3

torchris
Level 1
Level 1

‎11-23-2008 01:42 PM

The SYN timeout keyword means that there was no response from the server for the SYN packet sent from the client.

Why don't you try with a packet sniffer on the server to verify if he is sending the SYN ACK packet.

Let me know if this helps.

0 Helpful

MATTHEW BECK
Level 1
Level 1

‎11-25-2008 02:33 PM

Hi,

Does it work with laptops or other hosts and just not the cell phones?

Your teardown log entry indicates the client attempted to contact the server on port 80/http and the server never responded. I would expect to see something like:

setup conn outside to inside/80

teardown conn outside to inside/80 FIN

setup conn outside to inside/443

If things were working right.

Good luck,

Matt

0 Helpful

Harald-Norvik
Level 1
Level 1

‎11-25-2008 07:39 PM

1) Do you nat the interface IP to the exchange server or do you have a static entry with a different external IP?

If you use the interface IP, you cannot run ASDM on that interface. I recommend actually in this case to put asdm on completely different port for the ASA.

Command http server enable

2) I wouldn't recommend running any sniffer software on a server - however it may actually work out. Just use the capture command on the ASA and see what you get on the outside and the inside or dmz interface.

I have found it rather useful to have a capture with the same ACL for both interfaces that the traffic should pass. This way I would know if the packet passes the ASA or get blocked.

Command: Capture access-list Interface packet-len 1522

If you use the same line twice, but just replace the , you will get one capture file with traffic entering from each side of the ASA.

Then download the capture and analyse it (check out wireshark.org).

Harald

You can also run a sniffer on your PC and compare this to the capture on the

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card