RST,ACK capture on ASA

Unanswered Question
Oct 30th, 2009
I have set up a capture on our ASA. We are trying to connect across a VPN tunnel with a certain app and it won't connect.

We can telnet and SSH to the device across the tunnel OK. It is just this one app that won't start.

I have a capture set up on the inside interface of our ASA and what I see are SYN packets leaving the device on our inside interface, and RST, ACK packets coming back from the device on the remote side of the tunnel.

The egress connection attempt from the device on the inside network tries the connection using a destination port of 4000. Does this mean that the device on the other end of the tunnel is not listening on port 4000?

Panos Kampanakis Fri, 10/30/2009 - 13:42
User Badges:
  • Cisco Employee,

Are you capturing the SYN and the RST on the remote ASA inside interface that is close to the server that you are talking to on port 4000?

If yes, then probably that's it.

An RST is sent by the device because it is not listening, or there is an IPS in line, or a FW that spoofs that RST.

I hope it helps.

PK

Kevin Melton Fri, 10/30/2009 - 14:02

Well there is no remote ASA. On the remote end there is something called a Digi box. It uses a wireless broadband card to connect to the Internet, and has Ethernet ports on the other side. I don't think there is any way to do a packet capture on the other end to answer your question.

Panos Kampanakis Sat, 10/31/2009 - 08:55
User Badges:
  • Cisco Employee,

(in)ASA-----remote device----server

So the capture is taken on the ASA in port? And it shows SYN and RST?

Where is the VPN tunnel terminated? If it is L2L and there is some ASA in the middle that terminates it, can that ASA do packet captures closer to the server to prove our point for the RST?

What does the ASA say in its logs? Does it say "Connection torn down due to RST-O"? That is enough to say that the RST is sent from the remote side.

PK

Kevin Melton Sat, 10/31/2009 - 14:15

The Digi box on the remote side actually works as a tunnel endpoint. It is a site-to-site tunnel.

The device on the in interface of the ASA is located at 192.168.3.50. The device we are talking to and attempting to connect to on port 4000 is at 192.168.200.2.

In the trace file captured on the in interface of the ASA, you see 192.168.3.50 send a SYN. The device at 192.168.200.2 always sends a "RST,ACK". This happens over and over again.
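The SYN followed by RST,ACK pattern described in this thread can be checked mechanically once the capture is exported. The script below is an added example, not part of the original posts: it takes a constructed list of TCP packet summaries modelled on the capture (192.168.3.50 to 192.168.200.2, same addresses as above, with the port-22 and port-4001 flows and all sequence numbers invented for illustration) and, per destination port, reports whether the SYN was refused with a matching RST,ACK, answered with SYN,ACK, or never answered. It also checks that the RST's acknowledgement number is the SYN's sequence number plus one, which is what a reset generated in direct response to that SYN looks like, whether it came from the host or from an in-line device; the capture alone cannot distinguish the two, as PK notes.

```python
from collections import defaultdict

# Constructed sample modelled on the thread's ASA inside-interface capture.
# Fields: (src, sport, dst, dport, flags, seq, ack). Not real capture data.
PACKETS = [
    ("192.168.3.50", 51001, "192.168.200.2", 4000, "S", 1000, 0),
    ("192.168.200.2", 4000, "192.168.3.50", 51001, "RA", 0, 1001),
    ("192.168.3.50", 51002, "192.168.200.2", 4000, "S", 2000, 0),
    ("192.168.200.2", 4000, "192.168.3.50", 51002, "RA", 0, 2001),
    ("192.168.3.50", 51003, "192.168.200.2", 22, "S", 3000, 0),      # SSH works
    ("192.168.200.2", 22, "192.168.3.50", 51003, "SA", 9000, 3001),
    ("192.168.3.50", 51004, "192.168.200.2", 4001, "S", 4000, 0),    # never answered
]

def classify_syn_attempts(packets):
    """Return {(dst, dport): verdict} for every SYN in the capture.

    "refused"   - RST,ACK from the destination acking SYN seq+1: nothing is
                  listening on that port, or an in-line device spoofed the reset
    "open"      - destination answered with SYN,ACK
    "no-answer" - SYN never answered (dropped or silently filtered in transit)
    "odd-rst"   - RST arrived but its ack number does not match the SYN
    """
    syns = {}
    replies = defaultdict(list)
    for src, sport, dst, dport, flags, seq, ack in packets:
        if flags == "S":
            syns[(src, sport, dst, dport)] = seq
        else:
            # Key each reply by the flow it answers (reverse the 4-tuple).
            replies[(dst, dport, src, sport)].append((flags, ack))
    verdicts = {}
    for flow, seq in syns.items():
        verdict = "no-answer"
        for flags, ack in replies.get(flow, []):
            if flags == "SA":
                verdict = "open"
                break
            if "R" in flags:
                verdict = "refused" if ack == seq + 1 else "odd-rst"
                break
        verdicts[(flow[2], flow[3])] = verdict
    return verdicts

if __name__ == "__main__":
    for (dst, port), v in sorted(classify_syn_attempts(PACKETS).items()):
        print(f"{dst}:{port} -> {v}")
```

A "refused" verdict for port 4000 alongside "open" for port 22 matches what the thread describes: the tunnel carries traffic fine, but that one port is answered with a reset by whatever sits at or in front of 192.168.200.2.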

Diego Armando C... Sun, 11/01/2009 - 10:53
User Badges:
  • Bronze, 100 points or more

If the firewall is forwarding the SYN and it's getting a reset, there is nothing that you can do in the ASA. Can you take captures on the server with Ethereal or Wireshark to see if the packets are hitting the server?