10-30-2009 11:38 AM - edited 03-11-2019 09:34 AM
I have set up a capture on our ASA. We are trying to connect across a VPN tunnel with a certain app and it won't connect.
We can telnet and SSH to the device across the tunnel OK. It is just this one app that won't start.
I have a capture set up on the inside interface of our ASA, and what I see are SYN packets leaving the device on our inside interface, and RST, ACK packets coming back from the device on the remote side of the tunnel.
The egress connection attempt from the device on the inside network tries the connection using a destination port of 4000. Does this mean that the device on the other end of the tunnel is not listening on port 4000?
10-30-2009 01:42 PM
Are you capturing the SYN and the RST on the remote ASA inside interface that is close to the server that you are talking to on port 4000?
If yes, then probably that's it.
A RST is sent by the device because it is not listening, or there is an IPS in line, or a FW that spoofs that RST.
I hope it helps.
PK
10-30-2009 02:02 PM
Well, there is no remote ASA. On the remote end there is something called a Digi box. It uses a wireless broadband card to connect to the Internet, and has Ethernet ports on the other side. I don't think there is any way to do a packet capture on the other end to answer your question.
10-31-2009 08:55 AM
(in)ASA-----remote device----server
So the capture is taken on the ASA "in" port, and it shows SYN and RST?
Where is the VPN tunnel terminated? If it is L2L and there is some ASA in the middle that terminates it, can that ASA do packet captures closer to the server to prove our point about the RST?
What does the ASA say in its logs? Does it say "Connection torn down due to RST-O"? That is enough to say that the RST is sent from the remote side.
PK
10-31-2009 02:15 PM
The Digi box on the remote side actually works as a tunnel endpoint. It is a site-to-site tunnel.
The device on the "in" interface of the ASA is located at 192.168.3.50. The device we are talking to and attempting to connect to on port 4000 is at 192.168.200.2.
In the trace file captured on the "in" interface of the ASA, you see 192.168.3.50 send a SYN. The device at 192.168.200.2 always sends a "RST,ACK". This happens over and over again.
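As an added example (not part of the original thread, and not Cisco's or the poster's code), here is a stdlib-only Python script that reads a classic pcap, pairs each client SYN with the server's reply, and classifies every (client, server, port) flow as "refused" (SYN answered by RST/ACK, the pattern above), "accepted" (SYN/ACK) or "no_answer" (nothing came back). It also records how many SYN retries were seen and the IP TTL of the reply. The capture it analyses is constructed in memory from the addresses in the thread; the source ports, the port-22 and port-5000 flows, the TTL values and the output file name sample.pcap are assumptions for illustration. On a real ASA the capture would be exported with copy /pcap capture:<name> tftp://... and passed to classify_flows() instead.

```python
"""Pair TCP SYNs with their replies in a pcap and classify each flow.

Added example, not from the original thread. Uses only the standard library.
"""
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits in the flags byte


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, ttl=64):
    """Minimal Ethernet/IPv4/TCP frame used only to construct sample data.
    Checksums are left at zero; the parser below does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap container, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, ttl) for every IPv4/TCP record."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # IP protocol 6 = TCP
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[13], ip[8])


def classify_flows(pcap):
    """Map (client, server, server_port) -> (outcome, syn_attempts, reply_ttl).
    outcome: 'refused' if a SYN was met by RST(+ACK), 'accepted' on SYN/ACK,
    'no_answer' if no reply at all appears in the capture."""
    flows = {}
    for src, dst, sport, dport, flags, ttl in iter_tcp(pcap):
        if flags & SYN and not flags & ACK:           # client -> server SYN
            key = (src, dst, dport)
            outcome, attempts, reply_ttl = flows.get(key, ("no_answer", 0, None))
            flows[key] = (outcome, attempts + 1, reply_ttl)
            continue
        key = (dst, src, sport)                       # reply: server port is the source port
        if key not in flows:
            continue
        _, attempts, _ = flows[key]
        if flags & RST:
            flows[key] = ("refused", attempts, ttl)
        elif flags & SYN and flags & ACK:
            flows[key] = ("accepted", attempts, ttl)
    return flows


def sample_pcap():
    """Constructed capture (not real data): three SYNs to port 4000 each met by
    RST,ACK, a working SSH handshake to port 22, and a SYN to port 5000 that
    gets no reply at all (e.g. silently dropped somewhere in the path)."""
    client, server = "192.168.3.50", "192.168.200.2"
    frames = []
    for sport in (49152, 49153, 49154):
        frames.append(build_tcp_frame(client, server, sport, 4000, SYN, seq=1000))
        frames.append(build_tcp_frame(server, client, 4000, sport, RST | ACK, ack=1001))
    frames.append(build_tcp_frame(client, server, 49155, 22, SYN, seq=2000))
    frames.append(build_tcp_frame(server, client, 22, 49155, SYN | ACK, seq=7000, ack=2001))
    frames.append(build_tcp_frame(client, server, 49156, 5000, SYN, seq=3000))
    return build_pcap(frames)


if __name__ == "__main__":
    pcap = sample_pcap()
    with open("sample.pcap", "wb") as f:  # assumed file name; open it in Wireshark
        f.write(pcap)
    for (client, server, port), (outcome, attempts, ttl) in sorted(classify_flows(pcap).items()):
        print(f"{client} -> {server}:{port}: {outcome} ({attempts} SYN(s), reply TTL {ttl})")
```

Two things worth reading off the result: a "refused" flow with many SYN attempts is exactly the "over and over again" pattern, and a "no_answer" flow would instead point at a drop rather than a refusal. The reply TTL is kept because it helps with the earlier point about a firewall or IPS spoofing the RST: if the RST for port 4000 arrives with a different TTL than the SYN/ACK from the same host's working port 22, the RST was likely generated by a device in the path rather than by 192.168.200.2 itself.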
11-01-2009 10:53 AM
If the firewall is forwarding the SYN and it's getting a reset, there is nothing that you can do on the ASA. Can you take captures on the server with Ethereal or Wireshark to see if the packets are hitting the server?