RST,ACK capture on ASA

Kevin Melton
Level 2

I have set up a capture on our ASA. We are trying to connect across a VPN tunnel with a certain app and it won't connect.

We can telnet and SSH to the device across the tunnel OK. It is just this one app that won't start.

I have a capture set up on the inside interface of our ASA and what I see are SYN packets leaving the device on our inside interface, and RST, ACK packets coming back from the device on the remote side of the tunnel.

The egress connection attempt from the device on the inside network tries the connection using a destination port of 4000. Does this mean that the device on the other end of the tunnel is not listening on port 4000?

5 Replies

Panos Kampanakis
Cisco Employee

Are you capturing the SYN and the RST on the remote ASA inside interface that is close to the server that you are talking to on port 4000?

If yes, then probably that's it.

A RST is sent by the device because it is not listening, or there is an IPS in line, or a FW that spoofs that RST.

I hope it helps.

PK

Well there is no remote ASA. On the remote end there is something called a digi box. It uses a wireless broadband card to connect to the Internet, and has ethernet ports on the other side. I don't think there is any way to do a packet capture on the other end to answer your question.

(in)ASA-----remote device----server

So the capture is taken on the ASA in port? and it shows SYN and RST?

Where is the VPN tunnel terminated? If it is L2L and there is some ASA in the middle that terminates it, can that ASA do packet captures closer to the server to prove our point for the RST?

What does the ASA say in its logs? Does it say "Connection torn down due to RST-O"? That is enough to say that the RST is sent from the remote side.

PK

The digi box on the remote side actually works as a tunnel end point. It is a site to site tunnel.

The device on the in interface of the ASA is located @ 192.168.3.50. The device we are talking to and attempting to get to connect on port 4000 is at 192.168.200.2.

In the trace file captured on the in interface on the ASA, you see 192.168.3.50 send a SYN. The device at 192.168.200.2 always sends a "RST,ACK". This happens over and over again.

If the firewall is forwarding the SYN and it's getting a reset there is nothing that you can do in the ASA. Can you take captures in the server with ethereal or wireshark to see if the packets are hitting the server?
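To check the SYN/RST pattern across a whole capture rather than by eye, here is an added Python example (not from this thread or from Cisco) that pairs each outbound SYN with the reply on the reversed 4-tuple. It goes a little beyond the thread's case by also classifying SYN/ACK (port open) and unanswered SYNs (dropped or filtered somewhere); the line format is assumed to follow the tcpdump-like style of ASA `show capture` output, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ASA "show capture <name>" output.
# Flags column: S = SYN, R = RST; an "ack <n>" field means the ACK flag is set.
SAMPLE_CAPTURE = """\
1: 10:15:01.001234 192.168.3.50.51234 > 192.168.200.2.4000: S 100:100(0) win 8192 <mss 1460>
2: 10:15:01.051234 192.168.200.2.4000 > 192.168.3.50.51234: R 0:0(0) ack 101 win 0
3: 10:15:04.001234 192.168.3.50.51235 > 192.168.200.2.4000: S 200:200(0) win 8192 <mss 1460>
4: 10:15:04.051234 192.168.200.2.4000 > 192.168.3.50.51235: R 0:0(0) ack 201 win 0
5: 10:15:05.000000 192.168.3.50.51236 > 192.168.200.2.22: S 300:300(0) win 8192 <mss 1460>
6: 10:15:05.040000 192.168.200.2.22 > 192.168.3.50.51236: S 900:900(0) ack 301 win 29200
7: 10:15:09.000000 192.168.3.50.51237 > 192.168.200.2.4001: S 400:400(0) win 8192 <mss 1460>
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>"  (assumed layout)
LINE_RE = re.compile(
    r"^\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SRPFU.]+)\s+(?P<rest>.*)$"
)

def parse(text):
    """Return one dict per parseable packet line; unknown lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ack"] = " ack " in line  # ACK flag present on this segment
            pkts.append(d)
    return pkts

def classify(text):
    """Map each client SYN (4-tuple) to how it was answered: reset, open or no-reply."""
    pkts = parse(text)
    results = {}
    for p in pkts:
        if "S" in p["flags"] and not p["ack"]:          # bare SYN from the client
            results[(p["src"], p["sport"], p["dst"], p["dport"])] = "no-reply"
    for p in pkts:
        rev = (p["dst"], p["dport"], p["src"], p["sport"])  # reply flows the other way
        if results.get(rev) == "no-reply":
            if "R" in p["flags"]:
                results[rev] = "reset"                 # closed port, or an inline device injecting RST
            elif "S" in p["flags"] and p["ack"]:
                results[rev] = "open"                  # SYN/ACK: something is listening
    return results

def summarize(text):
    """Count outcomes per destination ip:port, e.g. {'192.168.200.2:4000': {'reset': 2}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for (_, _, dst, dport), outcome in classify(text).items():
        summary[f"{dst}:{dport}"][outcome] += 1
    return {k: dict(v) for k, v in summary.items()}
```

A port that only ever returns "reset" while SSH to the same host shows "open" points at the far end (or something in front of it) rather than the ASA, which is the conclusion the replies above draw.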
