TCP error message

Unanswered Question
Dec 3rd, 2009

Hello all,

I am looking for some help. This is a strange one. My ASA5510 (ver 8.2(1)) works fine with other web sites. But for some reason, we cannot access a website called: http://scrumforteamsystem.com/

I can access from my other location using PIX525 and outside of my network.

I did a trace route; it looks like the destination is unreachable from inside my network. But if I do a trace route from outside of the network, it does the same thing.

Here is "sh conn" or "sh local-host" with the saA error message.

TCP att 152.62.108.17:80 Inside 172.25.2.119:3691, idle 0:00:10, bytes 0, flags saA

But my question is: why can a host outside of my network access the web site while we cannot, even though both have the same "destination unreachable" issue? How do I fix the problem?

Really, thank you for all your help!

GP

Kureli Sankar Thu, 12/03/2009 - 13:37

TCP att 152.62.108.17:80 Inside 172.25.2.119:3691, idle 0:00:10, bytes 0, flags saA

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module

saA means that the host on the inside is waiting for a SYN-ACK from the outside host. The web server isn't responding back. The logs would probably say SYN timeout.

When you say you are able to load the same site from the outside, what IP address do you appear as when you access this same website from the outside? Take that same IP address and use it to translate the inside host on the firewall, then try to access the same page and see if it works.

-KS

gpan667788 Thu, 12/03/2009 - 13:59

Hello KS,

I really appreciate your reply.

Basically I did not use the IP address for the testing; I was using the DNS name of the website for the test, and it translates to the same IP address (it also showed the same public IP address in both firewalls, ASA5510 and PIX).

1. The following is a trace from the location that has the saA error message:

H:\>tracert www.scrumforteamsystem.com

Tracing route to www.scrumforteamsystem.com [152.62.108.17]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms 
  2     1 ms     1 ms     1 ms 
  3     1 ms    <1 ms    <1 ms  12.91.194.85
  4     2 ms     1 ms     1 ms  cr84.cgcil.ip.att.net [12.122.132.226]
  5     2 ms     1 ms     1 ms  cr2.cgcil.ip.att.net [12.123.7.250]
  6     1 ms     1 ms     1 ms  ggr3.cgcil.ip.att.net [12.122.132.9]
  7     1 ms     1 ms     1 ms  192.205.34.206
  8    77 ms     3 ms   213 ms  te3-4.mpd01.ord03.atlas.cogentco.com [154.54.3.234]
  9    69 ms   217 ms     2 ms  te2-4.mpd01.ord01.atlas.cogentco.com [154.54.6.205]
 10   165 ms   193 ms    27 ms  te9-2.mpd03.jfk02.atlas.cogentco.com [154.54.29.162]
 11   103 ms   103 ms   103 ms  te3-2.mpd02.lon01.atlas.cogentco.com [66.28.4.190]
 12   112 ms   112 ms   112 ms  te3-8.ccr01.lon01.atlas.cogentco.com [130.117.1.133]
 13   121 ms   121 ms   121 ms  te1-2.ccr01.dub01.atlas.cogentco.com [130.117.0.130]
 14   122 ms   122 ms   122 ms  149.6.4.158
 15   112 ms   112 ms   112 ms  ge6-3.sw002.cwt.esat.net [193.95.131.70]
 16   111 ms   111 ms   111 ms  vlan54.sw502.cwt.esat.net [193.95.130.162]
 17   111 ms   111 ms   111 ms  ge5-2.sw532.cwt.esat.net [193.95.137.35]
 18  emc-gw.cr532.cwt.esat.net [193.120.29.182]  reports: Destination net unreachable.

Trace complete.

2. This trace is from the location that can view the website:

C:\Users>tracert www.scrumforteamsystem.com

Tracing route to www.scrumforteamsystem.com [152.62.108.17]
over a maximum of 30 hops:

  1     2 ms    <1 ms     1 ms 
  2     1 ms    <1 ms    <1 ms  core3.te2-2-bbnet2.chg.pnap.net [64.94.32.67]
  3     1 ms    <1 ms    <1 ms  GigabitEthernet5-0.GW1.CHI13.ALTER.NET [157.130.102.245]
  4     1 ms    <1 ms    <1 ms  0.so-6-2-0.XL4.CHI13.ALTER.NET [152.63.69.182]
  5    27 ms    27 ms    28 ms  0.so-3-0-0.IL4.NYC9.ALTER.NET [152.63.23.177]
  6    27 ms    27 ms    26 ms  so-1-0-0.IL2.NYC12.ALTER.NET [146.188.15.1]
  7   112 ms   112 ms   112 ms  so-1-0-0.XT1.DUB2.ALTER.NET [146.188.15.105]
  8   112 ms   112 ms   105 ms  gigabitethernet8-0-0.gw5.dub2.alter.net [158.43.152.39]
  9     *        *     212.120.129.182  reports: Destination net unreachable.

Trace complete.

I don't understand why both destinations are unreachable, yet one location can see the site and the other cannot. It looks like the first traceroute is a routing or BGP peering issue. But I don't understand why the second one is working.

KS, I also don't understand what you want me to test. You mentioned "Take that same IP address and use that to translate the inside host on the firewall and try to access the same page and see if it works."

Thanks again for all your help!

GP

Kureli Sankar Thu, 12/03/2009 - 14:49

Now, this is traceroute through the firewall. That is completely different from not being able to access the website.

You need to allow traceroute through the firewall. Please check this link and add the necessary inspection, and allow ICMP time-exceeded and unreachable to come back in for the trace to complete.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
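The configuration a practitioner would add for the step above, written here as an added example (it is not taken from this thread or from the linked Cisco tech note). It assumes the outer interface is named "outside", that the default "global_policy" service policy is still in place, and that an inbound ACL named OUTSIDE_IN is used on that interface; all three names are assumptions to adjust to the real config. Windows tracert (as used in both traces in this thread) sends ICMP echo probes, so ICMP inspection covers the outbound probes and the echo replies, while the time-exceeded and unreachable errors from intermediate hops are what the ACL lines admit.

```cisco
! Added example, not the tech note's or this thread's own config.
! Assumed names: interface "outside", policy-map "global_policy", ACL OUTSIDE_IN.

! 1. Inspect ICMP so the ASA tracks each outbound echo probe and admits the
!    matching reply; "inspect icmp error" additionally admits ICMP error
!    messages (time-exceeded, unreachable) that refer to an inspected probe.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Explicitly permit the two ICMP error types a traceroute depends on:
!    time-exceeded from every intermediate hop, unreachable from the last hop.
!    If an ACL is already applied inbound on "outside", add these two entries
!    to that ACL instead of creating a new one, so existing rules are kept.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! 3. Confirm the policy is actually applied to the inspection class.
show service-policy inspect icmp
```

After this change an inside host's tracert should list the intermediate hops instead of timing out at the firewall. A trace that still ends with "Destination net unreachable" at the far end, as both traces in this thread do, is reported by the destination's own network and is independent of whether the HTTP connection (the saA entry in "sh conn") gets a SYN-ACK back.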

Coming to what I was asking you to try, it is this.

1. You mentioned you were able to access the website by name on the outside, correct? You were using a PC or laptop for this test. What IP address did you give this laptop? Some public IP address, correct? I suggested using the same IP address on the firewall to translate the inside host and seeing if the same website works. For example, on the inside host behind the firewall, if you were to go to http://ipchicken.com it should show you the same IP address that you gave the PC/laptop to test from the outside.

2. It appears that the website on the internet selectively responds to certain IP addresses but not to others. We have seen cases like this.

Give that a shot and let me know.

-KS
