TCP error message

Dec 3rd, 2009

Hello all,

I am looking for some help. This is a strange one. My ASA5510 (ver 8.2(1)) works fine with other web sites. But for some reason, we cannot access a website called:

I can access from my other location using PIX525 and outside of my network.

I did a trace route, and it looks like the destination is unreachable from inside of my network. But if I do a trace route from outside of the network, it does the same thing.

Here is "sh conn" or "sh local-host" with the saA error message.

TCP att Inside, idle 0:00:10, bytes 0, flags saA

But my question is why the outside of my network can access the web site but we cannot, even though both have the same "destination unreachable" issue? How do I fix the problem?

Really, thank you for all your help!


Kureli Sankar Thu, 12/03/2009 - 13:37
Cisco Employee

TCP att Inside, idle 0:00:10, bytes 0, flags saA

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module

saA means that the host on the inside is waiting for a SYN-ACK from the outside host. The web server isn't responding back. The logs would probably say SYN timeout.

When you say you are able to load the same site from the outside, what IP address do you look like you are coming from when you access this same website from the outside? Take that same IP address and use it to translate the inside host on the firewall, then try to access the same page and see if it works.


gpan667788 Thu, 12/03/2009 - 13:59

Hello KS,

Really appreciate for your reply.

Basically I did not use the IP address for the testing; I was using the DNS name of the website for the test and it translates to the same IP address (it also showed up as the same public IP address in both firewalls, ASA5510 and PIX).

1. The following is a trace from the location that has the saA error message:


Tracing route to []
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms 
  2     1 ms     1 ms     1 ms 
  3     1 ms    <1 ms    <1 ms
  4     2 ms     1 ms     1 ms []
  5     2 ms     1 ms     1 ms []
  6     1 ms     1 ms     1 ms []
  7     1 ms     1 ms     1 ms
  8    77 ms     3 ms   213 ms [
  9    69 ms   217 ms     2 ms [
10   165 ms   193 ms    27 ms [154.54.29.
11   103 ms   103 ms   103 ms [
12   112 ms   112 ms   112 ms [130.117.1.
13   121 ms   121 ms   121 ms [130.117.0.
14   122 ms   122 ms   122 ms
15   112 ms   112 ms   112 ms []
16   111 ms   111 ms   111 ms []
17   111 ms   111 ms   111 ms []
18 []  reports: Destination net unreac

Trace complete.

2. This trace is from the location that can view the website:


Tracing route to []
over a maximum of 30 hops:

  1     2 ms    <1 ms     1 ms 
  2     1 ms    <1 ms    <1 ms []
  3     1 ms    <1 ms    <1 ms  GigabitEthernet5-0.GW1.CHI13.ALTER.NET [157.130.
  4     1 ms    <1 ms    <1 ms []
  5    27 ms    27 ms    28 ms []
  6    27 ms    27 ms    26 ms  so-1-0-0.IL2.NYC12.ALTER.NET []
  7   112 ms   112 ms   112 ms  so-1-0-0.XT1.DUB2.ALTER.NET []
  8   112 ms   112 ms   105 ms [158.43.
  9     *        *  reports: Destination net unreachable.

Trace complete.

I don't understand why both destinations are unreachable but one can see the site and the other cannot. It looks like the first traceroute is a routing or BGP peering issue. But I don't understand why the second one is working.

KS, I also don't understand what you want me to test. You mentioned "Take that same IP address and use that to translate the inside host on the firewall and try to access the same page and see if it works."

thanks again for all your help!


Kureli Sankar Thu, 12/03/2009 - 14:49
Cisco Employee

Now, this is traceroute through the firewall. That is completely different from not being able to access the website.

You need to allow traceroute through the firewall. Please check this link and add the necessary inspection, and allow ICMP time-exceeded and unreachable to come back in for the trace to complete.

Coming to what I was asking you to try is this.

1. You mentioned you were able to access the website by name on the outside, correct? You were using a PC or laptop for this test. What IP address did you give this laptop? Some public IP address, correct? I suggested using the same IP address on the firewall to translate the inside host and seeing if the same website works. For example, on the inside host behind the firewall, if you were to go to it should show you the same IP address that you gave the PC/laptop to test from the outside.

2. It appears like the website on the internet selectively responds back to certain IP addresses but not to others.  We have seen cases like this.

Give that a shot and let me know.
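The two steps above (let the traceroute complete through the firewall, then put the inside test host behind the exact public IP that worked from outside), written out as an ASA 8.2-style configuration fragment. This is an added example, not configuration posted in the thread or taken from the poster's firewall; the interface names "inside"/"outside", the ACL name outside_access_in, and the addresses 203.0.113.10 (the public IP the outside laptop used) and 10.1.1.50 (the inside test host) are placeholders to be replaced with the real values.

```text
! Added example (not from the thread). Assumed interface names: inside/outside.
! Placeholder addresses: 203.0.113.10 = public IP used for the outside test,
!                        10.1.1.50    = inside host used for the inside test.

! --- Step 1: let an inside-originated traceroute complete.
! ICMP inspection tracks outbound echo requests as connections, and
! "inspect icmp error" lets the time-exceeded / unreachable replies from
! intermediate hops be matched to those connections and passed back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! If ICMP inspection is not wanted, the ICMP error types a traceroute needs
! can instead be permitted explicitly on the outside interface ACL:
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! --- Step 2: translate the inside test host to the same public address that
! worked from the outside laptop (one-to-one static NAT, 8.2 syntax).
! Any existing static that already uses 203.0.113.10 must be removed first.
static (inside,outside) 203.0.113.10 10.1.1.50 netmask 255.255.255.255
clear xlate

! Then browse to the site from 10.1.1.50 and watch the connection flags;
! "saA" still means no SYN-ACK came back, "UIO" means the session is up
! with data flowing both ways.
show conn address 10.1.1.50 detail
```

If the page loads once the inside host is translated to the known-good public IP, the problem is on the remote side (it answers some source addresses and not others, as point 2 suggests) rather than in the ASA. If it still fails with saA while the same address works from the outside laptop, compare the outbound path the ASA uses with the laptop's path, since the two traceroutes in the thread leave the network through different providers.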


