05-25-2012 12:08 PM - edited 03-11-2019 04:11 PM
Hello,
I have WiFi device (host 10.6.16.21) which needs to connect to remote server (172.25.20.26 on TCP port 3613) over L2L VPN tunnel. I see that the device is attempting connection, but it is being reset:
%ASA-6-302014: Teardown TCP connection 21757966 for outside:172.26.20.25/3613 to inside:10.6.16.21/49164 duration 0:00:05 bytes 72 TCP Reset-I
I'm trying to find out what device is sending the reset packet and so I used packet capture on inside int:
capture in-cap interface inside match tcp host 10.6.16.21 host 172.26.20.25 eq 3613
Could you help me to understand why the session is being reset...below's the result of the packet capture:
sh capture in-cap
619 packets captured
1: 14:22:19.201008 172.26.20.25.3613 > 10.6.16.21.49276: P 3368582700:3368582748(48) ack 2542480154 win 65523
2: 14:22:21.960933 10.6.16.21.49277 > 172.26.20.25.3613: S 2543090958:2543090958(0) win 10000 <mss 1460,nop,wscale 0>
3: 14:22:21.988321 172.26.20.25.3613 > 10.6.16.21.49277: S 1222713806:1222713806(0) ack 2543090959 win 16384 <mss 1380,nop,wscale 0>
4: 14:22:21.996149 10.6.16.21.49277 > 172.26.20.25.3613: . ack 1222713807 win 10000
5: 14:22:22.023344 172.26.20.25.3613 > 10.6.16.21.49276: F 3368582748:3368582748(0) ack 2542480154 win 65523
6: 14:22:22.027769 172.26.20.25.3613 > 10.6.16.21.49277: P 1222713807:1222713819(12) ack 2543090959 win 65535
7: 14:22:22.029798 10.6.16.21.49276 > 172.26.20.25.3613: R 2542480154:2542480154(0) ack 3368582749 win 0
8: 14:22:22.032758 10.6.16.21.49277 > 172.26.20.25.3613: . ack 1222713819 win 9988
9: 14:22:22.034620 10.6.16.21.49277 > 172.26.20.25.3613: P 2543090959:2543090971(12) ack 1222713819 win 10000
10: 14:22:22.059719 172.26.20.25.3613 > 10.6.16.21.49277: P 1222713819:1222713867(48) ack 2543090959 win 65535
11: 14:22:22.063335 10.6.16.21.49277 > 172.26.20.25.3613: . ack 1222713867 win 9952
12: 14:22:22.216663 172.26.20.25.3613 > 10.6.16.21.49277: . ack 2543090971 win 65523
13: 14:22:27.727684 10.6.16.21.49278 > 172.26.20.25.3613: S 2544029455:2544029455(0) win 10000 <mss 1460,nop,wscale 0>
14: 14:22:27.755072 172.26.20.25.3613 > 10.6.16.21.49278: S 1364660650:1364660650(0) ack 2544029456 win 16384 <mss 1380,nop,wscale 0>
15: 14:22:27.758459 10.6.16.21.49278 > 172.26.20.25.3613: . ack 1364660651 win 10000
16: 14:22:27.786580 172.26.20.25.3613 > 10.6.16.21.49277: F 1222713867:1222713867(0) ack 2543090971 win 65523
17: 14:22:27.791737 10.6.16.21.49277 > 172.26.20.25.3613: R 2543090971:2543090971(0) ack 1222713868 win 0
18: 14:22:27.792897 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660651:1364660663(12) ack 2544029456 win 65535
19: 14:22:27.796833 10.6.16.21.49278 > 172.26.20.25.3613: . ack 1364660663 win 9988
20: 14:22:27.800053 10.6.16.21.49278 > 172.26.20.25.3613: P 2544029456:2544029468(12) ack 1364660663 win 10000
21: 14:22:27.823733 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660663:1364660711(48) ack 2544029456 win 65535
22: 14:22:27.827746 10.6.16.21.49278 > 172.26.20.25.3613: . ack 1364660711 win 9952
<--- More --->
23: 14:22:27.950085 172.26.20.25.3613 > 10.6.16.21.49278: . ack 2544029468 win 65523
24: 14:22:42.815204 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
25: 14:22:44.757224 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
26: 14:22:48.771322 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
27: 14:22:56.717797 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
28: 14:22:56.776235 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
29: 14:22:56.776266 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
30: 14:22:56.789784 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
31: 14:22:56.789815 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
32: 14:22:56.853517 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
33: 14:22:56.853547 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
34: 14:22:56.904341 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
35: 14:22:56.904372 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
36: 14:22:56.907439 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
37: 14:22:56.907469 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
Thank you,
forman
05-25-2012 12:54 PM
The reset seems to be sent by your wifi device:
7: 14:22:22.029798 10.6.16.21.49276 > 172.26.20.25.3613: R 2542480154:2542480154(0) ack 3368582749 win 0
So you might just need to verify why is it terminating the request. For a better understanding, download the packets in pcap format and view in wireshark
Thanks,
Varun Rao
Security Team,
Cisco TAC
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide