Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1156
Views
0
Helpful
10
Replies

ASA - ICMP works on a L2L tunnel but TCP fails.

Go to solution
borravishnu
Level 1
Level 1

‎07-12-2013 09:09 AM - edited ‎03-11-2019 07:11 PM

All,

I have just started to work with the ASA's and I have a couple of problems with two 5510 8.4(1) ASA's supporting a L2L tunnel.

Problem-1:

-----------------

Below  is the topology and currently the only config on these ASA's is what is  required to get the LAN2LAN tunnel setup and nothing more. ASA01 and ASA02 are the tunnel termination devices.

LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2

Below is what is working

- Tunnel is established between the ASA's.

- I can ping from LAN A to LAN B and viceversa.

Below is not what is working

- I cannot RDP from a device in LAN A to LAN B and vice versa.

What we found in troubleshooting when we initiate a RDP session from a server in LAN-A to Server in LAN-B.

- The packet capture on  ASA - A shows that the SYN leaves the ingress(LAN interface).

-  The packet capture on ASA - B shows that the SYN is leaving the LAN interface.

-  Dont see a SYN-ACK on ASA-B. First we thought there might be a  different reason(detailed below as problem-2) but we dont see the  syn-ack on ASA-A either.

- Doing a asp-drop capture on ASA-B we saw that the SYN,ACK from server in LAN-B is being dropped with the following message

Drop-reason: (tcp-not-syn) First TCP packet not SYN

Any ideas on why ASA-B doesnt treat this is as a established tcp session?

Problem -2

-----------------

On the packet capture wizard in ASDM if I do a  capture on the LAN interface of the ASA02 I can only see packets  leaving the ASA towards the LAN but I do not see anything coming back  into the interface from the LAN interface. This works the same whether I  do a ICMP or a TCP session(RDP).

For example - Ping from a server on LAN A to LAN B

- On ASA01

The packet capture wizard shows both icmp-echo from LAN-A and icmp-reply from LAN-B

- On ASA02

The packet capture wizard shows icmp-echo from LAN-A both not the icmp-reply from LAN-B.

I am not sure what the reason for both the problems above and the reasons might just be that my skill level with ASA's are just not there yet. Any guidance will be great appreciated.

Thanks,

Vishnu

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎07-12-2013 10:50 AM

Hello Vishnu,

Any ideas on why ASA-B doesnt treat this is as a established tcp session?

This is happening because the ASA is not seeing the entire 3 way hanshake, Are you sure all the packets are going across the ASA??? I would recommend you to do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate to determine if indeed the ASA is receving what it needs.

On the packet capture wizard in ASDM if I do a  capture on the LAN interface of the ASA02 I can only see packets  leaving the ASA towards the LAN but I do not see anything coming back  into the interface from the LAN interface. This works the same whether I  do a ICMP or a TCP session(RDP).

That's exactly the reason of why this problem is happening, Good job correlating the facts,

Resolution of the issues:

I would say the problem is on the Routing device between ASA-2 and the LAN-2...

Make sure the Routing device knows that in order to reach the LAN-1 it needs to send the traffic back to the ASA-2 as somehow this traffic is not making it on the right interface,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎07-12-2013 10:50 AM

Hello Vishnu,

Any ideas on why ASA-B doesnt treat this is as a established tcp session?

This is happening because the ASA is not seeing the entire 3 way hanshake, Are you sure all the packets are going across the ASA??? I would recommend you to do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate to determine if indeed the ASA is receving what it needs.

On the packet capture wizard in ASDM if I do a  capture on the LAN interface of the ASA02 I can only see packets  leaving the ASA towards the LAN but I do not see anything coming back  into the interface from the LAN interface. This works the same whether I  do a ICMP or a TCP session(RDP).

That's exactly the reason of why this problem is happening, Good job correlating the facts,

Resolution of the issues:

I would say the problem is on the Routing device between ASA-2 and the LAN-2...

Make sure the Routing device knows that in order to reach the LAN-1 it needs to send the traffic back to the ASA-2 as somehow this traffic is not making it on the right interface,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
borravishnu
Level 1
Level 1
In response to Julio Carvajal

‎07-12-2013 11:06 AM

I will upload the packets captures in a few. I have a feeling that there is something not right on the ASA-02 side which is not evident to me till now.

Regarding the resolution you proposed.

- I do not believe that there are any routing issues on either LAN's as I can ping between LAN-A and LAN-B through the tunnel successfully.

I will clarify a little bit more below about the packet capture wizard problem

- Server in LAN-A pings server in LAN-B.

- The packet capture wizard in ASA01 shows both request and reply in the capture.

- The packet capture wizard in ASA02 only shows the request and doesnt show the reply even though it does send the reply through the tunnel which is seen in ASA01's capture.

0 Helpful

Go to solution
borravishnu
Level 1
Level 1
In response to borravishnu

‎07-12-2013 11:16 AM

asp-dropped shows the syn-ack is dropped on the ASA02. This time with no reason given.           

78: 17:45:07.103479 10.206.130.200.3389 > 10.209.2.24.60775: S 3992834937:3992834937(0) ack 4131467397 win 8192

  79: 17:45:13.119683 10.206.130.200.3389 > 10.209.2.24.60775: S 3994384918:3994384918(0) ack 4131467397 win 8192

15364013-Ingress ASA02.pcap.zip
0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to borravishnu

‎07-12-2013 11:18 AM

Hello,

Okey but we are seeing the packet go out on the inside interface,

Where is the SYN-ACK?

There is no reply from the server,

Could you do it again (Once you get the replies)

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
borravishnu
Level 1
Level 1
In response to borravishnu

‎07-12-2013 11:34 AM

Hi Julio,

Thanks for the help!!!

I have confirmed that the server on LAN-B sends the SYN-ACK. Unfortunately the issue is because ASA-02 drops it. you can see it in asp-drops capture on ASA-B, I have pasted it as text in my previous post.

Regards,

Vishnu

0 Helpful

Go to solution
borravishnu
Level 1
Level 1
In response to borravishnu

‎07-12-2013 12:02 PM

Hi Julio,

Looks like there was a routing issue on the LAN-B side which was routing a particular ip on LAN-A to mgmt interface of the ASA02. Unfortunately that was the IP we were testing from.

Thanks for the help.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to borravishnu

‎07-12-2013 12:18 PM

Hello Vishnu,

As I said on my first post Routing issue on Site B,

Please mark the question as answered and rate all of the helpful posts

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to borravishnu

‎07-14-2013 06:23 PM

Hello Vishnu,

Any other question or can I mark it as answered,

Regards

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
vishnuborra1
Level 1
Level 1
In response to Julio Carvajal

‎07-15-2013 08:00 AM

Thanks for the help. Please mark it as answered.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to vishnuborra1

‎07-15-2013 08:44 AM

Hello Vishnu,

I do not know what I said I can close it

As you open the discussion you will be the only one being able to mark it as answered,

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card