
New Member

ASA sending RST-ACK to the server..!!

Hello everyone,

I have recently started learning about ASAs and I had an issue while deploying an ASA. Previously we had a router which was acting as a firewall and I was assigned the task to replace it with an ASA 5512. I have configured the access rules and everything. But when I bring up the ASA we are unable to reach the mail server from outside. When I run Wireshark on the mail server it shows

6    0.250255000    X.X.X.2    Y.Y.Y.15    TCP    74    40092 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=344785118 TSecr=0 WS=64

7    0.250319000    Y.Y.Y.15    X.X.X.2    TCP    74    http > 40092 [SYN, ACK] Seq=0 Ack=1 Win=8192 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=181293696 TSecr=344785118

8    0.252076000    X.X.X.2    Y.Y.Y.15    TCP    60    40092 > http [RST, ACK] Seq=1 Ack=1 Win=524288 Len=0

where X.X.X.2 is the external IP from which I was trying to open the mail server on port 80 and Y.Y.Y.15 is my mail server.

And on the ASA it says

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags PSH ACK  on interface External_Interface

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags PSH ACK  on interface External_Interface

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags FIN ACK  on interface External_Interface

6|Oct 01 2013|19:08:31|106015|70.197.81.228|1305|Y.Y.Y.85|80|Deny TCP (no connection) from 70.197.81.228/1305 to Y.Y.Y.85/80 flags FIN ACK  on interface External_Interface

Here Y.Y.Y.85 is the external IP address for my mail server.

I have tried TCP state bypass but it didn't work. Can anyone please help me with this....!!

Thanks in advance...

Raj

5 REPLIES
Super Bronze

ASA sending RST-ACK to the server..!!

Hi,

Log messages seem to point to a situation where the ASA is blocking a packet for a connection that doesn't exist on the ASA yet or has been removed from it before.

I think the ASA usually sends TCP Reset to the host when the ASA is configured to Reset a connection that is not allowed according to its ACLs.

I guess this might also be due to asymmetric routing. For example, if the TCP SYN arrived at the server from some OTHER device than the ASA and the server then sends traffic through its default gateway, which would be the ASA, then the ASA would drop the SYN, ACK since it never saw the original SYN.

- Jouni

New Member

ASA sending RST-ACK to the server..!!

Hello Jouni,

Thank you for the reply. I don't think I have any asymmetric route. Can you please let me know how to look for an asymmetric route? Moreover, when I captured asp-drop packets I found this

6: 14:40:39.724068 192.168.2.15.80 > 10.10.10.2.41828: S 1930943544:1930943544(0) ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

7: 14:40:39.974269 192.168.2.15.80 > 10.10.10.2.41829: S 2640695216:2640695216(0) ack 2109706537 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

8: 14:40:45.724556 192.168.2.15.80 > 10.10.10.2.41828: S 1932490255:1932490255(0) ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

9: 14:40:45.974375 192.168.2.15.80 > 10.10.10.2.41829: S 2642506900:2642506900(0) ack 2109706537 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule

(Here 192.168.2.15 is my mail server and 10.10.10.2 is my external IP; I am testing it in the lab)

But I didn't mention any rule which blocks the packets.

--

Raj
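The two kinds of output quoted above (the pipe-delimited ASA syslog records with message ID 106015, and the "Drop-reason" lines from the asp-drop capture) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Cisco: it parses both formats, groups the denies per 5-tuple, and applies the reasoning from Jouni's reply as a heuristic (denied mid-stream flags with no ASA state suggest the handshake bypassed the ASA or the connection was already torn down; an acl-drop of the server's SYN/ACK points at an ACL or NAT rule in the return direction). The sample lines, addresses, ports and the `tcp-not-syn` line are constructed for the example; the classification strings are my own wording.

```python
import re
from collections import defaultdict

# Constructed sample input mirroring the formats quoted in the thread.
# Addresses are documentation/placeholder ranges, not real hosts.
SYSLOG_LINES = [
    "6|Oct 01 2013|19:08:31|106015|203.0.113.7|1305|198.51.100.85|80|Deny TCP (no connection) "
    "from 203.0.113.7/1305 to 198.51.100.85/80 flags PSH ACK  on interface External_Interface",
    "6|Oct 01 2013|19:08:31|106015|203.0.113.7|1305|198.51.100.85|80|Deny TCP (no connection) "
    "from 203.0.113.7/1305 to 198.51.100.85/80 flags FIN ACK  on interface External_Interface",
    "not an ASA record at all",
]
ASP_DROP_LINES = [
    "6: 14:40:39.724068 192.168.2.15.80 > 10.10.10.2.41828: S 1930943544:1930943544(0) "
    "ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule",
    "8: 14:40:45.724556 192.168.2.15.80 > 10.10.10.2.41828: S 1932490255:1932490255(0) "
    "ack 1214614617 win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule",
    # constructed: a bare data segment dropped because the ASA has no flow for it
    "9: 14:40:46.101010 10.10.10.2.41830 > 192.168.2.15.80: P 5:17(12) ack 1 win 512 "
    "Drop-reason: (tcp-not-syn) First TCP packet not SYN",
]

SYSLOG_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<msgid>\d+)\|"
    r"(?P<src>[^|]+)\|(?P<sport>\d+)\|(?P<dst>[^|]+)\|(?P<dport>\d+)\|(?P<msg>.*)$"
)
FLAGS_RE = re.compile(r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)")
ASP_RE = re.compile(
    r"^\d+:\s+(?P<ts>\S+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<tflags>[SFRP.]+)\s(?P<rest>.*?)"
    r"Drop-reason:\s+\((?P<reason>[^)]+)\)"
)
TCPDUMP_FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH"}


def parse_syslog(line):
    """Parse one pipe-delimited ASA 106015 record; return None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("msgid") != "106015":
        return None
    f = FLAGS_RE.search(m.group("msg"))
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": set(f.group("flags").split()) if f else set(),
        "iface": f.group("iface") if f else None,
        "reason": "no-connection",
    }


def parse_asp_drop(line):
    """Parse one asp-drop capture line in tcpdump-style notation with a Drop-reason."""
    m = ASP_RE.match(line)
    if not m:
        return None
    flags = {TCPDUMP_FLAG_NAMES[c] for c in m.group("tflags") if c in TCPDUMP_FLAG_NAMES}
    if re.search(r"\back\b", m.group("rest")):
        flags.add("ACK")
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags, "iface": None, "reason": m.group("reason"),
    }


def assess(flags, reasons):
    """Heuristic classification following the reasoning in the thread."""
    if "acl-drop" in reasons and {"SYN", "ACK"} <= flags:
        return "return SYN/ACK dropped by a configured rule: review ACL and NAT for the reverse direction"
    if "SYN" not in flags and flags & {"ACK", "PSH", "FIN"}:
        return "mid-stream segment with no ASA state: handshake bypassed the ASA (asymmetric path) or the connection was already torn down"
    return "unclassified"


def summarize(syslog_lines, asp_lines):
    """Group every parsed deny by 5-tuple and attach an assessment per flow."""
    flows = defaultdict(lambda: {"flags": set(), "reasons": set(), "count": 0})
    records = [r for r in map(parse_syslog, syslog_lines) if r]
    records += [r for r in map(parse_asp_drop, asp_lines) if r]
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        flows[key]["flags"] |= r["flags"]
        flows[key]["reasons"].add(r["reason"])
        flows[key]["count"] += 1
    for key, f in flows.items():
        f["assessment"] = assess(f["flags"], f["reasons"])
    return dict(flows)


if __name__ == "__main__":
    for key, f in summarize(SYSLOG_LINES, ASP_DROP_LINES).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  x{f['count']}  "
              f"flags={sorted(f['flags'])} reasons={sorted(f['reasons'])}\n    {f['assessment']}")
```

Run it against your own `show logging` and `show capture asp-drop` output (each line as one string). A flow whose only denied segments carry PSH/FIN/ACK is worth checking for an asymmetric path, while a denied SYN/ACK from the inside server is the pattern that in this thread turned out to be a NAT rule, which `packet-tracer` will show directly.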

New Member

ASA sending RST-ACK to the server..!!

Have you run a packet-tracer for the source and destination to see if it is showing any rules or NATs that would drop the traffic?

Run something like this

packet-tracer input outside tcp 10.10.10.2 1032 192.168.2.15 25

(using your IPs in the last comment)

and see if that shows any reason for it to be dropped or denied. 

Super Bronze

Re: ASA sending RST-ACK to the server..!!

Hi,

Well any routing related problem could be checked with simply following the routing tables on the L3 devices in the network and checking the network settings on the related host devices.

To be honest it would be way simpler to check the ASA configurations for any problems and also issue "packet-tracer" commands to simulate an incoming connection from external network to the server.

- Jouni

New Member

ASA sending RST-ACK to the server..!!

Thank you Jouni,

The issue was resolved. It was a NAT rule which was not allowing the traffic.

--

Raj
