Cisco Support Community
New Member

asp drop - First TCP packet not SYN (tcp-not-syn)

I have many tcp-not-syn drops:

First TCP packet not SYN (tcp-not-syn)                                46841247

I'm sure it is not a routing issue because, i.e., 10.32.3.230 can usually connect to 192.168.16.2, which is a proxy server. Sometimes it can't, and I get the tcp-not-syn error. So after a capture I got the following:

ASA# capture asp-drop type asp-drop tcp-not-syn
ASA# sh capture asp-drop | i 10.32.3.230
2397: 16:11:31.904295 802.1Q vlan#8 P0 10.32.3.230.2322 > 192.168.16.2.8080: R 556133793:556133793(0) win 0
2398: 16:11:31.905272 802.1Q vlan#8 P0 10.32.3.230.2322 > 192.168.16.2.8080: R 556133793:556133793(0) win 0
2400: 16:11:31.908583 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2401: 16:11:31.908613 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2402: 16:11:31.908629 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2403: 16:11:31.908659 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2404: 16:11:31.908766 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2405: 16:11:31.908796 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2406: 16:11:31.908812 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) ack 4258924744 win 0
2407: 16:11:31.909071 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2408: 16:11:31.909102 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2409: 16:11:31.909132 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2410: 16:11:31.910490 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2411: 16:11:31.910521 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2412: 16:11:31.910551 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2413: 16:11:31.910566 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2414: 16:11:31.911192 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2415: 16:11:31.911207 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2416: 16:11:31.911238 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2417: 16:11:31.915205 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2418: 16:11:31.915235 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2419: 16:11:31.915296 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
2420: 16:11:31.915327 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2421: 16:11:31.915357 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2422: 16:11:31.915815 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
2432: 16:11:33.102426 802.1Q vlan#8 P0 10.32.3.230.2317 > 192.168.16.2.8080: R 4189536219:4189536219(0) win 0
2433: 16:11:33.102457 802.1Q vlan#8 P0 10.32.3.230.2317 > 192.168.16.2.8080: R 4189536219:4189536219(0) win 0
2434: 16:11:33.102487 802.1Q vlan#8 P0 10.32.3.230.2317 > 192.168.16.2.8080: R 4189536219:4189536219(0) win 0

The syslog message says:

deny tcp (no connection) from 10.32.3.78/1646 to 192.168.16.2/8080 flags RST on interface inside

The question is, how can I determine whether it is:

1. the proxy 192.168.16.2 itself is too slow responding to the syn packet sent from the client 10.32.3.78

2. a reset is sent by the proxy 192.168.16.2 and then forwarded by the ASA to the client 10.32.3.78

3. an idle timeout tuning needed on firewall

4. anything else

Thanks

1 REPLY
Cisco Employee

Hi,

Since it is an RST packet coming from the client IP, destined to the proxy server IP, arriving on the ASA's interface (of course with no associated connection in the ASA state table), the ASA will drop it as "first TCP packet not SYN".

When a packet arrives on the ASA, it checks to see if it belongs to an existing flow; if not, it has to be a new connection, but since the SYN flag is not set here, it gets dropped under the above reason code.

Now, you would probably want to capture the entire traffic stream from client to server on the ASA interface to understand what caused those resets. Maybe the client sent some new requests (SYNs) and the proxy was too busy to respond. Again, a complete capture in pcap would be needed for further analysis.

-

Regards,

Sourav Kakkar
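To turn the reply's advice into a quick triage step, here is an added Python helper (not from the thread or from Cisco) that parses "show capture" lines in the format shown above, groups them by client port, and reports per flow whether any SYN was captured before the RSTs. It assumes the capture line format seen in this thread, and the sample input mixes two lines from the thread's asp-drop capture with a constructed full-interface excerpt for a hypothetical client port 2330.

```python
import re
from collections import OrderedDict

# Pattern for the "show capture" line format seen in this thread (assumption: the
# 802.1Q/vlan prefix is optional so untagged captures parse too).
CAP_RE = re.compile(
    r"^\s*\d+:\s+\d+:\d+:\d+\.\d+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)"
)

def parse_capture(text):
    """Group capture lines into flows keyed by (src, sport, dst, dport), in first-seen order."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows.setdefault(key, []).append(m["flags"])
    return flows

def triage(flows):
    """Per flow: first flag seen, RST count, and whether any SYN was captured before the RSTs."""
    report = {}
    for key, flags in flows.items():
        rst = sum(1 for f in flags if "R" in f)
        syn_seen = any("S" in f for f in flags)
        if not syn_seen:
            verdict = "RST only: handshake not in this capture, take a full interface capture"
        elif flags[0].startswith("S") and rst:
            verdict = "SYN then RST: check which side reset and whether a SYN/ACK came back"
        else:
            verdict = "handshake present, no reset seen"
        report[key] = {"first": flags[0], "rst": rst, "syn_seen": syn_seen, "verdict": verdict}
    return report

# Constructed sample: three lines copied from the thread's asp-drop capture, plus a
# hypothetical full-interface capture of client port 2330 showing a SYN before the RST.
SAMPLE = """
2397: 16:11:31.904295 802.1Q vlan#8 P0 10.32.3.230.2322 > 192.168.16.2.8080: R 556133793:556133793(0) win 0
2398: 16:11:31.905272 802.1Q vlan#8 P0 10.32.3.230.2322 > 192.168.16.2.8080: R 556133793:556133793(0) win 0
2400: 16:11:31.908583 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
1: 16:11:28.100000 802.1Q vlan#8 P0 10.32.3.230.2330 > 192.168.16.2.8080: S 1000:1000(0) win 65535
2: 16:11:31.100000 802.1Q vlan#8 P0 10.32.3.230.2330 > 192.168.16.2.8080: R 1001:1001(0) win 0
"""

if __name__ == "__main__":
    for key, info in triage(parse_capture(SAMPLE)).items():
        print("%s:%d -> %s:%d  %s" % (key + (info["verdict"],)))
```

Feed it the output of a plain interface capture (for example `capture cap interface inside match tcp host 10.32.3.230 host 192.168.16.2`) rather than the asp-drop capture, and flows that show only "RST only" are the ones where the handshake happened outside the capture window.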
