Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
4
Replies

Can't connect to the Application using ASA5520

zakid
Level 1
Level 1

‎10-19-2010 11:34 AM - edited ‎03-11-2019 11:56 AM

One of my customer, I configured Inside Zone as sever hosted and in DMZ zone clients located. configuration is workig fine.

when I telnet from client to server as port 80, 25392 and 25492 connections established successfully.

see the test result.

C:\>netstat

Active Connections

  Proto  Local Address            Foreign Address             State
  TCP    laptop:4986              10.102.10.2:25392         ESTABLISHED
  TCP    laptop:4987               10.102.10.2:80             ESTABLISHED.    

and also I can see the connection established in firewall.

But, If I run the application from the client, i can see the same connection established in firewall. but through netstat is not, see the test result.

C:\>netstat

Active Connections

  Proto  Local Address            Foreign Address             State

  TCP    laptop:4986              10.102.10.2:25392         TIME_WAIT

  TCP    laptop:4987              10.102.10.2:80             ESTABLISHED.

could any one  can support on the issue, is much appricated.

regards,

Basha.

Labels:
0 Helpful
4 Replies 4

Maykol Rojas
Cisco Employee
Cisco Employee

‎10-19-2010 11:44 AM

Hello Basha,

The timewait is a state on every tcp connection prior to the closure of it. Can you run the logs when the conection is being build until it goes down? Can you do a show conn detail | inc 10.102.10.2 to check what is the status of the connection?

Cheers

Mike

Mike
0 Helpful

zakid
Level 1
Level 1
In response to Maykol Rojas

‎10-19-2010 12:06 PM

thanks for your prompt reply.

kindly see the sh conn status:

TCP dmz 10.102.212.83:8541 inside 10.102.10.2:80, idle 0:00:00, bytes 394, flags UIO

TCP dmz 10.102.212.83:8542 inside 10.102.10.2:25392, idle 0:00:00, bytes 2573, flags UIO

regards,.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to zakid

‎10-19-2010 03:58 PM

When you monitor the status of the session with the logs at debuging level, what is the reason for torn down? When you took this output, on the computer the connection was on timewait as well ?

Let us know

Mike

Mike
0 Helpful

sainair
Level 1
Level 1

‎10-19-2010 05:18 PM

Basha,

If i understand the situation, the configuration works fine, but when you do a netstat on the client in the DMZ you see a TIME_WAIT for connection for the foreign address of the server (10.102.10.2:25392) to the specified port no. on which the application works. If the configuration is working fine, then the TCP status that you are seeing is the way how the application works. What is this application, as incase if the configuration is working fine, and you dont see the communication fail, but only when you do the netstat you see the TIME_WAIT, then you may want to check the application works.

TIMED_WAIT Client enters this state after active close.

May be the time you captured the netstat, the application went into the TIME_WAIT state.

I would say after the configuration is done, telnet should tell you if the ports are open, netstat is basically a local command on the client to check the TCP/UDP port status.

Let me know, if the application is not working through the firewall.

HTH,

Sai

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card