I have an ASA running 8.6(2) and we started seeing an issue with one website last week where users reported that it was operating 'slowly' and sometimes they wouldn't get a connection at all [Page cannot be displayed]. Looking at our firewall and doing some captures has me stumped, or at least has led me to the conclusion that I've done all the troubleshooting I can on the firewall, with captures and so on (although my next step is to check out the asp-drop capture and search for the IP).
Here are my findings:
1. I set up inside and outside captures. Inside was from internal IP to 'any', outside capture was 'external NAT address' <-> any. While testing, I see 3 attempts to send the initial request to 188.8.131.52:443 from our inside address and the 3 attempts leaving our outside interface NAT->184.108.40.206:443, and nothing back. After the 3rd attempt on the capture, they get the 404 on the browser end.
2. Filtering ASDM logging for 220.127.116.11 while running this, I get the various 'building connection' messages when the site works, and I see two-way data on the capture and the ASDM eventually reports a 'TCP Reset-I' to kill the flow when done - all is good. When I get the 404 though, the log reports 'Teardown ...<details>..... SYN Timeout'.
I think the issue is that the remote end is either not sending a SYN-ACK to my request at all, or not in time. Or something on the internet or the remote network is dropping my packets or dropping the replies.
Does this sound right? Anything else to check? This happens on static NAT and when using PAT. Is there a way to increase the 30 second limit after which the ASA gives up and tears down the connection reporting 'SYN Timeout'? It would be good to increase this to 60 seconds to see if it's just a delay or something?
Thanks. I saw a Cisco article while I was browsing and set this on the default/class-default. I see it now waits 1 minute before timing the connection out.
We still see several failures when trying to connect to the website, apart from the steps I have tried above (and I've now checked my asp-drop capture and the IP is not in there when we're trying to make a connection). Any other thoughts?
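The ASDM log filtering described in the posts above can be done offline as well, so the pattern (how many of a destination's connections end as 'SYN Timeout' with zero bytes, and after how long) is visible at a glance. The script below is an added example, not code from the original thread or from Cisco; it parses ASA 302014 teardown syslog messages over a few constructed sample lines that reuse the 188.8.131.52 and 184.108.40.206 addresses quoted in the post (203.0.113.10 is a TEST-NET-3 address added for contrast). The counters it produces are assumptions about what a practitioner would want to see, not ASA output.

```python
"""Summarise ASA 302014 teardown messages per destination to separate
'SYN Timeout, 0 bytes' failures (no SYN-ACK ever reached the firewall)
from connections that completed the handshake and ended normally."""
import re
from collections import defaultdict

# Constructed sample syslog lines in the %ASA-6-302013 / 302014 format.
# Not taken from the original post; the 188.8.131.52 / 184.108.40.206
# addresses are the ones the post quotes, 203.0.113.10 is TEST-NET-3.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 41001 for outside:188.8.131.52/443 (188.8.131.52/443) to inside:10.10.10.25/51001 (184.108.40.206/51001)
%ASA-6-302014: Teardown TCP connection 41001 for outside:188.8.131.52/443 to inside:10.10.10.25/51001 duration 0:00:04 bytes 18342 TCP Reset-I
%ASA-6-302013: Built outbound TCP connection 41002 for outside:188.8.131.52/443 (188.8.131.52/443) to inside:10.10.10.25/51002 (184.108.40.206/51002)
%ASA-6-302014: Teardown TCP connection 41002 for outside:188.8.131.52/443 to inside:10.10.10.25/51002 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 41003 for outside:188.8.131.52/443 (188.8.131.52/443) to inside:10.10.10.25/51003 (184.108.40.206/51003)
%ASA-6-302014: Teardown TCP connection 41003 for outside:188.8.131.52/443 to inside:10.10.10.25/51003 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 41004 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.10.10.25/51004 (184.108.40.206/51004)
%ASA-6-302014: Teardown TCP connection 41004 for outside:203.0.113.10/443 to inside:10.10.10.25/51004 duration 0:00:02 bytes 9120 TCP FINs
"""

# Matches a 302014 teardown line; the trailing free text is the reason
# (e.g. 'SYN Timeout', 'TCP Reset-I', 'TCP FINs').
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<oif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) to "
    r"(?P<iif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+).*?"
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+)\s+(?P<reason>.+?)\s*$"
)


def duration_seconds(hms: str) -> int:
    """Convert an ASA 'duration h:mm:ss' field to whole seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardowns(log_text: str) -> list:
    """Return one dict per 302014 line; Built (302013) lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["seconds"] = duration_seconds(row["dur"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def syn_timeout_summary(log_text: str) -> dict:
    """Per 'dst:port': total teardowns, how many were 'SYN Timeout' with 0 bytes
    (handshake never completed), and the longest such wait in seconds."""
    summary = defaultdict(lambda: {"total": 0, "syn_timeouts": 0, "max_wait": 0})
    for row in parse_teardowns(log_text):
        entry = summary[f"{row['dst']}:{row['dport']}"]
        entry["total"] += 1
        if row["reason"] == "SYN Timeout" and row["bytes"] == 0:
            entry["syn_timeouts"] += 1
            entry["max_wait"] = max(entry["max_wait"], row["seconds"])
    return dict(summary)


def diagnose(log_text: str, dst_key: str) -> str:
    """Plain-language reading of the counters for one destination."""
    entry = syn_timeout_summary(log_text).get(dst_key)
    if entry is None:
        return "no teardown messages for that destination"
    if entry["syn_timeouts"] == 0:
        return "all connections completed the handshake"
    return (f"{entry['syn_timeouts']}/{entry['total']} connections torn down as "
            f"SYN Timeout with 0 bytes: the ASA forwarded the SYN but never saw "
            f"a SYN-ACK within the embryonic timeout ({entry['max_wait']} s)")


if __name__ == "__main__":
    for dst, entry in syn_timeout_summary(SAMPLE_LOG).items():
        print(dst, entry)
    print(diagnose(SAMPLE_LOG, "188.8.131.52:443"))
```

Run it against an ASDM log export (or a `logging buffered` dump) filtered on the site's address instead of `SAMPLE_LOG`. The `max_wait` field is the thing to watch after raising the embryonic timeout as in the follow-up above: if the SYN-timeout teardowns simply move from 0:00:30 to 0:01:00 and still show 0 bytes, the SYN-ACK is not merely late, it is never arriving at the outside interface, which points at the path or the remote end rather than the firewall.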