Cisco Support Community
Community Member

connection not established

While troubleshooting a communication problem between two systems with a firewall in between, it was observed that there were no connections seen in the connection table (as seen usually), although regular build-up and teardown connections were seen appearing in the log.

The file transfer is not working for some reason. ASA shows the connection teardown and build-up for this, but nothing appears in the sh conn table.

In such a scenario, does it mean that the destination system isn't responding to the query, and thus even though the connection is allowed through the ASA (with rules in place), the connection table won't show it unless it is successful?

Please help me understand this and any other way to troubleshoot such problems.

Thanks in advance!

Accepted Solution

Re: connection not established

Hi,

If there are no connections showing on the ASA most likely traffic is not making its way through.

Are you using NAT, do you have ACLs restricting traffic?

Federico.

6 REPLIES

Community Member

Re: connection not established

Thanks, NAT is not involved in this case, and ACLs for the needed traffic already exist.

Re: connection not established

Aren't the connections being denied by the existing ACLs?

That would explain why you see torn down connections and why there are no connections created in the 'sh conn'.

Federico.

Community Member

Re: connection not established

Rules are configured for these connections, and there was no deny seen for this traffic.

I see the following messages when checked:

6|Jun 15 2010 12:05:13|302013: Built inbound TCP connection 12379739847776492194 for FW:10.0.122.8/3397 (10.0.122.8/3397) to WFM:10.51.100.107/443 (10.51.100.107/443)
6|Jun 15 2010 12:05:13|302014: Teardown TCP connection 12379739847776492194 for FW:10.0.122.8/3397 to WFM:10.51.100.107/443 duration 0:00:00 bytes 3715 TCP FINs

TCP FINs are sometimes seen replaced with Reset-O.

Are these kinds of build/teardown connections normal with TCP within such a short timespan?

Thanks for your help!

{EDIT}: So sh conn would only show connections if the rules are configured for the traffic, else it won't show them. Is that correct, just to understand?

Cisco Employee

Re: connection not established

Since it is already torn down, you will not see it in connections.

Even if you have allowed for the connection flow, and it is built, but if it is torn down straight away, then it will no longer be in "show connection" output.

You will need to find out why the fin or reset is happening for that specific flow.

What does the configuration look like?

Have you tried packet tracer?

You are doing https traffic. Is the traffic directed to the interface ip address of the firewall, and you have also asdm or webvpn configured for the interface?
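An added example, not from this thread or from Cisco: a small Python script that pairs the 302013 (built) and 302014 (teardown) syslog messages by connection ID and flags flows torn down within a second, which is exactly why they never show up in "show conn". The first two sample lines are the thread's own messages; the remaining four are constructed, and the "TCP Reset-O" teardown reason in them is assumed.

```python
import re

# Match the two ASA syslog IDs from the thread: 302013 (TCP connection built)
# and 302014 (TCP connection torn down), in the "sev|timestamp|id: text" form.
BUILT_RE = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\S+?:(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) to "
    r"\S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for \S+:[\d.]+/\d+ to \S+:[\d.]+/\d+ "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Constructed sample: lines 1-2 are the thread's own messages; the rest are
# made up to show a server-side reset (assumed reason text) and a healthy long-lived transfer.
SAMPLE_LOG = [
    "6|Jun 15 2010 12:05:13|302013: Built inbound TCP connection 12379739847776492194 for FW:10.0.122.8/3397 (10.0.122.8/3397) to WFM:10.51.100.107/443 (10.51.100.107/443)",
    "6|Jun 15 2010 12:05:13|302014: Teardown TCP connection 12379739847776492194 for FW:10.0.122.8/3397 to WFM:10.51.100.107/443 duration 0:00:00 bytes 3715 TCP FINs",
    "6|Jun 15 2010 12:05:14|302013: Built inbound TCP connection 12379739847776492195 for FW:10.0.122.8/3398 (10.0.122.8/3398) to WFM:10.51.100.107/443 (10.51.100.107/443)",
    "6|Jun 15 2010 12:05:14|302014: Teardown TCP connection 12379739847776492195 for FW:10.0.122.8/3398 to WFM:10.51.100.107/443 duration 0:00:00 bytes 0 TCP Reset-O",
    "6|Jun 15 2010 12:07:30|302013: Built inbound TCP connection 12379739847776492196 for FW:10.0.122.8/3399 (10.0.122.8/3399) to WFM:10.51.100.107/443 (10.51.100.107/443)",
    "6|Jun 15 2010 12:12:31|302014: Teardown TCP connection 12379739847776492196 for FW:10.0.122.8/3399 to WFM:10.51.100.107/443 duration 0:05:01 bytes 1048576 TCP FINs",
]

def duration_seconds(text):
    """Convert the ASA 'h:mm:ss' duration field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def find_short_lived(lines, max_seconds=1):
    """Pair built/teardown messages by connection ID and return the flows torn down
    within max_seconds: these never stay long enough to be listed by 'show conn'."""
    built, findings = {}, []
    for line in lines:
        b = BUILT_RE.search(line)
        if b:
            built[b.group("id")] = b.groupdict()
            continue
        t = TEARDOWN_RE.search(line)
        if not t:
            continue
        o = built.pop(t.group("id"), {})  # empty if the build message was not seen
        secs = duration_seconds(t.group("dur"))
        if secs <= max_seconds:
            findings.append({"id": t.group("id"), "src": o.get("src"), "dst": o.get("dst"),
                             "dport": o.get("dport"), "seconds": secs,
                             "bytes": int(t.group("bytes")), "reason": t.group("reason")})
    return findings
```

Feeding the real syslog stream through find_short_lived groups the immediate teardowns by reason, so a run of "TCP Reset-O" with zero bytes points at the server refusing the session rather than at the ASA dropping it.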

Community Member

Re: connection not established

Thanks for your help, the problem got resolved lately. It was related to some new process on the server which negated the connections.

Thanks again for your valuable inputs!
