
Intra-Interface-Traffic fails at first try - second try works

Hi,

We are running two ASA5550 as fail-over.

Everything works fine. But there is still a little "bug".

[...]

same-security-traffic permit intra-interface

[...]

is enabled.

Now, let's open a PostgreSQL connection from 10.10.1.22 to 10.10.1.8 (same subnet, same interface "IT").

First try (using psql for a connection), I get

[...]

11:27:56|106015|10.10.1.22|51019|10.10.1.8|5432|Deny TCP (no connection) from 10.10.1.22/51019 to 10.10.1.8/5432 flags RST  on interface IT

11:27:56|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800318 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O

11:27:56|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800318 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)

11:27:53|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800140 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O

11:27:53|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800140 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)

[...]

in the ASA log.

psql now runs into a timeout.

Starting the second try, the ASA doesn't report any packets and the connection is established.

1 REPLY
Cisco Employee

Phillip,

Based on the syslogs, the reset packet is coming from another device ("Reset-O"). The best way to troubleshoot this issue is to apply captures on the IT interface in order to track the source MAC of the reset and to get a better picture of the traffic flow.

Luis Silva

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us" http://www.cisco.com/web/partners/tools/pdihd.html
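
Added example, not part of the original thread and not Cisco tooling: a short Python script that correlates the log lines pasted in the question by connection ID and flags flows torn down with "TCP Reset-O" before any bytes passed, which gives the flow and time window to look for in the capture suggested in the reply. The pipe-delimited field layout is assumed from the pasted lines.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (newest first, as pasted).
LOG = """\
11:27:56|106015|10.10.1.22|51019|10.10.1.8|5432|Deny TCP (no connection) from 10.10.1.22/51019 to 10.10.1.8/5432 flags RST  on interface IT
11:27:56|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800318 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O
11:27:56|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800318 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)
11:27:53|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800140 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O
11:27:53|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800140 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)
"""

CONN_ID = re.compile(r"TCP connection (\d+) for")
TEARDOWN = re.compile(r"duration (\S+) bytes (\d+) (.+)$")
FIELDS = ("time", "msgid", "src", "sport", "dst", "dport", "msg")  # assumed layout

def parse(text):
    """Yield one dict per 'time|msgid|src|sport|dst|dport|message' line."""
    for line in text.splitlines():
        parts = line.strip().split("|", 6)
        if len(parts) == 7:  # skip blank or truncated lines
            yield dict(zip(FIELDS, parts))

def summarize(text):
    """Correlate 302013/302014 by connection ID; attach 106015 denies by flow."""
    conns, denies = {}, defaultdict(list)
    for ev in parse(text):
        flow = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        m = CONN_ID.search(ev["msg"])
        if ev["msgid"] == "302013" and m:
            conns.setdefault(m.group(1), {"flow": flow})["built"] = ev["time"]
        elif ev["msgid"] == "302014" and m:
            t = TEARDOWN.search(ev["msg"])
            c = conns.setdefault(m.group(1), {"flow": flow})
            if t:
                c.update(closed=ev["time"], bytes=int(t.group(2)), reason=t.group(3).strip())
        elif ev["msgid"] == "106015":
            denies[flow].append(ev["time"])  # RST seen with no matching connection
    for c in conns.values():
        c["late_rst_denies"] = denies.get(c["flow"], [])
        # The pattern in the question: built, then reset before any payload passed.
        c["reset_before_data"] = c.get("bytes") == 0 and c.get("reason") == "TCP Reset-O"
    return conns

if __name__ == "__main__":
    for cid, c in sorted(summarize(LOG).items()):
        print(cid, c)
```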