Microsoft TMG Behind Cisco ASA

We have web publishing services running through TMG, and of course it's through the Cisco firewall. 25 to 30 www services have been published so far with no issue. Recently I have noticed some weird things occurring. Meaning, I can see traffic from my ISP to my perimeter router and even in my firewall for that published web site, but the connection is not established successfully. When I enquired with the TMG team, even they did not see any traffic to it. Traffic is reaching up to the firewall. So what could be the problem? After some time it established successfully, without any human intervention.

Note: I have double-checked routing and recreated the ACL rules and NAT for that particular site.

If someone can point me in the right direction, it is much appreciated.

thanks & regards,

6 REPLIES

Microsoft TMG Behind Cisco ASA

Hello Zakid,

For this kind of scenario, where nothing makes sense, the best way to troubleshoot is via captures (as someone said: captures don't lie) so we can determine where the traffic is being denied or getting stuck.

Do a capture on the ingress and egress interfaces of the ASA to make sure it's not getting denied there.

Also, the logs from when you try to connect will be really helpful.

Regards

Julio

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Microsoft TMG Behind Cisco ASA

Thanks for the prompt reply.

Please find the capture log; real IPs are replaced with X for security reasons.

TCP outside X.X.X.X:43074 dmz1 X.X.X.X:443, idle 0:00:00, bytes 0, flags SaAB

TCP outside X.X.X.X:54833 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB

TCP outside X.X.X.X:50612 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB

TCP outside X.X.X.X:50611 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB

TCP outside X.X.X.X:50613 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB

TCP outside X.X.X.X:44097 dmz1 X.X.X.X:443, idle 0:00:01, bytes 0, flags SaAB

TCP outside X.X.X.X:27200 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB

Any findings, please?


Microsoft TMG Behind Cisco ASA

Hi,

The ASA has seen the initial TCP SYN from the host on the "outside".

But that's it.

The target host/server is not replying to that TCP SYN with a TCP SYN ACK, so the connections time out.

- Jouni
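The flag reading in the reply above can be automated. This is an added example, not code from any poster in this thread: it parses `show conn` lines in the format pasted above, decodes the handshake flags using the meanings from the ASA `show conn` flag legend, and counts inbound connections where the server never answered the SYN. The sample addresses are constructed documentation-range values, and the function names are hypothetical.

```python
import re
from collections import Counter

# Handshake-related subset of the ASA "show conn" flag legend.
FLAGS = {
    "B": "initial SYN from outside", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN", "U": "up",
    "I": "inbound data", "O": "outbound data",
}
CONN_RE = re.compile(
    r"^TCP\s+(?P<src_if>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\S+):(?P<dport>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)")

def classify(line):
    """Return a dict describing one 'show conn' TCP line, or None if unparsable."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    flags = m["flags"]
    if "U" in flags:
        state = "established"
    elif "B" in flags and "S" in flags:
        state = "server-silent"        # outside SYN seen, no SYN-ACK from inside
    elif "B" in flags and "a" in flags:
        state = "client-ack-pending"   # SYN-ACK sent back, final ACK not yet seen
    else:
        state = "other"
    h, mi, s = (int(p) for p in m["idle"].split(":"))
    return {"dst_if": m["dst_if"], "dst": f'{m["dst"]}:{m["dport"]}',
            "bytes": int(m["bytes"]), "idle": h * 3600 + mi * 60 + s,
            "state": state, "decoded": [FLAGS.get(f, f"?{f}") for f in flags]}

def silent_servers(lines):
    """Count zero-byte half-open inbound connections per (interface, server:port)."""
    hits = Counter()
    for line in lines:
        c = classify(line)
        if c and c["state"] == "server-silent" and c["bytes"] == 0:
            hits[(c["dst_if"], c["dst"])] += 1
    return dict(hits)

# Constructed sample in the same format as the output posted in this thread.
SAMPLE = """
TCP outside 198.51.100.7:43074 dmz1 192.0.2.10:443, idle 0:00:00, bytes 0, flags SaAB
TCP outside 198.51.100.7:54833 dmz1 192.0.2.10:443, idle 0:00:02, bytes 0, flags SaAB
TCP outside 198.51.100.9:50612 dmz1 192.0.2.10:443, idle 0:00:06, bytes 0, flags aB
TCP outside 198.51.100.9:50613 dmz1 192.0.2.11:443, idle 0:00:01, bytes 5120, flags UIOB
"""
if __name__ == "__main__":
    print(silent_servers(SAMPLE.splitlines()))
```

A server that keeps appearing in this count while the ASA shows no drops is the place to look next (host firewall, listener, or return routing on the published server).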

Microsoft TMG Behind Cisco ASA

Hello Zakid,

Okay, those are the logs you have, but are you sure those are the only ones related to the connection?

Do the following:

cap capout interface outside match tcp host X.X.X.X (outside client) host y.y.y.y (public IP server) eq 443

cap capin interface inside match tcp host x.x.x.x (outside client) host y.y.y.y (private IP server) eq 443

cap asp type asp-drop all circular-buffer

Then try to connect once....

Afterwards share:

show cap capin

show cap capout

show cap asp | include x.x.x.x (outside client)

Regards


Microsoft TMG Behind Cisco ASA

Zakid,

Did you find the solution for this issue? I am running into the same issue.

Thanks,

Vikas

Microsoft TMG Behind Cisco ASA

Proceed with the captures as requested in my last post.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com
