Receiving SYN Timeout on certain secure websites

A client I do work for reached out to me today with an odd issue. There are a handful of secure websites they cannot reach from one location. I checked the ASA logs and 30 seconds after the initial packet, the ASA receives a SYN timeout packet. The ACK packet doesn't show up late, so that isn't the issue. I ran a packet capture between my laptop and one of the websites and this is the result:

 

42 packets captured

   1: 15:36:43.390131       10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 15:36:43.390375       10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 15:36:43.393763       10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   4: 15:36:43.394037       10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   5: 15:36:44.631055       10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   6: 15:36:44.631360       10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   7: 15:36:44.797901       10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   8: 15:36:44.798191       10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   9: 15:36:46.393335       10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  10: 15:36:46.393610       10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  11: 15:36:47.635816       10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  12: 15:36:47.792927       10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  13: 15:36:52.390116       10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,nop,sackOK>
  14: 15:36:52.391276       10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,nop,sackOK>
  15: 15:36:53.629987       10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,nop,sackOK>
  16: 15:36:53.790944       10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,nop,sackOK>
  17: 15:37:16.036634       10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  18: 15:37:16.036924       10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  19: 15:37:16.286606       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  20: 15:37:16.286850       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  21: 15:37:19.036222       10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  22: 15:37:19.296783       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  23: 15:37:25.035215       10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,nop,sackOK>
  24: 15:37:25.296066       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,nop,sackOK>
  25: 15:37:34.983484       10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  26: 15:37:34.983744       10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  27: 15:37:37.033750       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  28: 15:37:37.034132       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  29: 15:37:37.982813       10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  30: 15:37:40.033811       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  31: 15:37:43.982630       10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,nop,sackOK>
  32: 15:37:46.033598       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,nop,sackOK>
  33: 15:38:25.398676       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  34: 15:38:25.399057       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  35: 15:38:32.206044       10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,nop,sackOK>
  36: 15:38:32.206608       10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,nop,sackOK>
  37: 15:38:32.640530       10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,nop,sackOK>
  38: 15:38:41.944988       10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  39: 15:38:41.945751       10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  40: 15:38:44.166754       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  41: 15:38:44.167563       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  42: 15:38:47.646695       10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
42 packets shown

As shown above, I don't see any packets coming back from the server. There is only one site this doesn't work for, so I am stumped. Part of me is wondering if there is a NAT issue, but if it was that, I would think the entire site would have issues accessing the internet. One other part to note: the ASA is doing a WCCP redirect to an Ironport. I did a policy trace on the Ironport and it says the site is allowed.

 

TIA for any ideas.

 

Dan 

  • Firewalling
1 REPLY
New Member

Another capture going to a different site that cannot be reached:

 

   1: 16:35:43.221393       10.100.32.78.61633 > 199.48.156.102.443: S 2887732050:2887732050(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 16:35:43.461401       10.100.32.78.61634 > 199.48.156.102.443: S 396969507:396969507(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 16:35:46.220356       10.100.32.78.61633 > 199.48.156.102.443: S 2887732050:2887732050(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   4: 16:35:46.460318       10.100.32.78.61634 > 199.48.156.102.443: S 396969507:396969507(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   5: 16:35:52.220478       10.100.32.78.61633 > 199.48.156.102.443: S 2887732050:2887732050(0) win 8192 <mss 1460,nop,nop,sackOK>
   6: 16:35:52.460074       10.100.32.78.61634 > 199.48.156.102.443: S 396969507:396969507(0) win 8192 <mss 1460,nop,nop,sackOK>

 

 

I did set up the ASA to not send requests to the Ironport for two of the sites.  The captures I have posted are from those two sites.
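
Added example, not part of the original posts: a small Python parser for ASA capture text like the output above. It groups SYNs per client flow and reports the gaps between retransmissions, whether the TCP options changed between attempts, and whether any SYN-ACK came back. The sample lines are constructed (documentation addresses), and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in ASA "show capture" text format (documentation addresses).
SAMPLE = """\
   1: 16:35:43.221393       192.0.2.10.61633 > 198.51.100.7.443: S 1000:1000(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 16:35:46.220356       192.0.2.10.61633 > 198.51.100.7.443: S 1000:1000(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 16:35:52.220478       192.0.2.10.61633 > 198.51.100.7.443: S 1000:1000(0) win 8192 <mss 1460,nop,nop,sackOK>
   4: 16:36:01.000100       192.0.2.10.61700 > 203.0.113.5.443: S 500:500(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   5: 16:36:01.020300       203.0.113.5.443 > 192.0.2.10.61700: S 900:900(0) ack 501 win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 7>
5 packets shown
"""

LINE = re.compile(
    r"^\s*\d+:\s+(\d+):(\d+):(\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\S+) \d+:\d+\(\d+\)( ack \d+)? win \d+(?: <([^>]*)>)?"
)

def summarize(capture_text):
    """Group SYNs by client flow; report retransmit gaps and whether a SYN-ACK was seen."""
    flows = defaultdict(lambda: {"times": [], "options": [], "answered": False})
    for raw in capture_text.splitlines():
        m = LINE.match(raw)
        if not m or "S" not in m.group(8):
            continue  # skips headers ("42 packets captured") and non-SYN segments
        h, mi, s, src, sport, dst, dport, _flags, ack, opts = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if ack:  # SYN-ACK: credit it to the reversed (client -> server) flow
            flows[(dst, int(dport), src, int(sport))]["answered"] = True
        else:
            f = flows[(src, int(sport), dst, int(dport))]
            f["times"].append(t)
            f["options"].append(opts or "")
    report = {}
    for key, f in flows.items():
        gaps = [round(b - a) for a, b in zip(f["times"], f["times"][1:])]
        report[key] = {
            "syns": len(f["times"]),
            "gaps_s": [g for g in gaps if g > 0],  # ignore sub-second duplicate copies
            "answered": f["answered"],
            "options_changed": len(set(f["options"])) > 1,
        }
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

A flow with several SYNs, growing gaps and `answered: False` means nothing returned on the capture point for that connection, so the next place to capture is the interface facing the server.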

 
