A client I do work for reached out to me today with an odd issue. There are a handful of secure websites they cannot reach from one location. I checked the ASA logs, and 30 seconds after the initial packet the ASA receives a SYN timeout packet. The ACK packet doesn't show up late, so that isn't the issue. I ran a packet capture between my laptop and one of the websites, and this is the result:
As shown above, I don't see any packets coming back from the server. There is only one site this doesn't work for, so I am stumped. Part of me is wondering if there is a NAT issue, but if it were that, I would think the entire site would have issues accessing the internet. One other part to note: the ASA is doing a WCCP redirect to an IronPort. I did a policy trace on the IronPort and it says the site is allowed.
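A small script to make the "nothing comes back" reading of a capture explicit. This is an added example, not the poster's capture or code: the capture summary lines are constructed for illustration (tcpdump-style "time src -> dst flags"), and the 30-second figure is the ASA's default embryonic (half-open) connection timeout, `timeout embryonic 0:00:30`, which matches the timing described in the post. It groups packets into client-to-server flows, counts SYN retransmissions, and reports flows that never received a SYN/ACK, marking whether the embryonic timeout would already have expired.

```python
"""Flag TCP connection attempts that never received a SYN/ACK.

Constructed capture summary in tcpdump-like form: time, src:port, "->",
dst:port, TCP flags ("S" = SYN, "S." = SYN/ACK, "." = ACK). These lines
are made up for the example and are not the original poster's capture.
"""

# Constructed sample: flow to 203.0.113.10 only ever sends SYNs (three
# attempts, retransmitted); flow to 198.51.100.20 completes the handshake.
CAPTURE = """\
0.000 10.1.1.50:51234 -> 203.0.113.10:443 S
3.001 10.1.1.50:51234 -> 203.0.113.10:443 S
9.002 10.1.1.50:51234 -> 203.0.113.10:443 S
0.100 10.1.1.50:51235 -> 198.51.100.20:443 S
0.130 198.51.100.20:443 -> 10.1.1.50:51235 S.
0.131 10.1.1.50:51235 -> 198.51.100.20:443 .
"""

# ASA default embryonic (half-open) connection timeout: 30 seconds
# (`timeout embryonic 0:00:30`). After this the ASA tears the flow down,
# which is the 30-second "SYN timeout" seen in the ASA log.
EMBRYONIC_TIMEOUT = 30.0


def parse_line(line):
    """Split one summary line into (timestamp, src, dst, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    return float(ts), src, dst, flags


def half_open_flows(capture_text, now=None):
    """Return client->server flows that sent a SYN but saw no SYN/ACK.

    Each result carries the first SYN time, how many SYNs were sent, and
    whether the embryonic timeout has elapsed by `now` (default: the last
    timestamp in the capture).
    """
    syn_times = {}      # (client, server) -> list of SYN timestamps
    synack_seen = set() # (client, server) keys that got a SYN/ACK back
    last_ts = 0.0
    for raw in capture_text.strip().splitlines():
        ts, src, dst, flags = parse_line(raw)
        last_ts = max(last_ts, ts)
        if flags == "S":
            syn_times.setdefault((src, dst), []).append(ts)
        elif flags == "S.":
            # SYN/ACK travels server->client; key it by the client->server flow.
            synack_seen.add((dst, src))
    end = last_ts if now is None else now
    result = []
    for (client, server), times in syn_times.items():
        if (client, server) in synack_seen:
            continue
        first = min(times)
        result.append({
            "client": client,
            "server": server,
            "first_syn": first,
            "syn_count": len(times),
            "timed_out": (end - first) >= EMBRYONIC_TIMEOUT,
        })
    return result


if __name__ == "__main__":
    for flow in half_open_flows(CAPTURE, now=31.0):
        print(f"{flow['client']} -> {flow['server']}: {flow['syn_count']} SYN(s), "
              f"no SYN/ACK, embryonic timeout expired={flow['timed_out']}")
```

Running it against a real capture is a matter of feeding the script the same five-field summary; any flow it lists is one where the SYN/ACK never arrived at the capture point, which is the symptom the post describes. Whether the SYN never left the firewall, was dropped upstream, or was redirected elsewhere by WCCP cannot be told from this vantage point alone; a second capture on the ASA's outside interface is needed to distinguish those cases.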