Cisco Support Community
Community Member

RST,ACK capture on ASA

I have set up a capture on our ASA. We are trying to connect across a VPN tunnel with a certain app and it won't connect.

We can telnet and SSH to the device across the tunnel OK. It is just this one app that won't start.

I have a capture set up on the inside interface of our ASA and what I see are SYN packets leaving the device on our inside interface, and RST, ACK packets coming back from the device on the remote side of the tunnel.

The egress connection attempt from the device on the inside network tries the connection using a destination port of 4000. Does this mean that the device on the other end of the tunnel is not listening on port 4000?

Cisco Employee

Re: RST,ACK capture on ASA

Are you capturing the SYN and the RST on the remote ASA inside interface that is close to the server that you are talking to on port 4000?

If yes, then probably that's it.

A RST is sent by the device because it is not listening, or there is an IPS inline, or a FW that spoofs that RST.

I hope it helps.


Community Member

Re: RST,ACK capture on ASA

Well, there is no remote ASA. On the remote end there is something called a digi box. It uses a wireless broadband card to connect to the Internet, and has ethernet ports on the other side. I don't think there is any way to do a packet capture on the other end to answer your question.

Cisco Employee

Re: RST,ACK capture on ASA

(in)ASA-----remote device----server

So the capture is taken on the ASA "in" port, and it shows SYN and RST?

Where is the VPN tunnel terminated? If it is L2L and there is some ASA in the middle that terminates it, can that ASA do packet captures closest to the server to prove our point for the RST?

What does the ASA say in its logs? Does it say "Connection torn down due to RST-O"? That is enough to say that the RST is sent from the remote side.
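The two checks suggested in this thread, reading the SYN/RST pairs in the ASA capture and reading the teardown reason in the ASA log, can be scripted. The example below is added here and is not code from the thread or from Cisco: it pairs each outbound SYN in text laid out like `show capture` output with the first packet the far end sends back, classifies the attempt as open (SYN/ACK), refused (RST/ACK, i.e. nothing listening on the port or an inline device injecting the reset) or no reply (SYN dropped in transit), and reports which side sent the reset from a teardown syslog line. The capture lines, the syslog line, the addresses and the assumption that the teardown reason reads `TCP Reset-O` / `TCP Reset-I` are all constructed for the example.

```python
"""Classify TCP connection attempts seen in ASA-style capture text.

Added example (not from the original thread). Sample capture and syslog
lines below are constructed; addresses come from documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of "show capture <name>" on an ASA.
# Two attempts to port 4000 are reset, one to port 22 completes, one to
# port 8443 gets no answer at all.
SAMPLE_CAPTURE = """\
1: 10:15:01.000100 192.0.2.10.51234 > 198.51.100.7.4000: S 1000:1000(0) win 8192 <mss 1460>
2: 10:15:01.020400 198.51.100.7.4000 > 192.0.2.10.51234: R 0:0(0) ack 1001 win 0
3: 10:15:02.000100 192.0.2.10.51235 > 198.51.100.7.4000: S 2000:2000(0) win 8192 <mss 1460>
4: 10:15:02.021000 198.51.100.7.4000 > 192.0.2.10.51235: R 0:0(0) ack 2001 win 0
5: 10:15:03.000100 192.0.2.10.51236 > 198.51.100.7.22: S 3000:3000(0) win 8192 <mss 1460>
6: 10:15:03.025000 198.51.100.7.22 > 192.0.2.10.51236: S 9000:9000(0) ack 3001 win 65535 <mss 1380>
7: 10:15:04.000100 192.0.2.10.51237 > 198.51.100.7.8443: S 4000:4000(0) win 8192 <mss 1460>
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPF.]+)\s+(?P<rest>.*)$"
)


@dataclass
class Attempt:
    client: str
    cport: int
    server: str
    sport: int
    reply: Optional[str] = None  # flags of the first packet back, e.g. "R/ACK"


def parse_capture(text: str) -> List[Attempt]:
    """Pair each outbound bare SYN with the first packet the peer sends back."""
    attempts: Dict[tuple, Attempt] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, acked = m["flags"], " ack " in f" {m['rest']} "
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if flags == "S" and not acked:  # bare SYN: a new connection attempt
            attempts.setdefault((src, sport, dst, dport), Attempt(src, sport, dst, dport))
            continue
        a = attempts.get((dst, dport, src, sport))  # reply flows server -> client
        if a is not None and a.reply is None:
            a.reply = flags + ("/ACK" if acked else "")
    return list(attempts.values())


def classify(a: Attempt) -> str:
    if a.reply is None:
        return "no_reply"  # SYN dropped in transit, or the server never saw it
    if a.reply == "S/ACK":
        return "open"  # handshake answered: something is listening on the port
    if a.reply.startswith("R"):
        # RST/ACK from the server's address: no listener on that port, or a
        # firewall/IPS in the path answering on its behalf.
        return "refused"
    return "other"


def summarize(text: str) -> Dict[str, Dict[str, int]]:
    """Per destination 'ip:port', count attempts by outcome."""
    out: Dict[str, Dict[str, int]] = {}
    for a in parse_capture(text):
        key = f"{a.server}:{a.sport}"
        counts = out.setdefault(
            key, {"attempts": 0, "open": 0, "refused": 0, "no_reply": 0, "other": 0}
        )
        counts["attempts"] += 1
        counts[classify(a)] += 1
    return out


# Constructed teardown syslog line; the assumed reason text is "TCP Reset-O"
# (reset received from the outside interface) or "TCP Reset-I" (from inside).
SAMPLE_SYSLOG = (
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/4000 "
    "to inside:192.0.2.10/51234 duration 0:00:00 bytes 0 TCP Reset-O"
)


def reset_origin(syslog_line: str) -> Optional[str]:
    """Which side sent the RST, according to the ASA's teardown reason."""
    if "Reset-O" in syslog_line or "RST-O" in syslog_line:
        return "outside"  # the reset came from the far side of the tunnel
    if "Reset-I" in syslog_line or "RST-I" in syslog_line:
        return "inside"
    return None


if __name__ == "__main__":
    for dest, counts in summarize(SAMPLE_CAPTURE).items():
        print(dest, counts)
    print("reset came from:", reset_origin(SAMPLE_SYSLOG))
```

Run against a real `show capture` dump, a destination that is counted only under `refused` while other ports on the same host show `open` points at the listener (or an inline device in front of it) rather than at the tunnel; a port counted under `no_reply` points at a drop somewhere in the path instead.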


Community Member

Re: RST,ACK capture on ASA

The digi box on the remote side actually works as a tunnel end point. It is a site to site tunnel.

The device on the in interface of the ASA is located @ The device we are talking to and attempting to get to connect on port 4000 is at

In the trace file captured on the in interface on the ASA, you see send a SYN. The device at always sends a "RST,ACK". This happens over and over again.

Re: RST,ACK capture on ASA

If the firewall is forwarding the SYN and it's getting a reset, there is nothing that you can do in the ASA. Can you take captures on the server with Ethereal or Wireshark to see if the packets are hitting the server?
