Cisco Support Community

New Member

SYN ACK error

Hi folks, hoping someone out there can point out why I am having a few difficulties on my network.

We have 2 separate internet connections protected by ASA Firewalls, one in our main datacenter and another in our DR datacenter. I have drawn a very simplistic diagram at http://postimg.org/image/qcmrulnrx/, please take a look.

I have a problem when I try to translate one of our public IP addresses being routed to our site B firewall. Say I have a website on server A, internal address 192.168.12.51.

I want to make it publicly available via one of the IPs currently routed to our DR firewall, so I create a rule to Xlate from 118.220.X.X to 192.168.12.51.

However, when I try to initiate a connection from an external machine (say 68.232.X.X) and examine the traffic using ASDM, I can see the built inbound TCP connection from the public IP to the internal IP is OK. But when I then filter based on the internal IP of the server, I can see the SYN timeout error:

Teardown TCP connection 20738497 for outside:68.232.X.X/40717 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout

When I change the Public IP to one being routed to Firewall A, it works with no issues.

A couple of important points, which could be affecting this (perhaps there is a circular routing issue here?):

  • The Catalyst 3750 has a default route to pass any traffic that it doesn't have a routing table entry for to the firewall in site A
  • Server A's default gateway is the VLAN12 interface on the Catalyst 3750
  • The Catalyst 3650 (site B) has some static routes in there to route the 118.220.X.X/29 network to Firewall B (19.168.201.20)

It's probably something very simple, any ideas?
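As a triage aid added here (it is not from the thread or from Cisco), the following Python parses ASA-style "Teardown TCP connection" messages like the one quoted above and counts, per inside host and port, the teardowns that ended in a zero-byte SYN Timeout, i.e. connections that were built but whose handshake never completed. The log sample is constructed: the first line is the one in the question (public address masked as posted), the others are made-up lines with invented connection IDs for contrast.

```python
import re
from collections import Counter

# Constructed sample in the format of ASA %ASA-6-302014 teardown messages.
# Line 1 is the one quoted in the question; the rest are invented for contrast.
SAMPLE_LOG = """\
Teardown TCP connection 20738497 for outside:68.232.X.X/40717 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 20738512 for outside:68.232.X.X/40718 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 20738530 for outside:68.232.X.X/40719 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 20738601 for outside:68.232.X.X/40720 to inside:192.168.12.60/443 duration 0:00:05 bytes 7321 TCP FINs
Teardown TCP connection 20738644 for outside:68.232.X.X/40721 to inside:192.168.12.60/443 duration 0:00:01 bytes 0 TCP Reset-O
"""

# Fields of a teardown line: conn id, src if:ip/port, dst if:ip/port, duration, bytes, reason.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_teardown(line: str):
    """Return a dict of the teardown fields, or None if the line is not one."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("id", "sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def classify(rec: dict) -> str:
    """Coarse reason buckets; a 0-byte SYN Timeout means the SYN was built by
    the firewall but no SYN-ACK/ACK ever traversed it in return."""
    if rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
        return "half-open"
    if rec["reason"].startswith("TCP Reset"):
        return "reset"
    if rec["reason"] == "TCP FINs":
        return "normal-close"
    return "other"


def half_open_by_inside_host(log_text: str) -> dict:
    """Count half-open teardowns keyed by (inside IP, port). A host whose
    inbound connections only ever end this way is a candidate for a
    return-path (asymmetric routing) problem rather than a blocked port."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_teardown(line)
        if rec and classify(rec) == "half-open":
            counts[(rec["dst"], rec["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for host_port, n in half_open_by_inside_host(SAMPLE_LOG).items():
        print(f"{host_port[0]}:{host_port[1]} -> {n} half-open (0-byte SYN Timeout) teardowns")
```

Because every teardown for 192.168.12.51:80 is a half-open one while other inside hosts close normally, the counter points at a per-host path problem, which is the direction the reply below takes.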

1 REPLY
Super Bronze

SYN ACK error

Hi,

Your problem is most likely asymmetric routing.

If your server at Site A has its default route towards the Site A firewall and you are trying to NAT the server to a Site B public IP address, this is what will happen:

  • A user on the Internet connects to the Site B public IP address of Site A server
  • The TCP connection's SYN arrives at the server at Site A
  • Site A server replies with TCP SYN ACK but sends this through Site A local firewall
  • Site A firewall blocks the TCP SYN ACK with a message "Deny (no connection)" or something to that direction.

In other words the server can't negotiate the TCP connection up since there is asymmetric routing. To use the Site B public IP address for the Site A server you would probably have to configure some kind of Policy Based Routing on the Site A LAN router to forward the server's traffic to Site B while the rest of the server network at Site A uses its normal Site A default gateway.

- Jouni
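The following is an added example, not code from the thread or from Cisco: a small Python model of the path the reply describes. Two stateful firewalls share one LAN, the server at Site A is statically NATted behind a Site B public IP, and the LAN router sends everything to Site A by default. Running it once without and once with a per-source PBR entry shows the SYN-ACK hitting the wrong firewall ("Deny (no connection)") and Site B's half-open entry aging out, versus the handshake completing. Only 192.168.12.51 and the 0:00:30 / bytes 0 teardown text come from the thread; the public and client addresses are RFC 5737 documentation addresses standing in for 118.220.X.X and 68.232.X.X, and the firewall behaviour is a simplified model of an ASA conn table.

```python
from dataclasses import dataclass, field

SERVER = "192.168.12.51"      # inside address from the thread
PUBLIC_B = "203.0.113.10"     # constructed stand-in for the Site B public IP (118.220.X.X)
CLIENT = "198.51.100.7"       # constructed stand-in for the Internet client (68.232.X.X)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Simplified ASA-like box: a static NAT table and a connection table."""
    name: str
    static_nat: dict = field(default_factory=dict)   # public IP -> inside IP
    conns: set = field(default_factory=set)          # (client, cport, inside, port)
    log: list = field(default_factory=list)

    def inbound(self, pkt: Packet):
        """Internet -> inside. A SYN to a NATted public IP builds a conn entry;
        any other segment must match an existing entry or is dropped."""
        inside = self.static_nat.get(pkt.dst)
        if inside is None:
            self.log.append(f"{self.name}: no translation for {pkt.dst}, dropped")
            return None
        key = (pkt.src, pkt.sport, inside, pkt.dport)
        if pkt.flags == "SYN":
            self.conns.add(key)
            self.log.append(f"{self.name}: Built inbound TCP connection for "
                            f"outside:{pkt.src}/{pkt.sport} to inside:{inside}/{pkt.dport}")
        elif key not in self.conns:
            self.log.append(f"{self.name}: Deny TCP (no connection) from "
                            f"{pkt.src}/{pkt.sport} to {inside}/{pkt.dport}")
            return None
        return Packet(pkt.src, pkt.sport, inside, pkt.dport, pkt.flags)

    def outbound(self, pkt: Packet):
        """Inside -> Internet. The reply is forwarded (and un-NATted) only if this
        firewall built the connection from the inbound SYN; otherwise it is the
        'Deny (no connection)' case the reply describes."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.conns:
            self.log.append(f"{self.name}: Deny TCP (no connection) from inside:"
                            f"{pkt.src}/{pkt.sport} to outside:{pkt.dst}/{pkt.dport} "
                            f"flags {pkt.flags}")
            return None
        public = next((p for p, i in self.static_nat.items() if i == pkt.src), pkt.src)
        return Packet(public, pkt.sport, pkt.dst, pkt.dport, pkt.flags)


@dataclass
class LanRouter:
    """The Catalyst's role: default route to FW-A plus optional PBR entries that
    send a given source host to a different next hop."""
    default_gw: StatefulFirewall
    pbr: dict = field(default_factory=dict)          # source IP -> firewall

    def next_hop(self, pkt: Packet) -> StatefulFirewall:
        return self.pbr.get(pkt.src, self.default_gw)


def simulate(pbr_enabled: bool) -> dict:
    """Run one inbound handshake attempt; return whether it completed, which
    firewall the SYN-ACK left through, and the combined firewall log."""
    fw_a = StatefulFirewall("FW-A")                              # Site A: no NAT for the server
    fw_b = StatefulFirewall("FW-B", static_nat={PUBLIC_B: SERVER})
    lan = LanRouter(fw_a, pbr={SERVER: fw_b} if pbr_enabled else {})

    # 1. Client SYN arrives at the Site B public IP; FW-B translates and builds the conn.
    to_server = fw_b.inbound(Packet(CLIENT, 40717, PUBLIC_B, 80, "SYN"))
    if to_server is None or to_server.dst != SERVER:
        raise RuntimeError("inbound NAT failed")

    # 2. Server answers SYN-ACK via its default gateway; the LAN router picks the exit.
    syn_ack = Packet(SERVER, 80, CLIENT, 40717, "SYN-ACK")
    exit_fw = lan.next_hop(syn_ack)
    if exit_fw.outbound(syn_ack) is None:
        # FW-B's half-open entry ages out: the 30 s, 0-byte SYN Timeout teardown.
        fw_b.log.append("FW-B: Teardown TCP connection ... duration 0:00:30 bytes 0 SYN Timeout")
        return {"handshake": False, "exit": exit_fw.name, "log": fw_a.log + fw_b.log}

    # 3. Client ACK completes the handshake through FW-B's existing entry.
    done = fw_b.inbound(Packet(CLIENT, 40717, PUBLIC_B, 80, "ACK")) is not None
    return {"handshake": done, "exit": exit_fw.name, "log": fw_a.log + fw_b.log}


if __name__ == "__main__":
    for pbr in (False, True):
        result = simulate(pbr)
        print(f"PBR {'on ' if pbr else 'off'}: handshake={result['handshake']} "
              f"(SYN-ACK left via {result['exit']})")
        for line in result["log"]:
            print("   ", line)
```

The PBR entry in the model keys on the server's source address only; on a real LAN router you would scope it to traffic from the server towards the Internet so that Site A's local subnets still reach the server directly.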
