SYN ACK error

Nick Currie
Level 1

Hi folks, hoping someone out there can point out why I am having a few difficulties on my network.

We have 2 separate internet connections protected by ASA Firewalls, one in our main datacenter and another in our DR datacenter. I have drawn a very simplistic diagram at http://postimg.org/image/qcmrulnrx/ please take a look.

I have a problem when I try to translate one of our public IP addresses being routed to our site B firewall. Say I have a website on server A, internal address 192.168.12.51.

I want to make it publicly available via one of the IPs currently routed to our DR firewall, so I create a rule to Xlate from 118.220.X.X to 192.168.12.51.

However, when I try to initiate a connection from an external machine - say 68.232.X.X - and examine the traffic using ASDM, I can see the built inbound TCP connection from the public IP to the internal IP is OK. But when I then filter based on the internal IP of the server I can see the SYN timeout error.

Teardown TCP connection 20738497 for outside:68.232.X.X/40717 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout

When I change the Public IP to one being routed to Firewall A, it works with no issues.

A couple of important points which could be affecting this (perhaps there is a circular routing issue here?):

The Catalyst 3750 has a default route to pass any traffic that it doesn't have a routing table entry for to the firewall in site A.

Server A's default gateway is the VLAN12 interface on the Catalyst 3750.

The Catalyst 3650 (site B) has some static routes in there to route the 118.220.X.X/29 network to Firewall B (19.168.201.20).

It's probably something very simple, any ideas?

1 Reply

Jouni Forss
VIP Alumni

Hi,

Your problem is most likely asymmetric routing.

If your server at Site A has its default route towards the Site A firewall and you are trying to NAT the server to a Site B public IP address, this is what will happen:

  • A user on the Internet connects to the Site B public IP address of Site A server
  • The TCP connection's TCP SYN arrives on the server at Site A
  • Site A server replies with TCP SYN ACK but sends this through Site A local firewall
  • Site A firewall blocks the TCP SYN ACK with a message "Deny (no connection)" or something to that direction.

In other words, the server can't negotiate the TCP connection up since there is asymmetric routing. To use the Site B public IP address for the Site A server you would probably have to configure some kind of Policy Based Routing on the Site A LAN router to forward the server's traffic to Site B while the rest of the server network at Site A uses its normal Site A default gateway.

- Jouni
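As an added illustration of the policy-based routing Jouni describes (this is not configuration from the thread, and it is not Cisco's documented config for this network): on the Site A Catalyst 3750, which holds the VLAN12 gateway for 192.168.12.51, a route-map steers only the server's Internet-bound packets toward Site B, so its SYN/ACKs leave through the same firewall that built the connection, while the rest of VLAN12 keeps the Site A default route. The next-hop 192.0.2.1 is a placeholder for the 3750's directly connected next hop toward Site B, and the RFC 1918 deny entries are an assumption so that the server's internal traffic is not diverted.

```ios
! Catalyst 3750: PBR is only available under the routing SDM template
! (takes effect after a reload)
sdm prefer routing
!
! Match only Server A's traffic to non-private (Internet) destinations;
! internal traffic falls through to the normal routing table
ip access-list extended SERVER-A-INTERNET
 deny   ip host 192.168.12.51 10.0.0.0 0.255.255.255
 deny   ip host 192.168.12.51 172.16.0.0 0.15.255.255
 deny   ip host 192.168.12.51 192.168.0.0 0.0.255.255
 permit ip host 192.168.12.51 any
!
! Placeholder next hop: replace 192.0.2.1 with the 3750's directly
! connected next hop toward Site B (the path leading to Firewall B)
route-map PBR-SERVER-A-VIA-SITE-B permit 10
 match ip address SERVER-A-INTERNET
 set ip next-hop 192.0.2.1
!
! Apply on the SVI that is Server A's default gateway
interface Vlan12
 ip policy route-map PBR-SERVER-A-VIA-SITE-B
```

`show route-map PBR-SERVER-A-VIA-SITE-B` shows the policy match counters climbing when the server replies; once the SYN/ACK reaches Firewall B, the connection should build normally instead of being torn down with "SYN Timeout".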
