07-08-2013 12:52 PM - edited 03-11-2019 07:09 PM
Hi Everyone,
User is able to open up webpage from PC.
But it just shows connection as connecting and just sits there.
sh conn shows
TCP outside 71.x.x.x:443 X 192.168.50.24:59983, idle 0:00:19, bytes 6067, flags UIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59988, idle 0:00:00, bytes 15372, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59988, idle 0:00:01, bytes 15372, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59987, idle 0:00:19, bytes 25414, flags UIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59986, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59985, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59984, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59983, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59983, idle 0:00:05, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:60003, idle 0:00:00, bytes 0, flags saA
Logs show
%ASA-6-106015: Deny TCP (no connection) from 192.168.50.24/59895 to 71.x.x.x/443 flags PSH ACK on interface X
%ASA-6-302014: Teardown TCP connection 55056246 for outside:71.x.x.x/443 to X:192.168.50.24/59895 duration 0:00:00 bytes 193 Flow closed by inspection
%ASA-4-507003: tcp flow from X:192.168.50.24/59895 to outside:71.x.x.x/443 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
%ASA-6-302013: Built outbound TCP connection 55056246 for outside:71.x.x.x/443 (71.x.x.x/443) to X:192.168.50.24/59895 (210.x.x.x/58989)
%ASA-6-305011: Built dynamic TCP translation from X:192.168.50.24/59895 to outside:210.x.x.x/58989
%ASA-6-302014: Teardown TCP connection 55056243 for outside:71.x.x.x/443 to X:192.168.50.24/59894 duration 0:00:00 bytes 185 Flow closed by inspection
%ASA-4-507003: tcp flow from X:192.168.50.24/59894 to outside:71.x.x.x/443 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
%ASA-6-302013: Built outbound TCP connection 55056243 for outside:71.x.x.x/443 (71.x.x.x/443) to X:192.168.50.24/59894 (210.x.x.x/6659)
%ASA-6-305011: Built dynamic TCP translation from X:192.168.50.24/59894 to outside:210.x.x.x/6659
Where X is interface of ASA
71.x.x.x is webpage IP
192.168.x.x. is PC IP
210.x.x.x is user PC NAT IP
Need to know if the issue is with the FW config?
Regards
Mahesh
07-08-2013 01:03 PM
Hi Mahesh,
I am not quite sure what is happening there.
At least there are connections which are fully formed TCP connections through the firewall.
However, some of the log messages are ones that I have not seen. I would imagine that you might have something on the ASA that does filtering for HTTPS also?
If so, then it would look like this is perhaps causing problems with the connections. It does also seem, according to the logs, that the ASA is terminating the connections.
- Jouni
07-08-2013 01:09 PM
Hi Jouni,
Yes, we have a filtering device on the ASA.
I will check on that.
Regards
Mahesh
07-08-2013 02:39 PM
Hi Jouni,
It was the filtering device which was blocking the connection.
Regards
Mahesh
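An added example (not part of the thread and not Cisco code): a small Python parser that correlates the 302014, 507003 and 304002 lines from the original post, showing that the connection torn down with "Flow closed by inspection" lines up with a URL-filter denial for the same client and server. The function name `diagnose` and the regular expressions are assumptions derived only from the log lines shown in the post.

```python
import re
from collections import defaultdict

# Sample lines copied from the original post (addresses masked as posted).
SAMPLE = """\
%ASA-6-302014: Teardown TCP connection 55056246 for outside:71.x.x.x/443 to X:192.168.50.24/59895 duration 0:00:00 bytes 193 Flow closed by inspection
%ASA-4-507003: tcp flow from X:192.168.50.24/59895 to outside:71.x.x.x/443 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
%ASA-6-302013: Built outbound TCP connection 55056246 for outside:71.x.x.x/443 (71.x.x.x/443) to X:192.168.50.24/59895 (210.x.x.x/58989)
"""

EP = r"[^:\s]+:([^/\s]+)/(\d+)"  # interface:address/port
# In the teardown lines on this page the server endpoint comes first.
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for " + EP +
                      " to " + EP + r" duration \S+ bytes (\d+) (.+)$")
URL_DENY = re.compile(r"%ASA-5-304002: Access denied URL (\S+) SRC (\S+) DEST (\S+)")
INSPECT_RST = re.compile(r"%ASA-4-507003: tcp flow from " + EP + " to " + EP +
                         " terminated by inspection engine")

def diagnose(log_text):
    """Return one finding per connection closed with 'Flow closed by inspection'."""
    denied = defaultdict(set)  # (client_ip, server_ip) -> denied URLs
    resets = set()             # (client_ip, client_port, server_ip, server_port)
    teardowns = []
    # Collect everything first: the posted log is newest-first, so order varies.
    for line in log_text.splitlines():
        if m := URL_DENY.search(line):
            url, src, dst = m.groups()
            denied[(src, dst)].add(url)
        elif m := INSPECT_RST.search(line):
            resets.add(m.groups())
        elif m := TEARDOWN.search(line):
            teardowns.append(m.groups())
    findings = []
    for conn, srv_ip, srv_port, cli_ip, cli_port, nbytes, reason in teardowns:
        if reason.strip() != "Flow closed by inspection":
            continue
        findings.append({
            "conn": conn,
            "client": f"{cli_ip}/{cli_port}",
            "server": f"{srv_ip}/{srv_port}",
            "bytes": int(nbytes),
            "inspector_reset": (cli_ip, cli_port, srv_ip, srv_port) in resets,
            "denied_urls": sorted(denied.get((cli_ip, srv_ip), ())),
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A finding with `inspector_reset` true and a non-empty `denied_urls` list points at the URL filtering policy rather than at ACLs or NAT, which matches what the thread concluded.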