Unable to access website via ASA

mahesh18
Level 6

Hi Everyone,

User is able to open up webpage from PC.

But it just shows connection as connecting and just sits there.


sh conn shows

TCP outside 71.x.x.x:443 X 192.168.50.24:59983, idle 0:00:19, bytes 6067, flags UIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59988, idle 0:00:00, bytes 15372, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59988, idle 0:00:01, bytes 15372, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59987, idle 0:00:19, bytes 25414, flags UIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59986, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59985, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59984, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59983, idle 0:00:01, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:59983, idle 0:00:05, bytes 6104, flags UFRIO
TCP outside 71.x.x.x:443 X 192.168.50.24:60003, idle 0:00:00, bytes 0, flags saA

Logs show


%ASA-6-106015: Deny TCP (no connection) from 192.168.50.24/59895 to 71.x.x.x/443 flags PSH ACK  on interface X
%ASA-6-302014: Teardown TCP connection 55056246 for outside:71.x.x.x/443 to X:192.168.50.24/59895 duration 0:00:00 bytes 193 Flow closed by inspection
%ASA-4-507003: tcp flow from X:192.168.50.24/59895 to outside:71.x.x.x/443 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
%ASA-6-302013: Built outbound TCP connection 55056246 for outside:71.x.x.x/443 (71.x.x.x/443) to X:192.168.50.24/59895 (210.x.x.x/58989)
%ASA-6-305011: Built dynamic TCP translation from X:192.168.50.24/59895 to outside:210.x.x.x/58989
%ASA-6-302014: Teardown TCP connection 55056243 for outside:71.x.x.x/443 to X:192.168.50.24/59894 duration 0:00:00 bytes 185 Flow closed by inspection
%ASA-4-507003: tcp flow from X:192.168.50.24/59894 to outside:71.x.x.x/443 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
%ASA-6-302013: Built outbound TCP connection 55056243 for outside:71.x.x.x/443 (71.x.x.x/443) to X:192.168.50.24/59894 (210.x.x.x/6659)
%ASA-6-305011: Built dynamic TCP translation from X:192.168.50.24/59894 to outside:210.x.x.x/6659

Where X is the interface of the ASA

71.x.x.x is the webpage IP

192.168.x.x is the PC IP

210.x.x.x is the user PC NAT IP

Seems to know if issue is with FW config?

Regards

Mahesh

Accepted Solutions

Jouni Forss
VIP Alumni

Hi Mahesh,

I am not quite sure what is happening there.

At least there are connections which are fully formed TCP connections through the firewall.

However, some of the log messages are ones that I have not seen. I would imagine that you might have something on the ASA that does filtering for HTTPS also?

If so, then it would look like this is perhaps causing problems with the connections. It does also seem, according to the logs, that the ASA is terminating the connections.

- Jouni

3 Replies

Hi Jouni,

Yes, we have a filtering device on the ASA.

I will check on that.

Regards

Mahesh

Hi Jouni,

It was the filtering device which was blocking the connection.

Regards

Mahesh
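
Added example, not part of the thread or any poster's code: a small Python triage script that ties each "Flow closed by inspection" teardown (302014) in the syslog above to the "Access denied URL" entry (304002) for the same client and server, and counts the 106015 "no connection" drops that follow the teardown. The function name `diagnose` is hypothetical, and the regexes assume only the IPv4 message layouts shown in the post.

```python
import re
from collections import defaultdict

# Syslog lines copied from the post above (addresses were already masked there).
SAMPLE = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.50.24/59895 to 71.x.x.x/443 flags PSH ACK  on interface X
%ASA-6-302014: Teardown TCP connection 55056246 for outside:71.x.x.x/443 to X:192.168.50.24/59895 duration 0:00:00 bytes 193 Flow closed by inspection
%ASA-4-507003: tcp flow from X:192.168.50.24/59895 to outside:71.x.x.x/443 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
%ASA-6-302014: Teardown TCP connection 55056243 for outside:71.x.x.x/443 to X:192.168.50.24/59894 duration 0:00:00 bytes 185 Flow closed by inspection
%ASA-5-304002: Access denied URL https://71.x.x.x/ SRC 192.168.50.24 DEST 71.x.x.x on interface X
"""

TEARDOWN = re.compile(r"%ASA-\d-302014: Teardown TCP connection (\d+) for [^:]+:([^/]+)/(\d+) "
                      r"to [^:]+:([^/]+)/(\d+) duration \S+ bytes (\d+) (.*)")
URL_DENY = re.compile(r"%ASA-\d-304002: Access denied URL (\S+) SRC (\S+) DEST (\S+)")
NO_CONN = re.compile(r"%ASA-\d-106015: Deny TCP \(no connection\) from ([^/]+)/(\d+) to ([^/]+)/(\d+)")


def diagnose(text):
    """Return flows closed by inspection, each with the URL denials logged for its endpoints."""
    denied = defaultdict(set)   # (client, server) -> URLs refused; 304002 carries no ports
    stray = defaultdict(int)    # (client, cport, server, sport) -> packets with no connection
    closed = []
    for line in text.splitlines():  # order-independent: the post lists newest entries first
        if m := URL_DENY.search(line):
            denied[(m[2], m[3])].add(m[1])
        elif m := NO_CONN.search(line):
            stray[(m[1], m[2], m[3], m[4])] += 1
        elif m := TEARDOWN.search(line):
            closed.append(m.groups())
    findings = []
    for conn, server, sport, client, cport, nbytes, reason in closed:
        if "inspection" not in reason:
            continue            # ordinary FIN/RST teardowns are not of interest here
        findings.append({
            "conn": conn, "client": f"{client}/{cport}", "server": f"{server}/{sport}",
            "bytes": int(nbytes),
            "denied_urls": sorted(denied.get((client, server), ())),
            "late_packets": stray.get((client, cport, server, sport), 0),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        cause = "URL denial logged" if f["denied_urls"] else "no URL denial logged"
        print(f"conn {f['conn']} {f['client']} -> {f['server']}: {cause} {f['denied_urls']}, "
              f"{f['late_packets']} packet(s) dropped after teardown")
```

A flow that appears with a non-empty `denied_urls` list points at the filtering policy rather than the ACL or NAT configuration; the 106015 entries are the client's remaining packets arriving after the ASA has already removed the connection.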
