Access to web server from outside

mstrizich
Level 1

I'm trying to establish a connection to my internal web server on port 443 from the outside interface. The log shows the following info: "Built inbound tcp connection 73 for faddr x.x.x.x/1931 gaddr y.y.y.y/443 laddr/443". About 2:30 seconds after the connection is established a tear down message appears. No web page is ever displayed in my browser. Any ideas on what I misconfigured?

3 Replies

David White
Cisco Employee

The teardown message should indicate why the connection was torn down. I would use that as a starting point.

Also, you can check the connection flags for the connection after it is built with "show conn". The flags are at the very end of the connection. You should see "UIO" - meaning the connection is Up, and receiving Inbound data and Outbound data.

You may see sAa - indicating the SYN went through, but not the SYN+ACK. In this case, I would check for asymmetrical routing.

Hope that helps.

David.

Hey David, I actually see a SaAB at the end of the connection. Does this point to asymmetrical routing problems as well?

Mike

Hi Mike,

Yes, it indicates that the PIX received a SYN packet on the outside interface, but never received a SYN+ACK back on the inside interface (the B means the connection was initiated from the outside). Asymmetric routing is usually the cause. Another possibility is that the server just isn't responding.

Hope that helps,

David.