topic Re: CISCO ASA 5512 - TCP Syn Timeout in Network Security

CISCO ASA 5512 - TCP Syn Timeout

jsishodia — Fri, 21 Feb 2020 16:19:29 GMT

Source is getting SYN,ACK from destination but rather than sending final SYN it sends Host Unreaachable.

Capture attached.

Kindly advise.

Thanks

Re: CISCO ASA 5512 - TCP Syn Timeout

balaji.bandi — Thu, 04 Oct 2018 21:04:09 GMT

Can you post the configuration to review.

Re: CISCO ASA 5512 - TCP Syn Timeout

Ajay Saini — Sun, 07 Oct 2018 07:15:18 GMT

Hello,

Where were these captures taken? These host unreachable icmp error indicates that the end host is not either reachable through some router in between the path (could be a firewall) or the host does not have a default gateway configured. In your case, the syn packet goes out fine. We need to identify where these captures were taken and find out if Unreachable was sent out by the host itself or some layer 3 device in between.

https://www.savvius.com/networking-glossary/tcp_ip_overview/icmp/unreachable/

HTH
AJ

Re: CISCO ASA 5512 - TCP Syn Timeout

jsishodia — Sun, 07 Oct 2018 10:10:05 GMT

Hi Ajay

Topology is like ASA 1 -> ASA 2 - > Host

Am doing a TCP ping from ASA 1 outside interface to Host , the capture is of inside interface ASA 1

ASA 1 is translatign the IPs are per NAT rule properly. as it should.

The comm is like

ASA sends SYN

Host Sends SYN,ACK

Then the 3rd packet is sent of unreachable to host ...

So issue is on ASA 1 I think...becuase host is responding I have taken capture on ASA 1 & 2 both ...host sends SYN, ACK

but from ASA 1 sends unreachable in place SYN ...

Attached is the caputre of outside interface..

Thanks

Re: CISCO ASA 5512 - TCP Syn Timeout

Ajay Saini — Sun, 07 Oct 2018 10:18:05 GMT

So, you are doing a tcp based ping from ASA1 , is that correct? or the ping is from a host behind the ASA1?

Can you provide the command that you are issuing on the ASA1 or the host to run this ping.

Re: CISCO ASA 5512 - TCP Syn Timeout

jsishodia — Sun, 07 Oct 2018 17:39:09 GMT

Hi Ajay

Yes, That is correct.

I am doign TCP based ping from ASA 1 and am doing it from ASDM ->Tools-> Ping

By giving source interface and IP.

Thanks

Re: CISCO ASA 5512 - TCP Syn Timeout

Ajay Saini — Mon, 08 Oct 2018 06:58:05 GMT

Ah, if you are trying to ping outside ip addresses sourced from inside interface of ASA, it will never work. Thats ASA design, you should source the interface of ASA which has the route towards the destination to be pinged.

HTH
AJ

Re: CISCO ASA 5512 - TCP Syn Timeout

jsishodia — Mon, 08 Oct 2018 08:48:03 GMT

Hi Ajay

That is what am doing from OUTSIDE to INSIDE

Thanks

Re: CISCO ASA 5512 - TCP Syn Timeout

Ajay Saini — Mon, 08 Oct 2018 08:57:48 GMT

Hello,

So, this wont work for across the interface if you want to source from ASA interface or ping to the ASA interface when not connected to the interface.

HTH
AJ

Re: CISCO ASA 5512 - TCP Syn Timeout

jsishodia — Mon, 08 Oct 2018 09:20:34 GMT

hi Ajay

Outside interface is connected to MPLS network where actual source resides.

So inspite of asking the actual source to try again and again am trying to investigate this issue by creating a TCP connection from ASA itself by taking outside interface as source using the source IP ... which woks fine till SYN,ACK but it sends 3rd packet as unreachable ...

Thanks

Re: CISCO ASA 5512 - TCP Syn Timeout

Ajay Saini — Tue, 09 Oct 2018 05:44:00 GMT

Since ASA does not own that ip address, thats a valid reason why it should be sending the host unreachable error message.

Ideally, in a router scenario, you would have created a loopback interface and tested, but ASA won't be as friendly as you want it to be. I would suggest looking for alternatives.

HTH
AJ