topic Hi, F,S,R,P are the tcp flags in Network Security

troubleshooting fwsm

bluesea2010 — Tue, 12 Mar 2019 06:44:43 GMT

Hi ,

I have some services running behind fwsm . sometimes i am not able to connect to the services behind fwsm .

for example services running port 8888,i have permitted icmp .but i cant ping the interface ip. (192.168.111.1) .

server behind fwsm are in ZoneA . source network are 10.0.10.0/20.(sh run attached)

how can i troubleshoot . since sometimes icmp are also blocking , how can i make sure traffic hitting the firewall .

Thanks

1.Create an ACLaccess-list

prasmura — Wed, 14 Oct 2015 09:08:29 GMT

1.Create an ACL
access-list cap extended permit ip host x.x.x.x host y.y.y.y

x.x.x.x = Source
y.y.y.y = Destination

2. enable captures on the interface where you want to check if the traffic is hitting,

For example if you want to check on zoneA,
capture capin interface zoneA access-list cap

3. initiate from traffic between the source and destination.

4. check the captures with the following command,

show cap capin

5. You should be able to see the interested traffic if it is hitting the interface.

Hi, Thanks for the reply .I

bluesea2010 — Sat, 17 Oct 2015 12:34:01 GMT

Hi,

Thanks for the reply .

I took the below excerpts from the capture file , what tag 'F','R','S',P means ?

944: 11:10:33.437654434 802.1Q vlan#2 P0 10.0.15.183.50624 > 192.168.111.81.8446: . ack 2538599256 win 4095 <nop,nop,timestamp 859232921[|tcp]>
945: 11:10:33.437654434 802.1Q vlan#2 P0 10.0.15.183.50624 > 192.168.111.81.8446: . ack 2538599309 win 4094 <nop,nop,timestamp 859232921[|tcp]>
946: 11:10:33.437654434 802.1Q vlan#2 P0 10.0.15.183.50624 > 192.168.111.81.8446: F 2951293550:2951293550(0) ack 2538599309 win 4096 <nop,nop,timestamp 859232921[|tcp]>
947: 11:10:33.437654434 802.1Q vlan#2 P0 10.0.15.183.50622 > 192.168.111.81.8446: R 1287941973:1287941973(0) win 0
948: 11:10:33.437654434 802.1Q vlan#2 P0 10.0.15.183.50624 > 192.168.111.81.8446: R 2951293551:2951293551(0) win 0
949: 11:10:33.437654644 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: S 2299287858:2299287858(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,[|tcp]>
950: 11:10:33.437654644 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: . ack 386543146 win 4117 <nop,nop,timestamp 859233124[|tcp]>
951: 11:10:33.437654644 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: P 2299287859:2299288082(223) ack 386543146 win 4117 <nop,nop,timestamp 859233124[|tcp]>
952: 11:10:33.437654644 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: . ack 386544070 win 4088 <nop,nop,timestamp 859233125[|tcp]>
953: 11:10:33.437654644 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: P 2299288082:2299288408(326) ack 386544070 win 4096 <nop,nop,timestamp 859233125[|tcp]>
954: 11:10:33.437654654 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: . ack 386544076 win 4095 <nop,nop,timestamp 859233134[|tcp]>
955: 11:10:33.437654654 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: . ack 386544129 win 4094 <nop,nop,timestamp 859233134[|tcp]>
956: 11:10:33.437654654 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: F 2299288408:2299288408(0) ack 386544129 win 4096 <nop,nop,timestamp 859233135[|tcp]>
957: 11:10:33.437654654 802.1Q vlan#2 P0 10.0.15.183.50627 > 192.168.111.81.8446: S 1019481838:1019481838(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,[|tcp]>
958: 11:10:33.437654654 802.1Q vlan#2 P0 10.0.15.183.50626 > 192.168.111.81.8446: R 2299288409:2299288409(0) win 0

Thanks again

Hi, F,S,R,P are the tcp flags

Rishabh Seth — Sun, 18 Oct 2015 05:46:51 GMT

Hi,

F,S,R,P are the tcp flags.

F= FIN

S= SYN

R=RESET

P=PUSH

The captures suggest that the 10.0.15.183 is closing the connection as you can see the FIN flag in the TCP stream.

>> Did you capture bi-directional traffic?

>> Are these captures taken on the ingress or egress interface?

>> If you see traffic on ingress and egress interface then it means firewall is permitting the traffic, try to troubleshoot the application on client end.

Share your findings.

Thanks,

R.Seth