topic Re: Error Reset-O Reset-I in Network Security

Error Reset-O Reset-I

MarcoM — Tue, 12 Mar 2019 03:21:01 GMT

Hi all,

i have a strange error on my ASA5515-X and I can not understand what can be.

I natted server-mail with services https:

object network Owa_10.0.1.4

host 10.0.1.4

object network Owa_10.0.1.4

nat (INSIDE,OUTSIDE) static interface service tcp https https

access-list INSIDE_access_in extended permit ip any any

access-list OUTSIDE_access_in extended permit ip any any

access-group INSIDE_access_in in interface INSIDE

access-group OUTSIDE_access_in in interface OUTSIDE

interface GigabitEthernet0/0

nameif INSIDE

security-level 100

ip address 10.0.1.254 255.255.0.0

interface GigabitEthernet0/1

nameif OUTSIDE

security-level 0

ip address 217.5x.xxx.xxx 255.255.255.240

If i send a mail from inside to outside mail reaches the receiver, if mail is sent from outside (such as from @Gmail.com to internal mailbox) mail does not arrive. Attached there are logs with TCP Reset-O.

what could be the issue? I have something wrong in the configuration?

Thanks in advance.

Error Reset-O Reset-I

johflore — Fri, 20 Dec 2013 23:01:54 GMT

Hello Marco,

Your configuration looks all right, I would say "permit ip any any"

is okay on this case for troubleshooting purposes but do not remember later change rules on outside and only allow services you need to. Besides your configuration is fine. Also in log provided connection looks okay from firewall perspective.

Here is meaning of Reset-O and Reset-I according title on this post:

- TCP Reset-I - The client tear down the connection (typical in an SMTP or IMAP exchange -I = inside interface).

- TCP Reset-O - The server was not listening on that protocol at that time (usually seen as coming from SMTP servers -O = Outside interface).

I would suggest you to check if server is listening on ports required (netstat works on this), run some captures on your server maybe using wireshark in order to confirm if server is resetting connection and check out for incoming traffic.

Run some captures on the firewall in order to confirm the reset is comming from Outside.

capture inside interface inside match tcp any host 10.0.1.4 eq 443

capture outside interface outside match tcp any host 217.5x.xxx.xxx eq 443

capture asp type asp all >>> in order to check packets firewall has dropped.

show capture asp | inc 10.0.1.4

show capture asp | inc 217.5x.xxx.xxx.443

show capture inside >>>> check for tcp reset flag (R)

Captures:

https://supportforums.cisco.com/docs/DOC-17345

Jhn

Error Reset-O Reset-I

MarcoM — Sat, 21 Dec 2013 21:33:57 GMT

Hi Jhn,

thanks a lot for reply.

Sure my acl any\any is only for this stage of troubleshhoting 🙂

Later i will check on server mail with "netstat" commant for listening ports.

I take this opportunity to ask you: if i nat service https server mail on same ip address of outside interface of firewall, and if i setup a vpn anyconnect it may not work right? (overlaps https anyconnect\server mail)

Paste configuration of Anyconnect Vpn:

interface GigabitEthernet0/1

nameif OUTSIDE

security-level 0

ip address 217.56.23.190 255.255.255.240

crypto ikev2 enable OUTSIDE

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

webvpn

enable OUTSIDE

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1

anyconnect profiles VpnAnyConnect_client_profile disk0:/VpnAnyConnect_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_VpnAnyConnect internal

group-policy GroupPolicy_VpnAnyConnect attributes

wins-server none

dns-server value 10.0.1.2 10.0.1.9

vpn-tunnel-protocol ikev2

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Reti_Interne

default-domain value bdossf.local

webvpn

anyconnect profiles value VpnAnyConnect_client_profile type user

tunnel-group VpnAnyConnect type remote-access

tunnel-group VpnAnyConnect general-attributes

address-pool PoolVpnAnyConnect

authentication-server-group RADIUS

default-group-policy GroupPolicy_VpnAnyConnect

tunnel-group VpnAnyConnect webvpn-attributes

group-alias VpnAnyConnect enable

I should change port of AnyConnect? or do anything else?

Thanks.

Re: Error Reset-O Reset-I

MarcoM — Sun, 22 Dec 2013 07:51:45 GMT

Hi Jhn,

i attached output of command "netstat" of server mail.

Let me know if you can.

Thanks.

Re: Error Reset-O Reset-I

Julio Carvajal — Mon, 23 Dec 2013 19:10:54 GMT

Hello,

Yes, the Anyconnect will use port 443 (this is used as it will be open on almost any location) but if you want to forward traffc to a internal webserver while having this configuration then you are in troubles.

Proposed Configuration

config te

webbpn

no enable outside

port 442

enable outside

exit

write mem

Looking for some Networking assistance?? Contact me at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com