<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic SYN ACK error in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/syn-ack-error/m-p/2347951#M344883</link>
<description>&lt;P&gt;Hi folks, hoping someone out there can point out why I am having a few difficulties on my network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have 2 separate internet connections protected by ASA Firewalls, one in our main datacenter and another in our DR datacenter. I have drawn a very simplistic diagram at &lt;SPAN style="font-size: 10pt;"&gt;&lt;A href="http://postimg.org/image/qcmrulnrx/" target="_blank"&gt;http://postimg.org/image/qcmrulnrx/&lt;/A&gt; &lt;/SPAN&gt;&lt;SPAN style="font-size: 10pt;"&gt;please take a look.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;I have a problem when I try to translate one of our public IP addresses being routed to our site B firewall. Say I have a website on server A, internal address 192.168.12.51. &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;I want to make it publicly available via one of the IPs currently routed to our DR firewall, so I create a rule to Xlate from 118.220.X.X to 192.168.12.51.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;However, when I try to initiate a connection from an external machine - say &lt;/SPAN&gt;&lt;SPAN style="font-size: 10pt;"&gt;68.232.X.X - and &lt;/SPAN&gt;&lt;SPAN style="font-size: 10pt;"&gt;examine the traffic using ASDM, I can see the built inbound TCP connection from the public IP to the internal IP is OK. But when I then filter based on the internal IP of the server, I can see the SYN timeout error.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Teardown TCP connection 20738497 for outside:68.232.X.X/40717 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When I change the public IP to one being routed to Firewall A, it works with no issues.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;A couple of important points which could be affecting this (perhaps there is a circular routing issue here?):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Catalyst 3750 has a default route to pass any traffic that it doesn't have a routing table entry for to the firewall in site A.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Server A's default gateway is the VLAN12 interface on the Catalyst 3750.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Catalyst 3650 (site B) has some static routes in there to route the 118.220.X.X/29 network to Firewall B (19.168.201.20).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's probably something very simple, any ideas?&lt;/P&gt;</description>
    <pubDate>Tue, 12 Mar 2019 02:24:26 GMT</pubDate>
    <dc:creator>Nick Currie</dc:creator>
    <dc:date>2019-03-12T02:24:26Z</dc:date>
    <item>
      <title>SYN ACK error</title>
      <link>https://community.cisco.com/t5/network-security/syn-ack-error/m-p/2347951#M344883</link>
<description>&lt;P&gt;Hi folks, hoping someone out there can point out why I am having a few difficulties on my network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have 2 separate internet connections protected by ASA Firewalls, one in our main datacenter and another in our DR datacenter. I have drawn a very simplistic diagram at &lt;SPAN style="font-size: 10pt;"&gt;&lt;A href="http://postimg.org/image/qcmrulnrx/" target="_blank"&gt;http://postimg.org/image/qcmrulnrx/&lt;/A&gt; &lt;/SPAN&gt;&lt;SPAN style="font-size: 10pt;"&gt;please take a look.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;I have a problem when I try to translate one of our public IP addresses being routed to our site B firewall. Say I have a website on server A, internal address 192.168.12.51. &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;I want to make it publicly available via one of the IPs currently routed to our DR firewall, so I create a rule to Xlate from 118.220.X.X to 192.168.12.51.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;However, when I try to initiate a connection from an external machine - say &lt;/SPAN&gt;&lt;SPAN style="font-size: 10pt;"&gt;68.232.X.X - and &lt;/SPAN&gt;&lt;SPAN style="font-size: 10pt;"&gt;examine the traffic using ASDM, I can see the built inbound TCP connection from the public IP to the internal IP is OK. But when I then filter based on the internal IP of the server, I can see the SYN timeout error.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Teardown TCP connection 20738497 for outside:68.232.X.X/40717 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When I change the public IP to one being routed to Firewall A, it works with no issues.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;A couple of important points which could be affecting this (perhaps there is a circular routing issue here?):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Catalyst 3750 has a default route to pass any traffic that it doesn't have a routing table entry for to the firewall in site A.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Server A's default gateway is the VLAN12 interface on the Catalyst 3750.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Catalyst 3650 (site B) has some static routes in there to route the 118.220.X.X/29 network to Firewall B (19.168.201.20).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's probably something very simple, any ideas?&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 02:24:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/syn-ack-error/m-p/2347951#M344883</guid>
      <dc:creator>Nick Currie</dc:creator>
      <dc:date>2019-03-12T02:24:26Z</dc:date>
    </item>
    <item>
      <title>SYN ACK error</title>
      <link>https://community.cisco.com/t5/network-security/syn-ack-error/m-p/2347952#M344884</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your problem is most likely asymmetric routing.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If your server at Site A has its default route towards the Site A firewall and you are trying to NAT the server to a Site B public IP address, this is what will happen:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;A user on the Internet connects to the Site B public IP address of the Site A server&lt;/LI&gt;&lt;LI&gt;The TCP connection's TCP SYN arrives on the server at Site A&lt;/LI&gt;&lt;LI&gt;The Site A server replies with a TCP SYN ACK but sends this through the Site A local firewall&lt;/LI&gt;&lt;LI&gt;The Site A firewall blocks the TCP SYN ACK with a message "Deny (no connection)" or something to that effect.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In other words, the server can't negotiate the TCP connection up since there is asymmetric routing. To use the Site B public IP address for the Site A server you would probably have to configure some kind of Policy Based Routing on the Site A LAN router to forward the server's traffic to Site B while the rest of the server network at Site A uses its normal Site A default gateway.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Aug 2013 07:05:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/syn-ack-error/m-p/2347952#M344884</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-08-12T07:05:36Z</dc:date>
    </item>
  </channel>
</rss>