topic TCP Reset -I, O and ACK while accessing https site in Network Security

TCP Reset -I, O and ACK while accessing https site

mahesh18 — Tue, 12 Mar 2019 01:44:49 GMT

Hi All,

I was trying to open some https website from my pc.

When i open it browser shows internet explorer can not open the page.

Here are the logs

Deny TCP (no connection) from 200.x.x.x/443 to 201.x.x.x/42452 flags ACK on interface outside

Teardown TCP connection 21045292 for outside:200.x.x.x/443 to Net:192.168.50.107/62551 duration 0:00:22 bytes 146 TCP Reset-I

Teardown TCP connection 21045294 for outside:200.x.x.x/443 to Net:192.168.50.107/62552 duration 0:00:00 bytes 58 TCP Reset-O

192.168.50.107 Accessed URL 200.x.x.x:https://200.x.x.x/

Built outbound TCP connection 21045291 for outside:200.x.x.x/443 (200.x.x.x/443) to Net:192.168.50.107/62550 (201.x.x.x/17887)

access-list Net_01 permitted tcp Net/192.168.50.107(62550) -> outside/200.x.x.x(443) hit-cnt 1 first hit [0x880712ea, 0x0]

Where 192.168.50 is PC IP

Website IP is 200.x.x.

where 201.x.x.x is Public IP of PC

Log shows all the TCP resets like from outside and inside .

Need to know if issue is from this website or it is issue with our ASA?

thanks

mahesh

TCP Reset -I, O and ACK while accessing https site

Luis Silva Benavides — Thu, 16 May 2013 23:08:19 GMT

Mahesh,

Could you please place a capture on the inside and outside interface?

Luis Silva

TCP Reset -I, O and ACK while accessing https site

mahesh18 — Thu, 16 May 2013 23:23:39 GMT

Hi Luis,

Its on the production network so i have to get permission on this first.

When you say to take capture is this ACL ok for this

access-list Inside extended permit tcp host 192.168.50.107 host 200.x.x.x eq 443 log

access-list Inside extended permit tcp host 200.x.x.x eq 443 host 192.168.50.107 log

access-group Inside in interface inside

then for outside interface i can do this

access-group Inside in interface outside

Will this ACL work and is direction for inside to outside is ok?

There is no other way to tell it is issue with ASA or remote website?

Thanks

Mahesh

TCP Reset -I, O and ACK while accessing https site

Luis Silva Benavides — Thu, 16 May 2013 23:48:09 GMT

Hi,

I actually asking you to use the capture command available on the ASA

Please refer to this information:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Luis Silva

Re: TCP Reset -I, O and ACK while accessing https site

mahesh18 — Fri, 17 May 2013 01:11:59 GMT

Hi Luis,

I was unable to use the ASDM it was not capturing anything.

Anyway i tried to open same site from my home network and i was unable to open it.

so this shows issue with website as now i tried from my home network.

I did packet capture from CLI on my home ASA.

I attached the file under original post.

Let me know what you find in the packet capture?

PC IP 192.168.52.5

Outside interface of ASA 192.168.11.2

Website 200.x.x.x/443

Thanks

Message was edited by: mahesh parmar

Re: TCP Reset -I, O and ACK while accessing https site

Luis Silva Benavides — Fri, 17 May 2013 23:09:31 GMT

Mahesh,

Based on the inside capture you provided I noticed that most of the times the remote server is resetting the connection and you can see an example below:

325: 18:43:59.078334 802.1Q vlan#1 P0 200.x.x.x.443 > 192.168.52.5.3278: R 3245272791:3245272791(0) ack 4261117805 win 9818

The fact the you are also unable to access the site from home confirms that the issue shoudn't be related to the ASA

Thanks,

Luis Silva

TCP Reset -I, O and ACK while accessing https site

mahesh18 — Sat, 18 May 2013 00:03:32 GMT

Hi Luis,

When you say the remote server is resetting the connection -- what do you look in above line that shows it is Reset

does the R shows it is Reset?

Also 200.x.x.x>192.168.52.5 does this shows that it is remote server is resetting the connection?

Thanks

Mahesh

TCP Reset -I, O and ACK while accessing https site

Luis Silva Benavides — Sat, 18 May 2013 00:07:33 GMT

Hi,

Yes, the R is for Reset so when you read the capture you can notice that the first IP address is the one that generates the RST (reset) packet and the second IP address is where the packet is going, in your case the internal IP address.

When say the remote server I mean the web site

Luis Silva

TCP Reset -I, O and ACK while accessing https site

mahesh18 — Sat, 18 May 2013 04:24:25 GMT

Hi Luis,

Many thanks for all the help

Mahesh