https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237690#M350425 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>This indeed seems like an issue with remote device (if it is directly connected), either device not listening on 27000 or incorrect DG on device. In a nutshell, there is no response seen to initial SYN sent by client.</P><P></P><P>Apply captures on ingress and egress and that should clarify this.</P><P></P><P>-</P><P>Sourav</P></BODY></HTML> Mon, 06 May 2013 20:35:56 GMT sokakkar 2013-05-06T20:35:56Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237689#M350424 <P>hi everyone,</P><P></P><P>unable to connect to device on port 27000.</P><P>here are logs</P><P></P><P>: %ASA-6-302013: Built inbound TCP connection 69552007 for X:172.x.x.x/64755 (172.x.x.x/64755) to Y:172.x.x.x/27000 (172.x.x.x/27000)</P><P>%ASA-6-302014: Teardown TCP connection 69550694 for X:172.x.x.x/64753 to Y:172.x.x.x/27000 duration 0:00:30 bytes 0 SYN Timeout</P><P></P><P>i am coming from x to y interface of asa.</P><P>need to confirm if the issue is from remote&nbsp; device?</P><P></P><P>ASA&nbsp; log shows hit counts&nbsp; while connected to server.</P><P>but for return traffic there are no hit counts?</P><P></P><P>Thanks</P><P>mahesh</P> Tue, 12 Mar 2019 01:39:32 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237689#M350424 mahesh18 2019-03-12T01:39:32Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237690#M350425 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>This indeed seems like an issue with remote device (if it is directly connected), either device not listening on 27000 or incorrect DG on device. In a nutshell, there is no response seen to initial SYN sent by client.</P><P></P><P>Apply captures on ingress and egress and that should clarify this.</P><P></P><P>-</P><P>Sourav</P></BODY></HTML> Mon, 06 May 2013 20:35:56 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237690#M350425 sokakkar 2013-05-06T20:35:56Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237691#M350426 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>With regards to the mentioned log messages would seem that the host isnt responding to the first message that starts the TCP connection negotiation.</P><P></P><P>Also with regards to the ACL hitcount. Only the ACL from where the original connection forming comes from gets a hitcount. The return traffic doesnt generate any hitcount.</P><P></P><P>For example in this case the connection from X generates hitcount on the X access-list. IF there was return traffic then it wouldnt produce any hits on the interface Y ACL</P><P></P><P>As the ASA is a statefull device you dont have to open traffic to both direction. Just the initial direction of the connection forming.</P><P></P><P>I would start by checking the host to which you are trying to connect to for any problems.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 06 May 2013 20:36:00 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237691#M350426 Jouni Forss 2013-05-06T20:36:00Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237692#M350427 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>This remote device has return to interface x on some specfic port.</P><P>Say we have acl to open&nbsp; port 2700 and xyz on the ASA.</P><P></P><P>where&nbsp; port 2700 is connection to device and&nbsp; port xyz is the return traffic coming from that device.</P><P>Hope makes sense.</P><P></P><P>thanks for confirming that issue seems to be with remote device.</P><P></P><P>Regards</P><P>Mahesh</P></BODY></HTML> Mon, 06 May 2013 20:40:39 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237692#M350427 mahesh18 2013-05-06T20:40:39Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237693#M350428 <HTML><HEAD></HEAD><BODY><P> hi sourav,</P><P></P><P>Thanks for confirming this that issue is with remote device.</P><P>Can you please let me know what config&nbsp; i need to apply for packet captures?</P><P></P><P>Thanks</P><P></P><P>mahesh</P></BODY></HTML> Mon, 06 May 2013 20:42:06 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237693#M350428 mahesh18 2013-05-06T20:42:06Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237694#M350429 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am not sure if I understood you correctly.</P><P></P><P>But in a nutshell, you only open ports in the interface ACL behind which the connections are initiated from. You wont have to take into account the return traffic of that said connection.</P><P></P><P>If both devices open/initiate connections then you naturally have to allow connections on both ACLs. But to be honest there arent that many situations where you would run into this.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 06 May 2013 20:43:34 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237694#M350429 Jouni Forss 2013-05-06T20:43:34Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237695#M350430 <HTML><HEAD></HEAD><BODY><P>Mahesh,</P><P></P><P>Check these links which explains captures in detail:</P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-17345">https://supportforums.cisco.com/docs/DOC-17345</A></P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-17814">https://supportforums.cisco.com/docs/DOC-17814</A></P><P></P><P>-</P><P>Sourav</P></BODY></HTML> Mon, 06 May 2013 20:46:06 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237695#M350430 sokakkar 2013-05-06T20:46:06Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237696#M350431 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can configure the capture with</P><P></P><P><STRONG>access-list CAPTURE permit ip host <X host=""> host <Y host=""></Y></X></STRONG></P><P><STRONG>access-list CAPTURE permit ip host <Y host=""> host <X host=""></X></Y></STRONG></P><P></P><P><STRONG>capture CAPTURE type raw-data access-list CAPTURE interface X buffer 5000000 circular-buffer</STRONG></P><P></P><P>You can use the command</P><P></P><P><STRONG>show capture</STRONG></P><P></P><P>To see if any traffic has hit the capture</P><P></P><P>You can use the command</P><P></P><P><STRONG>show capture CAPTURE</STRONG></P><P></P><P>To view the contents of the capture</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 06 May 2013 20:46:40 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237696#M350431 Jouni Forss 2013-05-06T20:46:40Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237697#M350432 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>We open two&nbsp; ports on ASA&nbsp; for user to access the remote device.</P><P>on one port connection is build and on other&nbsp; port as per user return traffic comes so thats why second&nbsp; port is needed.</P><P></P><P>Regards</P><P>Mahesh</P></BODY></HTML> Mon, 06 May 2013 20:48:19 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237697#M350432 mahesh18 2013-05-06T20:48:19Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237698#M350433 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>i will do that and will update you.</P><P></P><P>thanks</P><P>mahesh</P></BODY></HTML> Mon, 06 May 2013 20:49:34 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237698#M350433 mahesh18 2013-05-06T20:49:34Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237699#M350434 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Tomorrow i will test with Packet capture as the access to device is not working can you tell me what info i should look into</P><P>when i run sh capture name?</P><P></P><P>As output can be long?</P><P></P><P>Thanks</P><P></P><P>MAhesh</P></BODY></HTML> Wed, 15 May 2013 01:04:29 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237699#M350434 mahesh18 2013-05-15T01:04:29Z https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237700#M350437 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>Issue is fixed now.</P><P>It was routing issue.</P><P></P><P>Regards</P><P></P><P>MAhesh</P></BODY></HTML> Thu, 16 May 2013 18:03:46 GMT https://community.cisco.com/t5/network-security/unable-to-connect-to-remote-device/m-p/2237700#M350437 mahesh18 2013-05-16T18:03:46Z