https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021630#M396537 <HTML><HEAD></HEAD><BODY><P>On the other hand,</P><P></P><P>If looking from local problems, the only one I can think of right now (related to the ASA firewall) is that there is some problem with NAT. For example the connection is getting NATed to wrong NAT IP address which isnt either allowed at the remote end or the NAT IP isnt routable in the network where the connection is destined (For example L2L VPNs)</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 29 Oct 2012 19:18:07 GMT Jouni Forss 2012-10-29T19:18:07Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021624#M396526 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hi Everyone,</P><P></P><P>If i see fw logs and it has SYN timeout does it always give us indication that issue is at remote end?</P><P>i was trying to open vendor site and fw log shows SYN timeout.</P><P></P><P>Does SYN timeout indicate if issue is Local site</P><P></P><P>Thanks</P><P>Mahesh</P> Tue, 12 Mar 2019 00:15:40 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021624#M396526 mahesh18 2019-03-12T00:15:40Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021625#M396528 <HTML><HEAD></HEAD><BODY><P>Hello Mahesh,</P><P></P><P>That log leads&nbsp; us to think the other host is not replying back to us or the SYN-ACK&nbsp; is getting lost on the internet,</P><P></P><P>You could run some captures on the ASA so to make sure you are not receiveing the SYN-ACK,</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Mon, 29 Oct 2012 18:41:19 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021625#M396528 Julio Carvajal 2012-10-29T18:41:19Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021626#M396529 <HTML><HEAD></HEAD><BODY><P> Hi Julio,</P><P></P><P>If other host is working ok then&nbsp; we should see&nbsp; syn ack&nbsp; in logs to confirm our connection is established with remote host right?</P><P></P><P>Thanks</P><P>Mahesh</P></BODY></HTML> Mon, 29 Oct 2012 19:00:55 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021626#M396529 mahesh18 2012-10-29T19:00:55Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021627#M396533 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Most of the cases (that I've run into) this has been an indication of problem at the remote end. (Well regarding the local firewall it can only be about some remote device since it doesnt see the SYN ACK)</P><P></P><P>Problems can be:</P><P></P><UL><LI>Connection is blocked by a remote firewall or firewall somewhere in between</LI><LI>Connection is blocked by the remote hosts own firewall (software)</LI><LI>Connections SYN arrives to the remote host but a routing problem exists which forward the SYN ACK in a wrong way.</LI><LI>Theres an outage in the remote end service you are trying to reach</LI><LI>Some other equipment is filtering the traffic in between</LI></UL><P></P><P>And as Julio said, packet capture is the best way to determine what is happening. You can do this either on ASA or straight on your own computer with Wireshark for example.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 29 Oct 2012 19:03:29 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021627#M396533 Jouni Forss 2012-10-29T19:03:29Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021628#M396535 <HTML><HEAD></HEAD><BODY><P>The actual SYN ACK wont show in any firewall logs. Only in packet captures.</P><P></P><P>When the ASA firewall sees a SYN coming from the host initiating the connection it will show the log message starting with "Built outbound TCP connection......" (Provided the connection has been allowed by the firewall)</P><P></P><P>To see if the connection got a SYN ACK from the remote host you will need to check the connections state with "show conn" command for example.</P><P></P><P>You should see something like this</P><P></P><P>TCP WAN 173.x.x.x:443 LAN 10.0.0.10:49517, idle 0:00:15, bytes 45295, flags UIO</P><P></P><P>The flags at the end will tell you in the above case that the connection is U = UP, I = has inbound data, O = has outbound data.</P><P></P><P>To get more info about the different "flags" use the command "show conn detail". At the very start it will list all the "flags"</P><P></P><P>Also as you have seen the message "Teardown TCP connection...:." ending with SYN Timeout reason will tell you that the SYN ACK hasnt been received. The same can also be determined with "show conn" command. With a remote host not responding the flags will naturally be different from the above working situation.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 29 Oct 2012 19:11:20 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021628#M396535 Jouni Forss 2012-10-29T19:11:20Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021629#M396536 <HTML><HEAD></HEAD><BODY><P>Hello Mahesh,</P><P></P><P>You should create captures to confirm if you are receiving the SYN-ack</P><P></P><P>capture capin interface inside match tcp host&nbsp; inside_local_ host _ip&nbsp; host&nbsp; outside_host_ip eq tcp_destination_port</P><P>capture capout interface outside match tcp host inside_global_host_ip host outside_host_ip eq tcp_destination_port</P><P></P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Mon, 29 Oct 2012 19:15:03 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021629#M396536 Julio Carvajal 2012-10-29T19:15:03Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021630#M396537 <HTML><HEAD></HEAD><BODY><P>On the other hand,</P><P></P><P>If looking from local problems, the only one I can think of right now (related to the ASA firewall) is that there is some problem with NAT. For example the connection is getting NATed to wrong NAT IP address which isnt either allowed at the remote end or the NAT IP isnt routable in the network where the connection is destined (For example L2L VPNs)</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 29 Oct 2012 19:18:07 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021630#M396537 Jouni Forss 2012-10-29T19:18:07Z https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021631#M396538 <HTML><HEAD></HEAD><BODY><P> Hi Joulio &amp; Jouni,</P><P></P><P>You did very good explanation on&nbsp; SYN Timeout.</P><P>I confirmed with vendor that issue is at there side.</P><P></P><P>Best regards</P><P>Mahesh</P></BODY></HTML> Mon, 29 Oct 2012 19:33:46 GMT https://community.cisco.com/t5/network-security/does-syn-timeout-always-tell-if-issue-is-at-remote-end/m-p/2021631#M396538 mahesh18 2012-10-29T19:33:46Z