https://community.cisco.com/t5/network-security/teardown-tcp-connection-0-syn-timeout/m-p/3414920#M950949 <P>Hello everyone:</P> <P>I am pretty new and I am becoming crazy with something is suposed to be easy, so thanks in advance.</P> <P>I´ll try to explain the scenario:</P> <P>We have a business lan with ip range (10.154.X.X/22 ) and wireless lan(192.168.2.0/24)&nbsp;</P> <P>This environment is connected to a Cisco ASA firewall 1</P> <P>This cisco ASA is connected with ip 172.16.1.100 in the outside interface to a dummy switch</P> <P>this switch is connected to a secondary firewall 2 with outside ip 172.16.1.1</P> <P>in the inside interface the IP is 190.167.0.1</P> <P>in this last LAN we have a Webserver with IP 190.16.0.34</P> <P>&nbsp;</P> <P>-----Business LAN----- FIREWALL1--(172.16.1.100)----------SWITCH-----------(172.16.1.1)--FIREWALL2--(190.167.0.1)--------WEBSERVER(190.167.0.34)</P> <P>&nbsp;</P> <P>Unfortunately the Webserver was designed in an isolated environement and the IP is public, that is why there is a NAT in Firewall 1 to translate 10.154.X.97 to 190.167.0.34</P> <P>The Wireless network (192.168.2.0) works fine and is able to see the webserver using the NAT address (10.154.X.97) but unfortunately Wired network is not able to reach the webserver or even ping it. I receive the following&nbsp; traces:</P> <TABLE> <TBODY> <TR> <TD> <P>6&nbsp;&nbsp; &nbsp;Jul 12 2018&nbsp;&nbsp; &nbsp;20:10:57&nbsp;&nbsp;&nbsp;</P> </TD> <TD> <P>&nbsp;10.154.X.X &nbsp;&nbsp; 51394&nbsp;&nbsp; &nbsp;190.167.0.34&nbsp;&nbsp; &nbsp;443&nbsp;&nbsp; &nbsp;Built inbound TCP connection 219863 for outside:10.154.X.X/51394 (10.154.X.X/51394) to PlantLan:190.167.0.34/443 (190.167.0.34/443)</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD> <P>6&nbsp;&nbsp; &nbsp;Jul 12 2018&nbsp;&nbsp; &nbsp;20:11:06&nbsp;&nbsp;&nbsp;</P> </TD> <TD> <P>&nbsp;10.154.X.X&nbsp;&nbsp;&nbsp; 51392&nbsp;&nbsp; &nbsp;190.167.0.34&nbsp;&nbsp; &nbsp;443&nbsp;&nbsp; &nbsp;Teardown TCP connection 219862 for outside:10.154.X.X/51392 to PlantLan:190.167.0.34/443 duration 0:00:30 bytes 0 SYN Timeout</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I am using ASDM so if you want me to write any command in CLI just tell me what to write.</P> <P>&nbsp;</P> <P>THANKS SO MUCH IN ADVACE</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:58:45 GMT Alfonsoj 2020-02-21T15:58:45Z https://community.cisco.com/t5/network-security/teardown-tcp-connection-0-syn-timeout/m-p/3414920#M950949 <P>Hello everyone:</P> <P>I am pretty new and I am becoming crazy with something is suposed to be easy, so thanks in advance.</P> <P>I´ll try to explain the scenario:</P> <P>We have a business lan with ip range (10.154.X.X/22 ) and wireless lan(192.168.2.0/24)&nbsp;</P> <P>This environment is connected to a Cisco ASA firewall 1</P> <P>This cisco ASA is connected with ip 172.16.1.100 in the outside interface to a dummy switch</P> <P>this switch is connected to a secondary firewall 2 with outside ip 172.16.1.1</P> <P>in the inside interface the IP is 190.167.0.1</P> <P>in this last LAN we have a Webserver with IP 190.16.0.34</P> <P>&nbsp;</P> <P>-----Business LAN----- FIREWALL1--(172.16.1.100)----------SWITCH-----------(172.16.1.1)--FIREWALL2--(190.167.0.1)--------WEBSERVER(190.167.0.34)</P> <P>&nbsp;</P> <P>Unfortunately the Webserver was designed in an isolated environement and the IP is public, that is why there is a NAT in Firewall 1 to translate 10.154.X.97 to 190.167.0.34</P> <P>The Wireless network (192.168.2.0) works fine and is able to see the webserver using the NAT address (10.154.X.97) but unfortunately Wired network is not able to reach the webserver or even ping it. I receive the following&nbsp; traces:</P> <TABLE> <TBODY> <TR> <TD> <P>6&nbsp;&nbsp; &nbsp;Jul 12 2018&nbsp;&nbsp; &nbsp;20:10:57&nbsp;&nbsp;&nbsp;</P> </TD> <TD> <P>&nbsp;10.154.X.X &nbsp;&nbsp; 51394&nbsp;&nbsp; &nbsp;190.167.0.34&nbsp;&nbsp; &nbsp;443&nbsp;&nbsp; &nbsp;Built inbound TCP connection 219863 for outside:10.154.X.X/51394 (10.154.X.X/51394) to PlantLan:190.167.0.34/443 (190.167.0.34/443)</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD> <P>6&nbsp;&nbsp; &nbsp;Jul 12 2018&nbsp;&nbsp; &nbsp;20:11:06&nbsp;&nbsp;&nbsp;</P> </TD> <TD> <P>&nbsp;10.154.X.X&nbsp;&nbsp;&nbsp; 51392&nbsp;&nbsp; &nbsp;190.167.0.34&nbsp;&nbsp; &nbsp;443&nbsp;&nbsp; &nbsp;Teardown TCP connection 219862 for outside:10.154.X.X/51392 to PlantLan:190.167.0.34/443 duration 0:00:30 bytes 0 SYN Timeout</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I am using ASDM so if you want me to write any command in CLI just tell me what to write.</P> <P>&nbsp;</P> <P>THANKS SO MUCH IN ADVACE</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:58:45 GMT https://community.cisco.com/t5/network-security/teardown-tcp-connection-0-syn-timeout/m-p/3414920#M950949 Alfonsoj 2020-02-21T15:58:45Z https://community.cisco.com/t5/network-security/teardown-tcp-connection-0-syn-timeout/m-p/3414962#M950952 <P>I would recommend using packet-tracers and captures to figure out where the problem is. Run the following packet-tracer commands on both Firewalls:</P> <P>&nbsp;</P> <P>packet-tracer input&nbsp;<SPAN>PlantLan tcp 10.154.x.x 51394&nbsp;190.167.0.34 443 detailed</SPAN></P> <P>&nbsp;</P> <P><SPAN>Also apply captures similar to this on inside and outside interface when you are testing with actual traffic:</SPAN></P> <P>&nbsp;</P> <P><SPAN>capture capi interface PlantLan match ip host 10.154.x.x&nbsp;host 190.167.0.34</SPAN></P> <P><SPAN>capture capo interface outside match ip host&nbsp;10.154.x.x host 190.167.0.34 ( change the source for Firewall2 to NAT ip address)</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> Thu, 12 Jul 2018 20:26:25 GMT https://community.cisco.com/t5/network-security/teardown-tcp-connection-0-syn-timeout/m-p/3414962#M950952 Rahul Govindan 2018-07-12T20:26:25Z