cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


330
Views
0
Helpful
1
Replies
Highlighted
Enthusiast

Cisco FTD - TCP window size

Hi.

I'm trying to setup Remote Access VPN on Cisco FTD 6.2.2. Client (192.168.55.202) can ping IP address on FTD (gig 0/1.509 - 192.168.59.3) but cannot reach the HTTPS web page while using https://192.168.59.3 address on its browser. 

I captured traffic coming into g0/1.509 and saw "ACK" packets sent by FTD to the clients had TCP windows of "0"

 

> show capture ab

24 packets captured

   1: 11:29:25.297988       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: SWE 3183334073:3183334073(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   2: 11:29:25.298400       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 1075841815:1075841815(0) ack 3183334074 win 0 
   3: 11:29:25.552721       802.1Q vlan#509 P0 192.168.55.202.49223 > 192.168.59.3.443: SWE 319363783:319363783(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   4: 11:29:25.553071       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49223: R 1513781485:1513781485(0) ack 319363784 win 0 
   5: 11:29:25.817767       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: S 3183334073:3183334073(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   6: 11:29:25.818088       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 579879347:579879347(0) ack 3183334074 win 0 
   7: 11:29:26.052212       802.1Q vlan#509 P0 192.168.55.202.49223 > 192.168.59.3.443: S 319363783:319363783(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   8: 11:29:26.052411       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49223: R 30586601:30586601(0) ack 319363784 win 0 
   9: 11:29:26.333204       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: S 3183334073:3183334073(0) win 8192 <mss 1460,nop,nop,sackOK> 
  10: 11:29:26.333494       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 650331663:650331663(0) ack 3183334074 win 0 
  11: 11:29:26.567887       802.1Q vlan#509 P0 192.168.55.202.49223 > 192.168.59.3.443: S 319363783:319363783(0) win 8192 <mss 1460,nop,nop,sackOK> 
  12: 11:29:26.568162       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49223: R 1704384677:1704384677(0) ack 319363784 win 0 
  13: 11:29:31.922529       802.1Q vlan#509 P0 192.168.55.202.49224 > 192.168.59.3.443: SWE 848814265:848814265(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
  14: 11:29:31.922910       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49224: R 1690393121:1690393121(0) ack 848814266 win 0 
  15: 11:29:32.178182       802.1Q vlan#509 P0 192.168.55.202.49225 > 192.168.59.3.443: SWE 3493445219:3493445219(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 

 

As I know the TCP windows zero resets the connection to that IP address so the client cannot send another packets while TCP window size equals "zero". 

I waited 2 days, but it shows the same "zero" value as window size. Is this a bug or what?

1 REPLY 1
Enthusiast

Re: Cisco FTD - TCP window size

I did another capture in detail and found that the FTD sends TCP ACK messages with RST flag and window size of "0". RST flag means that FTD doesn't accept incoming HTTPS request destined to its sub-interface on which Remote Access VPN has been setup. I ran some debug commands (including "debug webvpn", "debug http", debug crypto" and some others) and tried to establish HTTPS connection again to the FTD, There are continues logs like this:

 

%ASA-7-609001: Built local-host FTD-509:172.16.100.10

%ASA-7-609001: Built local-host nlp_int_tap:169.254.1.2

%ASA-7-609002: Teardown local-host FTD-509:172.16.100.10 duration 0:00:00

%ASA-7-609002: Teardown local-host nlp_int_tap:169.254.1 duration 0:00:00

%ASA-7-609001: Built local-host FTD-509:172.16.100.10

%ASA-7-609001: Built local-host nlp_int_tap:169.254.1.2

 

172.16.100.10 is the ip address of the client who tried to establish HTTPS connection with ASA FTD-509 subinterface (ip address: 192.168.59.3).

 

I restarted FTD and client but nothing changed. Even on FMC I tried to unassign the Remote Access policy from the FTD, but after deploying the changes, all (or most of) of the configs (like tunnel groups, IKE policies, webvpn, etc) were still exist on the FTD running-config! Doesn't unassigning a policy remove the related configs on FTD?!

Any idea about what would be the reason behind these issues?

 

1. Why ASA FTD doesn't accept incoming HTTPS to its sub-interface configured for remote access vpn? (I'm going to upload screen shots of the FMC to the cloud and u can find them here).

 

2. Why unassigning a configuration (a policy) from a device, doesn't remove the related configuration from that device?