Cisco FTD - TCP window size

ciscoworlds
Level 4

Hi.

I'm trying to set up Remote Access VPN on Cisco FTD 6.2.2. The client (192.168.55.202) can ping the IP address on the FTD (gig 0/1.509 - 192.168.59.3) but cannot reach the HTTPS web page when using the address https://192.168.59.3 in its browser.

I captured traffic coming into g0/1.509 and saw that the "ACK" packets sent by the FTD to the clients had a TCP window of "0".

> show capture ab

24 packets captured

   1: 11:29:25.297988       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: SWE 3183334073:3183334073(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   2: 11:29:25.298400       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 1075841815:1075841815(0) ack 3183334074 win 0 
   3: 11:29:25.552721       802.1Q vlan#509 P0 192.168.55.202.49223 > 192.168.59.3.443: SWE 319363783:319363783(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   4: 11:29:25.553071       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49223: R 1513781485:1513781485(0) ack 319363784 win 0 
   5: 11:29:25.817767       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: S 3183334073:3183334073(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   6: 11:29:25.818088       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 579879347:579879347(0) ack 3183334074 win 0 
   7: 11:29:26.052212       802.1Q vlan#509 P0 192.168.55.202.49223 > 192.168.59.3.443: S 319363783:319363783(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   8: 11:29:26.052411       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49223: R 30586601:30586601(0) ack 319363784 win 0 
   9: 11:29:26.333204       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: S 3183334073:3183334073(0) win 8192 <mss 1460,nop,nop,sackOK> 
  10: 11:29:26.333494       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 650331663:650331663(0) ack 3183334074 win 0 
  11: 11:29:26.567887       802.1Q vlan#509 P0 192.168.55.202.49223 > 192.168.59.3.443: S 319363783:319363783(0) win 8192 <mss 1460,nop,nop,sackOK> 
  12: 11:29:26.568162       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49223: R 1704384677:1704384677(0) ack 319363784 win 0 
  13: 11:29:31.922529       802.1Q vlan#509 P0 192.168.55.202.49224 > 192.168.59.3.443: SWE 848814265:848814265(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
  14: 11:29:31.922910       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49224: R 1690393121:1690393121(0) ack 848814266 win 0 
  15: 11:29:32.178182       802.1Q vlan#509 P0 192.168.55.202.49225 > 192.168.59.3.443: SWE 3493445219:3493445219(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 

As far as I know, a TCP window of zero resets the connection to that IP address, so the client cannot send further packets while the TCP window size equals "zero".

I waited 2 days, but it still shows the same "zero" value as the window size. Is this a bug or what?

1 Reply

ciscoworlds
Level 4

I did another, more detailed capture and found that the FTD sends TCP ACK messages with the RST flag and a window size of "0". The RST flag means that the FTD doesn't accept incoming HTTPS requests destined to its sub-interface on which Remote Access VPN has been set up. I ran some debug commands (including "debug webvpn", "debug http", "debug crypto" and some others) and tried to establish the HTTPS connection to the FTD again. There are continuous logs like this:

%ASA-7-609001: Built local-host FTD-509:172.16.100.10
%ASA-7-609001: Built local-host nlp_int_tap:169.254.1.2
%ASA-7-609002: Teardown local-host FTD-509:172.16.100.10 duration 0:00:00
%ASA-7-609002: Teardown local-host nlp_int_tap:169.254.1 duration 0:00:00
%ASA-7-609001: Built local-host FTD-509:172.16.100.10
%ASA-7-609001: Built local-host nlp_int_tap:169.254.1.2

172.16.100.10 is the IP address of the client that tried to establish the HTTPS connection with the ASA FTD-509 sub-interface (IP address: 192.168.59.3).

I restarted the FTD and the client, but nothing changed. In FMC I even tried to unassign the Remote Access policy from the FTD, but after deploying the changes, all (or most) of the configs (like tunnel groups, IKE policies, webvpn, etc.) still existed in the FTD running-config! Doesn't unassigning a policy remove the related configs from the FTD?!

Any idea about what would be the reason behind these issues?

1. Why doesn't the ASA FTD accept incoming HTTPS to its sub-interface configured for remote access VPN? (I'm going to upload screenshots of the FMC to the cloud and you can find them here.)

2. Why doesn't unassigning a configuration (a policy) from a device remove the related configuration from that device?
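An added example, not part of the original thread and not Cisco code: a small Python parser for the text `show capture` format shown in the first post. It separates a refused connection (RST in reply to the SYN, which is what the capture above shows; the `win 0` on a RST carries no flow-control meaning) from a genuine zero-window stall, a completed SYN-ACK, and a SYN that got no reply. Packets 1-2 in the sample are copied from the capture in the post; the remaining lines are constructed.

```python
import re

# Matches one packet line of the ASA/FTD 'show capture' text format shown above.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFWE.]+) .*?(?P<ack>ack \d+ )?win (?P<win>\d+)"
)

# Constructed sample: packets 1-2 are copied from the capture in the post, the
# rest are made up to show the other outcomes a capture can contain.
SAMPLE = """\
   1: 11:29:25.297988       802.1Q vlan#509 P0 192.168.55.202.49222 > 192.168.59.3.443: SWE 3183334073:3183334073(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 11:29:25.298400       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49222: R 1075841815:1075841815(0) ack 3183334074 win 0
   3: 11:29:40.000000       802.1Q vlan#509 P0 192.168.55.202.49300 > 192.168.59.3.443: S 1000:1000(0) win 8192 <mss 1460,nop,nop,sackOK>
   4: 11:29:40.000300       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49300: S 2000:2000(0) ack 1001 win 29200 <mss 1460>
   5: 11:29:41.000000       802.1Q vlan#509 P0 192.168.55.202.49301 > 192.168.59.3.443: S 3000:3000(0) win 8192 <mss 1460,nop,nop,sackOK>
   6: 11:29:41.000300       802.1Q vlan#509 P0 192.168.59.3.443 > 192.168.55.202.49301: . ack 3001 win 0
   7: 11:29:42.000000       802.1Q vlan#509 P0 192.168.55.202.49302 > 192.168.59.3.443: S 4000:4000(0) win 8192 <mss 1460,nop,nop,sackOK>
"""

def parse_capture(text):
    """Yield one dict per packet line; headers and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["win"] = int(pkt["win"])
            pkt["is_ack"] = pkt["ack"] is not None
            yield pkt

def classify_flows(text, server_ip, server_port):
    """Map (client_ip, client_port) -> verdict for attempts to server_ip:server_port:
    refused (RST back; its win 0 is incidental, as in the post), zero-window (ACK with
    win 0 and no RST: a real flow-control stall), handshake (SYN-ACK), no-reply."""
    verdicts = {}
    for p in parse_capture(text):
        if p["dst"] == server_ip and p["dport"] == str(server_port):
            verdicts.setdefault((p["src"], p["sport"]), "no-reply")
        elif p["src"] == server_ip and p["sport"] == str(server_port):
            key = (p["dst"], p["dport"])
            if "R" in p["flags"]:
                verdicts[key] = "refused"
            elif "S" in p["flags"] and p["is_ack"]:
                verdicts[key] = "handshake"
            elif p["is_ack"] and p["win"] == 0:
                verdicts[key] = "zero-window"
    return verdicts
```

Running `classify_flows(SAMPLE, "192.168.59.3", 443)` reports the post's flow (client port 49222) as `refused`, which points at the listener on the sub-interface rather than at window sizing.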
