Solved: Re: Deny TCP (no connection) from inside to inside

jordipuig · ‎09-03-2013

Hi, I have a communication problem between 2 servers that are behind a firewall.

I'm trying to connect from one to the other through TCP 3306 port and, after a lot of system configuration checks and tests, I found the following records in ASA debug console:

Built inbound TCP connection 8762504 for Inside:192.168.254.16/41623 (192.168.254.16/41623) to Inside:192.168.254.13/3306 (192.168.254.13/3306)

Teardown TCP connection 8762504 for Inside:192.168.254.16/41623 to Inside:192.168.254.13/3306 duration 0:00:00 bytes 0 TCP Reset-O

Deny TCP (no connection) from 192.168.254.16/41623 to 192.168.254.13/3306 flags RST on interface Inside

I found a possible solution in a post, telling to run the command:

sysopt connection timewait

And I tried it. I still cannot connect, but I don't receive the (no connection) message any more:

Built inbound TCP connection 8756080 for Inside:192.168.254.16/41622 (192.168.254.16/41622) to Inside:192.168.254.13/3306 (192.168.254.13/3306)

Teardown TCP connection 8756080 for Inside:192.168.254.16/41622 to Inside:192.168.254.13/3306 duration 0:00:24 bytes 0 SYN Timeout

Few considerations:

Source server: 192.168.254.16

Destination server: 192.168.254.13

Both servers behind the ASA 5510, connected through a switch and with the ASA inside IP as gateway.

The server 192.168.254.13:3306 is accessible from remote vpn connections without any problems.

This cannot be a missconfiguration in the source server, cause I tried to connect to the destination server from another server in the LAN and it doesn't work too.

Thanks for your help!

Jouni Forss · ‎09-03-2013

Hi,

My first question would be why the ASA would even see the connection forming between 2 hosts that are in the same subnet? The hosts should not send any traffic to the ASA but send it directly to eachother after they have used ARP to determine the MAC address of the destination host.

So there is something strange with the setup.

Or if they happened to be in 2 different subnets it would still be strange as they should most likely communicate through some router behind the "inside" interface of ASA.

- Jouni

View solution in original post

Jouni Forss · ‎09-03-2013

Hi,

My first question would be why the ASA would even see the connection forming between 2 hosts that are in the same subnet? The hosts should not send any traffic to the ASA but send it directly to eachother after they have used ARP to determine the MAC address of the destination host.

So there is something strange with the setup.

Or if they happened to be in 2 different subnets it would still be strange as they should most likely communicate through some router behind the "inside" interface of ASA.

- Jouni

jordipuig · ‎09-03-2013

Hi Jouni,

Thanks, you guide me through the right way.

I added the arp entries manually on both servers, and nothing.

But I realised that broadcast address wasn't properly configurated in the soruce server.

After fixing that, the both servers can communicate correctly adn the ASA is no loger receiveing that transmission.

Yesterday I have been looking for a solution all the day, but I had the same issue from 2 servers and seeing that events in the ASA, I thought it was related to it.

Thanks for your help!

Jouni Forss · ‎09-03-2013

Hi,

Glad to hear you got it working

Are you saying that there was a missconfigured subnet mask on the other server? That would atleast explain why ASA might be seeing the traffic as the other host though the destination IP address wasnt part of its local network.

- Jouni