Tear down TCP connection

John Eze
Level 1

Hello Guys,

I recently set up a Cisco ASA 9.x for a financial institution in the new DC, and because this project is still in the implementation phase I have yet to implement any form of restriction on the ASA.

I have no VPN or NAT configured on the ASA. I have allowed traffic between zones on the ASA by permitting ip any any on my inside interface.

Since the project is still in a migration phase, we are passing traffic from the server farm on the inside zone (successfully migrated servers from the old DC to the new DC).

The server farm is protected by a Palo Alto FW which is also in a pass-through mode, so all outbound and inbound connections are allowed.

The migration plan is to have a connection from the ASA located in the new DC to the old network, terminated on a 6509 (core of the old DC) of the financial institution.

The old network still holds the routes to in-country branches and also to affiliates located outside the country through a VPN tunnel, and it is also the internet breakout for the network.

I have established full connectivity between the new and old networks, and also to the branches and affiliates, through the static route on the ASA pointing to the 6509 (core of the old DC) connection.

My challenge is that when servers from the new DC try to establish TCP connections from hosts on the inside to the old DC, it builds the connection and then tears it down.

So the ASA sends the SYN across but the ACK, so it tears down the connection.

5# sh log | i 10.2.173.29
%ASA-6-302014: Teardown TCP connection 290051329 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34610 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051332 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34611 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051335 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34612 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host Ecobank:10.2.173.29 duration 0:00:00

sh route 10.2.173.29
Routing entry for 10.2.0.0 255.255.0.0
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.3.201.134, via Old-Net
      Route metric is 0, traffic share count is 1

sh asp drop
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                  4
  Invalid UDP Length (invalid-udp-length)                                      4
  No valid adjacency (no-adjacency)                                       839971
  No route to host (no-route)                                           13110842
  Reverse-path verify failed (rpf-violated)                                   98
  Flow is denied by configured rule (acl-drop)                            609829
  First TCP packet not SYN (tcp-not-syn)                                 2044354
  Bad TCP flags (bad-tcp-flags)                                                1
  TCP failed 3 way handshake (tcp-3whs-failed)                            303376
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              1331302
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            60
  TCP packet SEQ past window (tcp-seq-past-win)                             1973
  TCP invalid ACK (tcp-invalid-ack)                                           24
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                      278
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)              59731
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                 452
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                 236
  TCP packet failed PAWS test (tcp-paws-fail)                                 89
  Connection limit reached (conn-limit)                                        3
  Slowpath security checks failed (sp-security-failed)                     15798
  Expired flow (flow-expired)                                                  3
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)    3
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)          2
  DNS Inspect packet too long (inspect-dns-pak-too-long)                      23
  DNS Inspect id not matched (inspect-dns-id-not-matched)                   2683
  FP L2 rule drop (l2_acl)                                                785152
  Unable to obtain connection lock (connection-lock)                           1
  Interface is down (interface-down)                                         991
  Dropped pending packets in a closed socket (np-socket-closed)             8868

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                        18590

ajay chauhan
Level 7

TCP Reset-O means that the firewall saw a RST packet come from the outside host. At this point the firewall will remove the connection from its connection table and no further packets will pass. This should be investigated on the outside host.
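To make that triage systematic, the following is an added example (not from the original post or from Cisco) that parses ASA %ASA-6-302014 teardown lines like the ones quoted above and counts connections that were reset with zero bytes and zero duration, split by which side sent the RST. The sample log is constructed, and it assumes the higher-security interface is named "inside" as in the post.

```python
import re
from collections import Counter

# ASA message 302014 (TCP teardown). Field order as in the lines quoted in the post:
# conn id, "for" <if>:<ip>/<port> to <if>:<ip>/<port>, duration h:mm:ss, bytes, reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) to "
    r"(?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Constructed sample modelled on the post's output (not a real capture).
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 290051329 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34610 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051332 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34611 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051400 for Old-Net:10.2.173.40/443 to inside:10.4.176.173/34700 duration 0:02:11 bytes 18423 TCP FINs
%ASA-6-302014: Teardown TCP connection 290051401 for Old-Net:10.2.173.29/3306 to inside:10.4.176.180/41000 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-7-609002: Teardown local-host Ecobank:10.2.173.29 duration 0:00:00
"""

def parse_teardowns(text):
    """Return one dict per 302014 line; other messages (e.g. 609002) are skipped."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events

def reset_sender(ev):
    """Endpoint that sent the RST: Reset-I is the inside host, Reset-O is the host
    on the other (lower-security) interface. Assumes that interface is named 'inside'."""
    inside_first = ev["if1"] == "inside"
    want_inside = ev["reason"].endswith("Reset-I")
    n = "1" if inside_first == want_inside else "2"
    return f'{ev["if" + n]}:{ev["ip" + n]}/{ev["port" + n]}'

def failed_handshakes(events):
    """Count teardowns with zero bytes and zero duration, i.e. connections reset
    before any data flowed, keyed by (reason, resetting endpoint)."""
    counts = Counter()
    for ev in events:
        if ev["bytes"] == 0 and ev["duration"] == "0:00:00" and "Reset" in ev["reason"]:
            counts[(ev["reason"], reset_sender(ev))] += 1
    return counts
```

A high count keyed to a single Old-Net server and port, as for 10.2.173.29/3306 here, points at that host (service not listening, host firewall, or a return-path problem on the old side) rather than at the ASA.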
