ASA 5510 8.4.2 error TCP Reset-I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2012 12:08 PM - edited 03-11-2019 04:11 PM
Hello,
I have WiFi device (host 10.6.16.21) which needs to connect to remote server (172.25.20.26 on TCP port 3613) over L2L VPN tunnel. I see that the device is attempting connection, but it is being reset:
%ASA-6-302014: Teardown TCP connection 21757966 for outside:172.26.20.25/3613 to inside:10.6.16.21/49164 duration 0:00:05 bytes 72 TCP Reset-I
I'm trying to find out what device is sending the reset packet and so I used packet capture on inside int:
capture in-cap interface inside match tcp host 10.6.16.21 host 172.26.20.25 eq 3613
Could you help me to understand why the session is being reset...below's the result of the packet capture:
sh capture in-cap
619 packets captured
1: 14:22:19.201008 172.26.20.25.3613 > 10.6.16.21.49276: P 3368582700:3368582748(48) ack 2542480154 win 65523
2: 14:22:21.960933 10.6.16.21.49277 > 172.26.20.25.3613: S 2543090958:2543090958(0) win 10000 <mss 1460,nop,wscale 0>
3: 14:22:21.988321 172.26.20.25.3613 > 10.6.16.21.49277: S 1222713806:1222713806(0) ack 2543090959 win 16384 <mss 1380,nop,wscale 0>
4: 14:22:21.996149 10.6.16.21.49277 > 172.26.20.25.3613: . ack 1222713807 win 10000
5: 14:22:22.023344 172.26.20.25.3613 > 10.6.16.21.49276: F 3368582748:3368582748(0) ack 2542480154 win 65523
6: 14:22:22.027769 172.26.20.25.3613 > 10.6.16.21.49277: P 1222713807:1222713819(12) ack 2543090959 win 65535
7: 14:22:22.029798 10.6.16.21.49276 > 172.26.20.25.3613: R 2542480154:2542480154(0) ack 3368582749 win 0
8: 14:22:22.032758 10.6.16.21.49277 > 172.26.20.25.3613: . ack 1222713819 win 9988
9: 14:22:22.034620 10.6.16.21.49277 > 172.26.20.25.3613: P 2543090959:2543090971(12) ack 1222713819 win 10000
10: 14:22:22.059719 172.26.20.25.3613 > 10.6.16.21.49277: P 1222713819:1222713867(48) ack 2543090959 win 65535
11: 14:22:22.063335 10.6.16.21.49277 > 172.26.20.25.3613: . ack 1222713867 win 9952
12: 14:22:22.216663 172.26.20.25.3613 > 10.6.16.21.49277: . ack 2543090971 win 65523
13: 14:22:27.727684 10.6.16.21.49278 > 172.26.20.25.3613: S 2544029455:2544029455(0) win 10000 <mss 1460,nop,wscale 0>
14: 14:22:27.755072 172.26.20.25.3613 > 10.6.16.21.49278: S 1364660650:1364660650(0) ack 2544029456 win 16384 <mss 1380,nop,wscale 0>
15: 14:22:27.758459 10.6.16.21.49278 > 172.26.20.25.3613: . ack 1364660651 win 10000
16: 14:22:27.786580 172.26.20.25.3613 > 10.6.16.21.49277: F 1222713867:1222713867(0) ack 2543090971 win 65523
17: 14:22:27.791737 10.6.16.21.49277 > 172.26.20.25.3613: R 2543090971:2543090971(0) ack 1222713868 win 0
18: 14:22:27.792897 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660651:1364660663(12) ack 2544029456 win 65535
19: 14:22:27.796833 10.6.16.21.49278 > 172.26.20.25.3613: . ack 1364660663 win 9988
20: 14:22:27.800053 10.6.16.21.49278 > 172.26.20.25.3613: P 2544029456:2544029468(12) ack 1364660663 win 10000
21: 14:22:27.823733 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660663:1364660711(48) ack 2544029456 win 65535
22: 14:22:27.827746 10.6.16.21.49278 > 172.26.20.25.3613: . ack 1364660711 win 9952
<--- More --->
23: 14:22:27.950085 172.26.20.25.3613 > 10.6.16.21.49278: . ack 2544029468 win 65523
24: 14:22:42.815204 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
25: 14:22:44.757224 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
26: 14:22:48.771322 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
27: 14:22:56.717797 172.26.20.25.3613 > 10.6.16.21.49278: P 1364660711:1364660715(4) ack 2544029468 win 65523
28: 14:22:56.776235 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
29: 14:22:56.776266 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
30: 14:22:56.789784 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
31: 14:22:56.789815 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
32: 14:22:56.853517 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
33: 14:22:56.853547 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
34: 14:22:56.904341 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
35: 14:22:56.904372 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
36: 14:22:56.907439 10.6.16.21.49278 > 172.26.20.25.3613: R 2544029468:2544029468(0) ack 1364660716 win 0
37: 14:22:56.907469 172.26.20.25.3613 > 10.6.16.21.49278: P ack 2544029468 win 65523
Thank you,
forman
- Labels:
-
NGFW Firewalls

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2012 12:54 PM
The reset seems to be sent by your wifi device:
7: 14:22:22.029798 10.6.16.21.49276 > 172.26.20.25.3613: R 2542480154:2542480154(0) ack 3368582749 win 0
So you might just need to verify why is it terminating the request. For a better understanding, download the packets in pcap format and view in wireshark
Thanks,
Varun Rao
Security Team,
Cisco TAC
Varun Rao
