ASA 5510 TCP Connection was deleted

johnnys01 (Level 1)

Hi

I have a problem when accessing a certain website. When I go to the Real Time Log Viewer, this is the entry I find for that specific website/IP.

I can access the website when not going through the firewall, and from my mail server, which is NATed to a public IP that goes through the same firewall.

I am not sure which reason I should be looking at.

Thank you

A TCP connection between two hosts was deleted. The following list describes the message values:

id: A unique identifier
interface, real-address, real-port: The actual socket
duration: The lifetime of the connection
bytes: The data transfer of the connection
user: The AAA name of the user
reason: The action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in Table 1-3.

Table 1-3 TCP Termination Reasons

Reason: Description
Conn-timeout: Connection ended because it was idle longer than the configured idle timeout.
Deny Terminate: Flow was terminated by application inspection.
Failover primary closed: The standby unit in a failover pair deleted a connection because of a message received from the active unit.
FIN Timeout: Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.
Flow closed by inspection: Flow was terminated by inspection feature.
Flow terminated by IPS: Flow was terminated by IPS.
Flow reset by IPS: Flow was reset by IPS.
Flow terminated by TCP Intercept: Flow was terminated by TCP Intercept.
Flow timed out: Flow has timed out.
Flow timed out with reset: Flow has timed out, but was reset.
Invalid SYN: SYN packet not valid.
Idle Timeout: Connection timed out because it was idle longer than timeout value.
IPS fail-close: Flow was terminated due to IPS card down.
Pinhole Timeout: Counter is incremented to report that the appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, and hence it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.
SYN Control: Back channel initiation from wrong side.
SYN Timeout: Force termination after 30 seconds awaiting three-way handshake completion.
TCP bad retransmission: Connection terminated because of bad TCP retransmission.
TCP FINs: Normal close down sequence.
TCP Invalid SYN: Invalid TCP SYN packet.
TCP Reset-I: Reset was from the inside.
TCP Reset-O: Reset was from the outside.
TCP segment partial overlap: Detected a partially overlapping segment.
TCP unexpected window size variation: Connection terminated due to variation in the TCP window size.
Tunnel has been torn down: Flow terminated because tunnel is down.
Unauth Deny: Denied by URL filter.
Unknown: Catch-all error.
Xlate Clear: Command-line removal.


Jouni Forss (VIP Alumni)

Hi,

Are you saying that you are getting some log message about the connection that doesn't go through? If so, can you post us the log message (you can remove any public IP addresses in the log messages)?

Or are you saying that you want to know what to look for in the logs to determine the reason the connection is dropped?

I would suggest using the "packet-tracer" command to simulate the connection attempt. This would tell which rules/configurations the packet matches on the firewall.

As I don't know your configuration I can only give a general example:

packet-tracer input tcp 12345 80

Could you insert the correct information into the above command and post the output of the command here. Remember to remove any public IP addresses from your post.

- Jouni

Hi Jouni

Thanks for the help, here is the output you asked for. It seems to look OK, but I still cannot access this one website from behind the FW. I can ping and do a tracert but cannot open it. I'm baffled, as it still seems to me something on the FW is dropping the connection.

Thanks, Johnny

MMHS-WILMED-FW# packet-tracer input inside tcp 192.168.200.11 www xxx.xxx.xxx.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_INTERFACE in interface inside
access-list INSIDE_INTERFACE extended permit tcp any any eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14705252, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

MMHS-WILMED-FW#

Jouni, this is the output I get when changing the input to "outside":

MMHS-WILMED-FW# packet-tracer input outside tcp 192.168.200.11 www xxx.xxx.xxx$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Have you been able to check why the source host is not getting any NAT/PAT translation for its connection attempt?

- Jouni

Hi, like you said, there are no NAT/PAT rules set up on the FW.

I have added a NAT rule to test, but still no luck.

MMHS-WILMED-FW# packet-tracer input inside tcp 192.168.200.34 www xx.xx.xx.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_INTERFACE in interface inside
access-list INSIDE_INTERFACE extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab93f850, priority=12, domain=permit, deny=false
        hits=13401288, user_data=0xa89f67c0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f7740, priority=0, domain=permit-ip-option, deny=true
        hits=14102309, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 196.xx.xx.xx www 192.168.200.34 www netmask 255.255.255.255
  match tcp inside host 192.168.200.34 eq 80 outside any
    static translation to 196.xx.xx.xx/80
    translate_hits = 3, untranslate_hits = 0
Additional Information:
Static translate 192.168.200.34/80 to 196.xx.xx.xx/80 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0xac1bc5f0, priority=5, domain=nat, deny=false
        hits=2, user_data=0xabef8a00, cs_id=0x0, flags=0x0, protocol=6
        src ip=192.168.200.34, mask=255.255.255.255, port=80
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 196.xx.xx.xx www 192.168.200.34 www netmask 255.255.255.255
  match tcp inside host 192.168.200.34 eq 80 outside any
    static translation to 196.xx.xx.xx/80
    translate_hits = 3, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac444e80, priority=5, domain=host, deny=false
        hits=288, user_data=0xabef8a00, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.200.34, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1140, priority=0, domain=permit-ip-option, deny=true
        hits=14357716, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14795205, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Here is the FW config:

ASA Version 8.2(1)
!
hostname MMHS-WILMED-FW
domain-name
enable password gvpDMPM3vsM7wX0g encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.1.1.9 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.1.1.2 255.255.255.248
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 255.255.255.248
!
interface Ethernet0/3
 nameif internet
 security-level 0
 ip address 10.20.20.1 255.255.255.248
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone SAST 2
dns server-group DefaultDNS
 domain-name xxxx
object-group service KotiePienaar tcp-udp
 description Pienaa program
 port-object eq 1235
 port-object eq 1236
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list INSIDE_INTERFACE extended permit tcp host 192.168.200.9 any eq smtp
access-list INSIDE_INTERFACE extended permit tcp host 192.168.200.30 any eq smtp
access-list INSIDE_INTERFACE extended deny tcp any any eq smtp
access-list INSIDE_INTERFACE extended permit tcp any any eq www
access-list INSIDE_INTERFACE extended permit tcp any any eq https
access-list INSIDE_INTERFACE extended deny ip any host inactive
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny ip any host
access-list INSIDE_INTERFACE extended deny object-group TCPUDP any any eq 29239
access-list INSIDE_INTERFACE extended permit ip any any
access-list INSIDE_INTERFACE extended permit icmp any any echo-reply
access-list INSIDE_INTERFACE extended permit icmp any any source-quench
access-list INSIDE_INTERFACE extended permit icmp any any unreachable
access-list INSIDE_INTERFACE extended permit icmp any any time-exceeded
access-list outside extended permit tcp any host 192.168.200.9 eq smtp
access-list outside extended deny tcp any any eq smtp
access-list outside extended permit ip any host
access-list outside extended permit tcp any host 196.168.200.9 eq www
access-list outside extended permit tcp any host 192.168.200.9 eq https
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any source-quench
access-list outside extended permit icmp any any unreachable
access-list outside extended permit icmp any any time-exceeded
access-list dmz_access_in extended permit ip any any
access-list OUTBOUND_MAIL extended permit tcp any host 192.168.200.9 eq smtp
access-list OUTBOUND_MAIL extended deny tcp any any eq smtp
access-list OUTBOUND_MAIL extended permit ip any host
access-list OUTBOUND_MAIL extended permit tcp any host 192.168.200.9 eq www
access-list OUTBOUND_MAIL extended permit tcp any host 192.168.200.9 eq https
access-list OUTBOUND_MAIL extended permit icmp any any echo-reply
access-list OUTBOUND_MAIL extended permit icmp any any source-quench
access-list OUTBOUND_MAIL extended permit icmp any any unreachable
access-list OUTBOUND_MAIL extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any echo-reply
!
tcp-map Map1
  queue-limit 200 timeout 10
  reserved-bits clear
  synack-data allow
  invalid-ack allow
  seq-past-window allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
pager lines 24
logging enable
logging list test level emergencies
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu internet 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
access-group OUTBOUND_MAIL in interface outside
access-group INSIDE_INTERFACE in interface inside
access-group dmz_access_in in interface dmz
!
router rip
 network 10.0.0.0
 network 172.1.0.0
 default-information originate
 version 2
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 172.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
no threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.197.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.198.2 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.34 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.3 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.5 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.7 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.200.9 255.255.255.255
threat-detection scanning-threat shun duration 300
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username  password xZKuL1o9jZHll3io encrypted privilege 15
usernam password KWii2NKIjaql9oaK encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  no dns-guard
  no protocol-enforcement
  no nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d43f94f7e4209a9e4867e025cb70f3a

Hi,

Didn't know that the ASA wasn't the Internet edge device in your network.

Then I guess you should monitor the logs for this website connection, look for the Built/Teardown messages for this connection and look at the Teardown message's reason for teardown.

Do you have some log messages that you could share?

You could also check the device at the Internet edge and see if there are any problems there.

- Jouni

Hi

This is the Teardown for the specific address I am trying to connect to:

8:03|302014|203.xx.xxx.xx|80|192.168.200.34|17980|Teardown TCP connection 14844355 for outside:203.xx.xxx.xx/80 to inside:192.168.200.34/17980 duration 0:00:30 bytes 0 SYN Timeout

I am busy checking the edge router to the Internet but see no problems so far.

Thanks

Hi,

The above log message tells us that the connection attempt has gone through the firewall.

It would seem, though, that the initial 3-way handshake of the TCP connection doesn't go through (TCP SYN, TCP SYN ACK, TCP ACK). Usually it means that the remote host won't reply. It might be because of NAT configurations or some routing problems.

So I would check that there is no routing or NAT related problem in your configurations.

Though if only a single host suffers from this problem on the same LAN, then it sounds pretty strange.

- Jouni
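The message format quoted in the opening post (Table 1-3) and the reading of "SYN Timeout ... bytes 0" that Jouni gives above are easiest to apply across a whole log with a small parser. The following is an added example, not code from the thread or from Cisco: it extracts the connection id, both endpoints, duration, byte count and termination reason from %ASA-6-302014 lines (raw syslog or the pipe-delimited ASDM form shown above), maps the reason onto a coarse category, and flags flows that ended by SYN Timeout with zero bytes, the signature of a SYN that was forwarded and never answered. The sample log lines are constructed from the format in the thread, with the redacted public address replaced by the documentation address 203.0.113.10; the category names are this example's own, not ASA terminology.

```python
"""Parse Cisco ASA TCP teardown messages (%ASA-6-302014) and classify the
termination reason.  Added example; not Cisco code."""
import re
from collections import Counter

# Message shape (ASA 8.x): Teardown TCP connection <id> for <if>:<ip>/<port>
# [(user)] to <if>:<ip>/<port> [(user)] duration h:mm:ss bytes <n> [<reason>] [(user)]
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<a_if>[^:\s]+):(?P<a_ip>[^/\s]+)/(?P<a_port>\d+)(?: \([^)]*\))? to "
    r"(?P<b_if>[^:\s]+):(?P<b_ip>[^/\s]+)/(?P<b_port>\d+)(?: \([^)]*\))? "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>[^()]+?))?(?: \([^)]*\))?\s*$"
)

# Coarse categories for the reasons in Table 1-3 (names are this example's own).
REASON_CLASS = {
    "SYN Timeout": "no-handshake",   # 30 s passed without the three-way handshake completing
    "TCP FINs": "normal-close",
    "TCP Reset-I": "reset-by-inside",
    "TCP Reset-O": "reset-by-outside",
    "Conn-timeout": "idle",
    "Idle Timeout": "idle",
    "FIN Timeout": "half-closed",
    "Deny Terminate": "inspection",
    "Flow closed by inspection": "inspection",
    "Xlate Clear": "admin-clear",
}


def duration_seconds(text):
    """'0:00:30' -> 30; anything else -> None."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    h, m, s = (int(p) for p in parts)
    return h * 3600 + m * 60 + s


def parse_teardown(line):
    """Return the fields of a 302014 line as a dict, or None for any other line
    (for instance the 302013 'Built' message that precedes it)."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    reason = (d["reason"] or "").strip()
    return {
        "conn_id": int(d["conn_id"]),
        "a": (d["a_if"], d["a_ip"], int(d["a_port"])),   # endpoint after 'for'
        "b": (d["b_if"], d["b_ip"], int(d["b_port"])),   # endpoint after 'to'
        "seconds": duration_seconds(d["duration"]),
        "bytes": int(d["bytes"]),
        "reason": reason,
        "category": REASON_CLASS.get(reason, "other"),
    }


def handshake_failed(ev):
    """The pattern in this thread: a flow that never carried a byte and was torn
    down by SYN Timeout, i.e. the SYN went out but no SYN/ACK came back."""
    return ev["category"] == "no-handshake" and ev["bytes"] == 0


def summarize(lines):
    """Count teardowns per (ip, port, category) of the 'for' endpoint, which in
    the thread's log line is the web server being contacted."""
    counts = Counter()
    for line in lines:
        ev = parse_teardown(line)
        if ev is not None:
            counts[(ev["a"][1], ev["a"][2], ev["category"])] += 1
    return counts


# Constructed sample lines (203.0.113.10 stands in for the redacted public IP).
# The first is the thread's own line in ASDM's pipe-delimited format.
SAMPLE_LOGS = [
    "8:03|302014|203.0.113.10|80|192.168.200.34|17980|Teardown TCP connection 14844355 "
    "for outside:203.0.113.10/80 to inside:192.168.200.34/17980 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 14844390 for outside:203.0.113.10/80 "
    "to inside:192.168.200.9/51234 duration 0:00:02 bytes 5321 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 14844401 for outside:203.0.113.10/443 "
    "to inside:192.168.200.11/49152 duration 0:00:00 bytes 0 TCP Reset-O",
    "%ASA-6-302013: Built outbound TCP connection 14844355 for outside:203.0.113.10/80 "
    "(203.0.113.10/80) to inside:192.168.200.34/17980 (192.168.200.34/17980)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_teardown(line)
        if ev and handshake_failed(ev):
            print(f"conn {ev['conn_id']}: {ev['b'][1]} -> {ev['a'][1]}:{ev['a'][2]} "
                  f"no SYN/ACK within {ev['seconds']} s")
    for key, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(key, n)
```

Run against the thread's own line the parser reports 192.168.200.34 -> 203.0.113.10:80 with no SYN/ACK within 30 s, while the mail server's flow to the same server counts as a normal close; that split per (destination, category) is what distinguishes "the site is down" from "one host's traffic never gets a reply".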

Hi, thanks. If you look at the conf of the Internet router, can you see any NAT problems there? As the NAT for the mail server, from which I can access the website, looks the same as the NAT for the Internet...

When I do a tracert to the website from the mail server, the route is the same as the tracert from any other host, except for the breakout router's IP that changes.

I can access the website only from the mail server; no other hosts on my LAN can access it, and it's only this specific website, the one the CEO wants to access (don't you just love that), that does not work. Never had any other problems with any sites.

Thanks for your help so far, I'm out of ideas.

Hmm,

So I assume that 192.168.200.9 is the mail server from which connections are working?

It seems it has been configured with Policy Based Routing and its next hop address is modified for all traffic (and for some other public source network starting with 196.):

access-list 10 permit 192.168.200.9
access-list 20 permit 196.xx.xx.xx
!
route-map MAIL_VPN permit 10
 match ip address 10
 set ip next-hop 196.xx.xx.xx
!
route-map MAIL_VPN permit 20
 match ip address 20
 set ip next-hop 196.xx.xx.xx
!
interface FastEthernet0/0
 description "TO FIREWALL"
 ip address 172.1.1.10 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip policy route-map MAIL_VPN
 duplex auto
 speed auto

I am not sure why the connection to this website wouldn't work from the current ISP that holds the default route, BUT I guess you could try configuring a static route on the router for it, pointing it towards the same gateway IP address as is configured in the above Policy Based Routing for the mail server:

ip route 255.255.255.255

- Jouni

Hi, I tried what you mentioned above; still not working. It goes through the gateway of the mail server but still the same problem. I don't understand, because the mail server 200.9 also goes through the firewall, so the same thing should be happening, but it's not. Can this purely be that the website we are trying to connect to does not like the way the Internet edge router is configured?

Hi Jouni, this is the Internet edge device conf.

You will see we had to do this because we had 2 ADSL routers with 2 separate public IPs, one for Internet and one for the mail.

Current configuration : 2761 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MMHS-WILMED-ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$z/gK$ZmZYtqgG0LB.y0D8qgaSL0
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
interface FastEthernet0/0
 description "TO FIREWALL"
 ip address 172.1.1.10 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip policy route-map MAIL_VPN
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description "VPN"
 encapsulation dot1Q 101
 no snmp trap link-status
!
interface FastEthernet0/1.2
 description LINK TO INTERNET ADSL
 encapsulation dot1Q 201
 ip address 196.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/1.3
 description "OLD ADSL-MAIL ADSL"
 encapsulation dot1Q 200
 ip address 196.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
!
router rip
 version 2
 network 10.0.0.0
 network 172.1.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 196.xx.xx.xx
ip route 0.0.0.0 0.0.0.0 196.xx.xx.xx 90
ip route 196.xx.xx.xx 255.255.255.255 172.1.1.9
!
no ip http server
no ip http secure-server
ip nat pool INTERNET 196.xx.xx.xx 196.xx.xx.xx netmask 255.255.255.248
ip nat pool MAIL_VPN 196.xx.xx.xx 196.xx.xx.xx netmask 255.255.255.248
ip nat inside source list INTERNET pool INTERNET overload
ip nat inside source static 196.xx.xx.xx 196.xx.xx.xx
ip nat inside source static 192.168.200.9 196.xx.xx.xx
!
ip access-list extended INTERNAL
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 permit ip 192.168.202.0 0.0.0.255 any
 permit ip 192.168.203.0 0.0.0.255 any
 permit ip 192.168.204.0 0.0.0.255 any
 permit ip 192.168.199.0 0.0.0.255 any
 permit ip 192.168.207.0 0.0.0.255 any
ip access-list extended INTERNET
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 permit ip 192.168.202.0 0.0.0.255 any
 permit ip 192.168.203.0 0.0.0.255 any
 permit ip 192.168.204.0 0.0.0.255 any
 permit ip 192.168.199.0 0.0.0.255 any
 permit ip 192.168.207.0 0.0.0.255 any
!
access-list 10 permit 192.168.200.9
access-list 20 permit 196.xx.xx.xx
!
route-map MAIL_VPN permit 10
 match ip address 10
 set ip next-hop 196.xx.xx.xx
!
route-map MAIL_VPN permit 20
 match ip address 20
 set ip next-hop 196.xx.xx.xx
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password 7 15015A1F0F7A0B29253B26
 login
!
end

Hi,

The first "packet-tracer" output, using the interface "inside", is the correct one, as we are checking what happens to a packet coming from your LAN network towards the external web server.

As we can see, there is no NAT phase for the source address 192.168.200.11. This means the host goes through the firewall without any NAT applied to it. This means the connection will naturally be dropped by the ISP, since it's a private IP address.

Check the NAT configurations for this host. Make sure you have included it in your dynamic PAT rules.

- Jouni
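To make the NAT point concrete, here is an added example (not Cisco code and not from the thread) that reads pre-8.3 style nat/global/static lines like the ones posted above and reports which rule, if any, an outbound connection would hit. Two things it shows about the posted configuration: `global (outside) 1 interface` has no matching `nat (inside) 1 ...` statement, so no inside host gets dynamic PAT; and the `static (inside,outside) tcp ... www 192.168.200.34 www` rule added for testing only applies when the real source port is 80, which is why it matched the packet-tracer run (whose source port was given as `www`) but cannot cover a browser connection with an ephemeral source port such as the 17980 in the teardown log. Assumptions: ASA 8.2 rule syntax only (no policy NAT, no nat 0 exemption), `nat-control` disabled (the default, and consistent with the packet-tracer that showed no NAT phase yet allowed the flow), and the redacted 196.x address replaced by the documentation address 192.0.2.1; the `nat (inside) 1` line in the fixed variant is an assumed fix for illustration. What the Internet router does with untranslated private addresses afterwards is outside this check.

```python
"""Which ASA 8.2-style NAT rule would an outbound connection match?  Added
example, not Cisco code; handles only the rule shapes posted in this thread."""
import ipaddress
import re

STATIC_PORT_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
    r"(?: netmask (?P<mask>\S+))?$"
)
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped_ip>\S+) (?P<real_ip>\S+)"
    r"(?: netmask (?P<mask>\S+))?$"
)
NAT_RE = re.compile(r"^nat \((?P<if>\w+)\) (?P<id>\d+) (?P<net>\S+) (?P<mask>\S+)$")
GLOBAL_RE = re.compile(r"^global \((?P<if>\w+)\) (?P<id>\d+) (?P<pool>.+)$")

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}


def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_nat_config(text):
    """Collect static, nat and global lines; everything else is ignored."""
    rules = {"static": [], "nat": [], "global": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_PORT_RE.match(line):
            rules["static"].append({**m.groupdict(), "kind": "static-port"})
        elif m := STATIC_RE.match(line):
            rules["static"].append({**m.groupdict(), "kind": "static"})
        elif m := NAT_RE.match(line):
            rules["nat"].append(m.groupdict())
        elif m := GLOBAL_RE.match(line):
            rules["global"].append(m.groupdict())
    return rules


def unpaired_globals(rules):
    """global lines whose id has no nat statement at all: a pool nobody can use."""
    nat_ids = {n["id"] for n in rules["nat"]}
    return [f"global ({g['if']}) {g['id']}" for g in rules["global"] if g["id"] not in nat_ids]


def find_translation(rules, src_ip, src_port, in_if, out_if, proto="tcp"):
    """Describe the rule an outbound packet matches, or None when the ASA would
    forward it untranslated (nat-control off, as in the posted config).
    Order follows 8.2: static rules first, then dynamic nat/global pairs."""
    ip = ipaddress.ip_address(src_ip)
    for s in rules["static"]:
        if s["real_if"] != in_if or s["mapped_if"] != out_if:
            continue
        mask = s["mask"] or "255.255.255.255"
        if ip not in ipaddress.ip_network(f"{s['real_ip']}/{mask}", strict=False):
            continue
        if s["kind"] == "static-port":
            # a port static covers only the real port it names, not every source port
            if s["proto"] != proto or port_number(s["real_port"]) != src_port:
                continue
            return f"static PAT {s['real_ip']}/{s['real_port']} -> {s['mapped_ip']}/{s['mapped_port']}"
        return f"static NAT {s['real_ip']} -> {s['mapped_ip']}"
    for n in rules["nat"]:
        if n["if"] != in_if:
            continue
        if ip not in ipaddress.ip_network(f"{n['net']}/{n['mask']}", strict=False):
            continue
        for g in rules["global"]:
            if g["if"] == out_if and g["id"] == n["id"]:
                return f"dynamic PAT via nat id {n['id']} -> global ({out_if}) {g['pool']}"
    return None


# NAT lines as posted in the thread (192.0.2.1 stands in for the redacted 196.x address)
POSTED_NAT = """
global (outside) 1 interface
global (internet) 1 interface
static (inside,outside) tcp 192.0.2.1 www 192.168.200.34 www netmask 255.255.255.255
"""
# the same config with the missing dynamic rule added (an assumed fix, for illustration)
FIXED_NAT = POSTED_NAT + "nat (inside) 1 192.168.200.0 255.255.255.0\n"

if __name__ == "__main__":
    posted = parse_nat_config(POSTED_NAT)
    print("globals with no nat statement:", unpaired_globals(posted))
    # packet-tracer in the thread was run with source port www, so the port static matched ...
    print("src port 80:   ", find_translation(posted, "192.168.200.34", 80, "inside", "outside"))
    # ... a browser uses an ephemeral source port (17980 in the teardown log) and gets nothing
    print("src port 17980:", find_translation(posted, "192.168.200.34", 17980, "inside", "outside"))
    fixed = parse_nat_config(FIXED_NAT)
    print("after fix:     ", find_translation(fixed, "192.168.200.11", 17980, "inside", "outside"))
```

When re-running packet-tracer after a NAT change, give it a realistic ephemeral source port rather than `www`; with source port 80 the trace exercises the port static instead of the path a browser actually takes.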
