ASA 5555-X 9.4 could not access URL

soloaye
Level 1

Greetings

I have an ASA 5555-X ver 9.4. I have the basic setup - interface, NAT etc.

I have a problem accessing one URL, https://www.creditexpert.co.uk. All other URLs are accessible. This URL is accessible without the firewall, but with the ASA I have a problem. There is no access list blocking it. From the ASDM "packet tracer" it says it is reachable.

I did a packet capture on ASDM and could not see the "ACK" coming in, but on the router outside the ASA I can see the return packet. Please assist.

ASA# sh conn detail address 66.161.61.174
24010 in use, 34705 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, e - semi-distributed,
       F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       w - secondary domain backup,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

TCP outside-ISP-2: 66.161.61.174/443 inside: xx.xx.xx.xx/37420,
    flags sxaA , idle 2s, uptime 5s, timeout 30s, bytes 0

TCP outside-ISP-2: 66.161.61.174/443 inside: xx.xx.xx.xx/37419,
    flags sxaA , idle 2s, uptime 5s, timeout 30s, bytes 0
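As an added example (not part of this thread, and not Cisco tooling), a short Python script that parses the two 'show conn detail' records posted above, decodes the flags column with the legend the ASA itself printed, and marks TCP connections whose three-way handshake never completed. On these records the 's' and 'a' flags together with 'bytes 0' mean the ASA never saw the SYN-ACK from the outside host.

```python
import re

# Flag legend as printed by 'show conn detail' on the ASA 9.4 in this thread
# ('R' is listed twice there; both meanings are kept under one key).
LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "b": "TCP state-bypass or nailed", "C": "CTIQBE media",
    "c": "cluster centralized", "D": "DNS", "d": "dump", "E": "outside back connection",
    "e": "semi-distributed", "F": "outside FIN", "f": "inside FIN", "G": "group", "g": "MGCP",
    "H": "H.323", "h": "H.225.0", "I": "inbound data", "i": "incomplete", "J": "GTP",
    "j": "GTP data", "K": "GTP t3-response", "k": "Skinny media", "M": "SMTP data",
    "m": "SIP media", "n": "GUP", "O": "outbound data", "P": "inside back connection",
    "q": "SQL*Net data", "R": "outside acknowledged FIN / UDP SUNRPC", "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN", "T": "SIP", "t": "SIP transient",
    "U": "up", "V": "VPN orphan", "W": "WAAS", "w": "secondary domain backup",
    "X": "inspected by service module", "x": "per session", "Y": "director stub flow",
    "y": "backup stub flow", "Z": "Scansafe redirection", "z": "forwarding stub flow",
}

# One record spans two lines: the 5-tuple, then the flags and counters.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<out_if>\S+): (?P<out_ip>\S+)/(?P<out_port>\d+) "
    r"(?P<in_if>\S+): (?P<in_ip>\S+)/(?P<in_port>\d+),\s*flags (?P<flags>\w*) ?,"
    r" idle \S+, uptime \S+, timeout \S+, bytes (?P<bytes>\d+)", re.M)

def parse_conns(text):
    """Return one dict per connection with decoded flags and an embryonic verdict."""
    conns = []
    for m in CONN_RE.finditer(text):
        c = m.groupdict()
        c["bytes"] = int(c["bytes"])
        c["decoded"] = [LEGEND.get(f, f"unknown flag {f!r}") for f in c["flags"]]
        # Handshake never completed: not 'U' (up), still awaiting the outside
        # SYN ('s') or its ACK ('a'), and only the inside SYN has been seen.
        c["embryonic"] = (c["proto"] == "TCP" and "U" not in c["flags"]
                          and any(f in c["flags"] for f in "sa") and c["bytes"] == 0)
        conns.append(c)
    return conns

# The two records posted in the thread (inside address redacted there as xx.xx.xx.xx).
SAMPLE = """\
TCP outside-ISP-2: 66.161.61.174/443 inside: xx.xx.xx.xx/37420,
    flags sxaA , idle 2s, uptime 5s, timeout 30s, bytes 0
TCP outside-ISP-2: 66.161.61.174/443 inside: xx.xx.xx.xx/37419,
    flags sxaA , idle 2s, uptime 5s, timeout 30s, bytes 0
"""

if __name__ == "__main__":
    for c in parse_conns(SAMPLE):
        print(c["in_ip"], "->", f"{c['out_ip']}:{c['out_port']}", c["flags"], "EMBRYONIC" if c["embryonic"] else "up", "|", "; ".join(c["decoded"]))
```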

4 Replies

Akshay Rastogi
Cisco Employee

Hi,

- Please enable ASP captures on the ASA and see the output:

#capture asp type asp-drop all

- Run the traffic and check 'show cap asp | in <resolved-ip of this url>' or 'show cap asp det | in <resolved-ip of this url>' to see if there is any drop shown on the ASA. This would show the reason for the drop.


- Please look for syslogs for the drop at the time of the issue. Or check if you have enabled buffer logs and whether you can see any log.


Regards,

Akshay Rastogi

Thanks for the reply.

I have tried it, but I do not see anything in 'show cap asp det | in <resolved-ip of this url>'. I see a few other IPs, but not the resolved IP of this URL - 66.161.61.174.

On the router outside the ASA I have configured an access list (permit <resolved-ip of this url>) and can see the match - packets coming to the ASA.

Please assist.

Thanks

Solomon

Hi Solomon,

- I am expecting that the initiator is on the Inside, therefore you are not receiving the SYN-ACK.

- Do you see any corresponding syslogs, if you are not seeing it in the 'asp captures'?

- When you say the packet is seen on the router, is it the next-hop router on the Outside interface of the ASA?

- Also, could you try creating one access-list entry with the resolved IP as source, place it on the Outside interface in the inbound direction, and see if the hit count increases.


Regards,

Akshay Rastogi


prateek.verma
Level 1

Hi,

As the ASA is not receiving the ACK back, this connection is getting blocked somewhere after the ASA. Could you let me know what devices are there after the ASA? Also, try to telnet to the website's IP address on port 443 from your PC and check whether it is allowed or not.


Regards,

Prateek Verma
