01-15-2015 03:08 AM - edited 03-11-2019 10:20 PM
We have a Netscaler solely in the DMZ of the ASA. The Netscaler connects through to the XenApp server and maintains the connection with responses to the web interface server. This has been working fine, but it now errors with the following, continuously. I've packet traced on the ASA and these work. Any advice on either solving this issue or eliminating the ASA from my enquiries. Thanks
6 | Jan 15 2015 | 11:02:48 | 302014 | 10.28.24.108 | 48367 | 10.28.9.136 | 80 | Teardown TCP connection 126588323 for DMZ:10.28.24.108/48367 to Legacy:10.28.9.136/80 duration 0:00:00 bytes 0 TCP Reset-I |
01-15-2015 03:31 AM
Hi,
The "Reset-I" indicates that the connection was terminated by the host that is behind the ASA interface that has the higher "security-level" value. I presume that in this case it's the "Legacy" interface.
So it seems that the server behind the "Legacy" interface terminates the connection and no data has been transmitted on the connection.
So I would start by checking what happens on the server itself.
You can naturally take a traffic capture on the ASA and upload that captured data to your computer and go through it with Wireshark. Though I imagine in this case there is not that much traffic.
Your capture configuration might look something like this
access-list NETSCALER-CAP permit ip host 10.28.24.108 host 10.28.9.136
access-list NETSCALER-CAP permit ip host 10.28.9.136 host 10.28.24.108
capture NETSCALER-CAP type raw-data packet-length 1522 access-list NETSCALER-CAP interface Legacy buffer 33500000 circular-buffer
Notice with the above configuration that the buffer amount is pretty much the maximum for a single capture. If for some reason you had very high memory usage on the ASA then I would suggest using a smaller buffer size, since the above is 33.5 MB.
Also notice that if you have NAT configured between these interfaces for this traffic (that we cannot see from the Teardown message alone) then you will have to take into consideration the possible NAT IP addresses when configuring the above ACL that defines the captured traffic.
After the capture is configured you can use the following commands to show if anything is hitting the capture and the actual capture contents on the CLI
show capture
show capture NETSCALER-CAP
I would suggest though that you copy the capture to your computer with the command
copy /pcap capture:NETSCALER-CAP tftp://<host ip>/NETSCALER-CAP.pcap
You can then open the resulting file on your computer with Wireshark and go through it more easily than on the CLI.
You can remove the capture and captured data with the command
no capture NETSCALER-CAP
You will need to remove the ACL created separately.
Hope this helps :)
- Jouni
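The answer above reads a single 302014 teardown message by eye. When the ASA is sending syslog to a collector, the same interpretation can be automated: parse the teardown message, work out which endpoint sent the RST from the Reset-I/Reset-O flag and the interface security levels, and flag hosts that keep resetting connections before any bytes flow. The following is an added example written for this thread, not code from Cisco or from the original posters. The sample log lines are constructed (only the first connection ID, addresses and interface names are taken from the thread), the `%ASA-6-302014:` prefix assumes the plain syslog form of the message rather than the ASDM table shown in the question, and the set of high-security interfaces (`{"Legacy"}`) is an assumption matching the answer's reading of the message.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Plain-syslog form of ASA message 302014 (TCP connection teardown).
# Assumed layout: "... for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes N <reason>".
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Meaning of the common teardown reasons, as the answer above explains Reset-I.
REASON_HINTS = {
    "TCP Reset-I": "RST sent by the host on the higher-security interface",
    "TCP Reset-O": "RST sent by the host on the lower-security interface",
    "TCP FINs": "normal close, both sides sent FIN",
    "SYN Timeout": "three-way handshake never completed",
}


@dataclass(frozen=True)
class Teardown:
    conn_id: int
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    duration_s: int
    byte_count: int
    reason: str


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one 302014 syslog line; return None for any other message."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.group("duration").split(":"))
    return Teardown(
        conn_id=int(m.group("conn")),
        src_if=m.group("src_if"), src_ip=m.group("src_ip"), src_port=int(m.group("src_port")),
        dst_if=m.group("dst_if"), dst_ip=m.group("dst_ip"), dst_port=int(m.group("dst_port")),
        duration_s=hours * 3600 + minutes * 60 + seconds,
        byte_count=int(m.group("bytes")),
        reason=m.group("reason").strip(),
    )


def reset_sender(ev: Teardown, high_security_ifaces: Set[str]) -> Optional[Tuple[str, str, int]]:
    """Return (interface, ip, port) of the endpoint that sent the RST, or None if not a reset.

    Reset-I means the reset came from the higher-security side, Reset-O from the
    lower-security side; which endpoint that is depends on the interface the
    connection was initiated from, so the caller supplies the high-security set.
    """
    src = (ev.src_if, ev.src_ip, ev.src_port)
    dst = (ev.dst_if, ev.dst_ip, ev.dst_port)
    if ev.reason == "TCP Reset-I":
        return src if ev.src_if in high_security_ifaces else dst
    if ev.reason == "TCP Reset-O":
        return dst if ev.src_if in high_security_ifaces else src
    return None


def find_refusing_hosts(lines: Iterable[str], high_security_ifaces: Set[str],
                        min_count: int = 2) -> Dict[Tuple[str, str], int]:
    """Count zero-byte resets per resetting host; return those seen at least min_count times.

    A host that repeatedly resets connections with "bytes 0" is refusing them
    before any application data flows, which points at the server (or its
    service) rather than at the firewall.
    """
    counts: Counter = Counter()
    for line in lines:
        ev = parse_teardown(line)
        if ev is None or ev.byte_count != 0:
            continue
        sender = reset_sender(ev, high_security_ifaces)
        if sender is not None:
            counts[(sender[0], sender[1])] += 1
    return {host: n for host, n in counts.items() if n >= min_count}


# Constructed sample log: the first line mirrors the thread's message, the rest are made up.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 126588323 for DMZ:10.28.24.108/48367 to Legacy:10.28.9.136/80 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 126588324 for DMZ:10.28.24.108/48368 to Legacy:10.28.9.136/80 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 126588325 for DMZ:10.28.24.108/48369 to Legacy:10.28.9.136/80 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 126588330 for DMZ:10.28.24.108/48370 to Legacy:10.28.9.140/443 duration 0:01:12 bytes 58213 TCP FINs
%ASA-6-302014: Teardown TCP connection 126588331 for Legacy:10.28.9.50/51022 to DMZ:10.28.24.108/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302013: Built inbound TCP connection 126588335 for DMZ:10.28.24.108/48371 (10.28.24.108/48371) to Legacy:10.28.9.136/80 (10.28.9.136/80)
""".splitlines()

if __name__ == "__main__":
    for (iface, ip), n in find_refusing_hosts(SAMPLE_LOG, {"Legacy"}).items():
        print(f"{iface}:{ip} reset {n} connections with no data transferred")
    ev = parse_teardown(SAMPLE_LOG[0])
    print(ev.reason, "->", REASON_HINTS.get(ev.reason, "see the ASA syslog message guide"))
```

Run against the constructed sample, the script reports `Legacy:10.28.9.136` as the host resetting connections with no data, which is exactly the conclusion the answer draws from the single message. Feeding it a real syslog export lets you see whether the resets are confined to one server and port (a service problem, as turned out to be the case here) or spread across many hosts.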
01-15-2015 07:47 AM
Thanks for the information, very useful. The RSTs are being caused by the server because the Citrix XenApp licenses have expired.