Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

791
Views
0
Helpful
0
Replies
Highlighted
StevieOliver_2
Beginner
Beginner
‎01-26-2012 02:00 PM
‎01-26-2012 02:00 PM

ASA and SSL session reset

Hi

I have an ASA between a client and server hosting an https page.

When I rowse from some subnets all is ok.  I get the page delivered.  The beginning of this capture is below.  The session continues successfully.

1: 13:47:24.578049 10.200.205.42.57648 > 10.192.0.20.443: S 812340862:812340862(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>

   2: 13:47:24.579651 10.192.0.20.443 > 10.200.205.42.57648: S 2345509625:2345509625(0) ack 812340863 win 8192 <mss 1380,nop,wscale 8>

   3: 13:47:24.581207 10.200.205.42.57648 > 10.192.0.20.443: . ack 2345509626 win 4410

   4: 13:47:24.584503 10.200.205.42.57648 > 10.192.0.20.443: P 812340863:812341069(206) ack 2345509626 win 4410

   5: 13:47:24.587555 10.192.0.20.443 > 10.200.205.42.57648: P 2345509626:2345509712(86) ack 812341069 win 260

   6: 13:47:24.587555 10.192.0.20.443 > 10.200.205.42.57648: P 2345509712:2345509718(6) ack 812341069 win 260

   7: 13:47:24.587722 10.192.0.20.443 > 10.200.205.42.57648: P 2345509718:2345509771(53) ack 812341069 win 260

However some other clients get a reset when browsing.  That capture is below

1: 21:27:31.347684 10.64.144.10.3608 > 10.192.0.20.443: S 1469452352:1469452352(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
   2: 21:27:31.356930 10.192.0.20.443 > 10.64.144.10.3608: S 3634167830:3634167830(0) ack 1469452353 win 8192 <mss 1380,nop,wscale 8>
   3: 21:27:31.357372 10.64.144.10.3608 > 10.192.0.20.443: . ack 3634167831 win 64000
   4: 21:27:31.357449 10.64.144.10.3608 > 10.192.0.20.443: P 1469452353:1469452527(174) ack 3634167831 win 64000
   5: 21:27:34.309905 10.64.144.10.3608 > 10.192.0.20.443: P 1469452353:1469452527(174) ack 3634167831 win 64000
   6: 21:27:34.309996 10.192.0.20.443 > 10.64.144.10.3608: R 3634167831:3634167831(0) ack 1469452527 win 64000

Probably not ASA related but has anyone seen anything like this ?  The sent window size is very different in each case but don't know if it's related to the issue.

There is a SSM module in the ASA but I have turned off inspection for troubleshooting purposes.

Any input appreciated.

Thanks, Stephen.

Labels:
Everyone's tags (4)
0 Helpful
Reply
Latest Contents
AnyConnect 4.9 requires more stringent cryptography settings...
Created by Peter Davis on 07-08-2020 12:18 PM
0
10
0
10
Please note that the minimum cryptography settings in AnyConnect 4.9 have been increased. Please ensure that your head-end is properly configured for the more stringent cryptography settings (if applicable) or users will be unable to connect after updatin... view more
Companion Guide for TETRA Update Server Deployment
Created by dkrull on 07-08-2020 07:25 AM
0
0
0
0
  Overview In this guide will we be taking a look at how to configure the web.config file using the URL Rewrite tool when deploying the TETRA update server. This guide is meant as a companion to the existing guides and to help fill in some in... view more
AMP for Endpoints Bandwidth Consumption and Considerations
Created by dkrull on 07-07-2020 09:49 PM
0
0
0
0
    Note: This guide is provided as a best effort to better help users understand the potential impact running multiple clients with TETRA, SPERO, ETHOS, DFC and SHA256 Lookups enabled and their bandwidth usage. The sizes in these guides are s... view more
Why am I suddenly being prompted to create a new organizatio...
Created by diddly on 07-07-2020 01:23 PM
0
0
0
0
Question When I log into my application, I'm suddenly asked to create a new organization. Did something change or migrate? I already had an organization. Short Answer You may be starting from security.cisco.com and mistakenly clicking "SecureX sign-on... view more
I setup SecureX sign-on, why do I have to sign into AMP agai...
Created by diddly on 07-07-2020 10:28 AM
0
0
0
0
Question I followed these instructions and setup all my accounts to use SecureX sign-on, including my AMP account (my Cisco Security Account - CSA). When I use SecureX, and I click on the AMP "launch" button, I have to login again. Why?  --->&nbs... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad