ASA Inspection issue - ASA cluster

girchand · ‎05-09-2016

Hello ,

We had a migration from an existing FWSM to ASA cluster.Configurations are exactly replicated with the new commands.

Issue description:-

We have two interfaces-Outside and DMZ.

Application server is in DMZ and a DB server is in outside.Application servers communicates to DB server on port 6516.

Telnet from Application server on port 6516 of DB servers is successfull,but the actual traffic is dropped.

Below is a capture in which resets can be found.

2: 14:09:34.189473 802.1Q vlan#34 P0 10.14.4.50.4121 > 10.20.90.190.6516: . ack 2648727807 win 63885 <nop,nop,sack sack 1 {2648729267:2648730145} >
3: 14:09:34.189534 802.1Q vlan#34 P0 10.14.4.50.4121 > 10.20.90.190.6516: . ack 2648727807 win 63885 <nop,nop,sack sack 1 {2648729267:2648730145} >
4: 14:09:34.189595 802.1Q vlan#34 P0 10.20.90.190.6516 > 10.14.4.50.4121: R 2648727807:2648727807(0) ack 3016827915 win 63885

Troubleshooting done:-

Removed sqlnet inspection from the global service policy - issue persist

Checked the mtu throught out the path.

Any help is a highly appreciated.

Regards

Gireesh

Aditya Ganjoo · ‎05-09-2016

Hi Girish,

By default the sqlnet inspection port is 1521 and in your case it is 6516.

Can you change it to inspect port 6516 and then test ?

Use fixup protocol sqlnet 6516

If it still does not work please share the captures in .pcap format.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

girchand · ‎05-26-2016

hello,

I got resolved after changing the mss settings

Regards

Gireesh

mohanB · ‎04-10-2017

Hi Girchand,

We are having similar issues after we migrate ASA HA to clustering, with SQLNET, what did you change with mtu settings, if you recall.

Thank You,

Mohan

girchand · ‎04-10-2017

Hello Mohan,

What is the sysopt connection tcpmss value configured?

Regards

Gireesh

mohanB · ‎04-11-2017

Its 1380