01-28-2012 08:23 AM - edited 03-11-2019 03:20 PM
I'm sure this is a simple configuration issue but here is my issue:
We are running an HTTPS service on a host that is connected to our DMZ network on our ASA. This host and ASA can communicate just fine. I've created an ACL rule that allows HTTPS traffic from the outside world to the host's DMZ IP address. I've also created a static NAT for the host's DMZ IP address to the host's public IP address. A request from the outside world creates a connection and can be seen via Wireshark on the host. However, a full handshake does not complete.
I see the following on the ASA:
show conn reports
TCP Internet 173.3.X.X:46061 DMZ 10.18.X.X:443, idle 0:00:00, bytes 0, flags SaAB
During this connection in Wireshark on the host I see the HTTPS request coming from the 173.3.X.X address which is followed by the host performing an ARP request asking who owns 173.3.X.X. This is where the communications chain stops. The 173.3.X.X host continues to try to access the site and I see the requests in Wireshark. I see the DMZ host continually request ARP for who owns 173.3.X.X but it never receives a reply.
Other hosts on this DMZ are working with other services (i.e. SMTP) but this one is not.
My ACL is:
access-list Internet_IN extended permit tcp any host 10.18.X.X eq https
My NAT is:
object network PublicServer_NAT4 (which equals 10.18.X.X)
nat (DMZ, Internet) static 24.38.X.X (which is the public IP of this service)
I've also restarted the ASA as I have seen strange issues like this fixed by a reboot in my past.
I'm running ASA v8.3.1.
Any help would be greatly appreciated.
Mike
01-28-2012 08:43 AM
Looks like the server is not responding with a SYN-ACK. You should troubleshoot on the app level.
01-28-2012 09:01 AM
Ajay - thank you for your response.
I did solve my problem. It hit me after I posted my discussion (sometimes just saying it out loud helps). Anyway...
It hit me that the NIC shouldn't have been making an ARP request for an IP not on its network. If anything it should have been asking ARP for the MAC of the default gateway.
There was nothing in the configuration of the host that indicated a problem so I simply rebooted the host and everything is working.
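As an added illustration of the two clues in this thread (a conn entry stuck at bytes 0, and a host ARPing for an address that is not on its subnet), here is a small Python checker; it is not part of the thread, and the DMZ host address, netmask, gateway and the filled-in octets of the masked IPs are constructed placeholders.

```python
import ipaddress
import re

# Constructed addressing for the DMZ host; the thread masks the real values as 10.18.X.X / 173.3.X.X.
DMZ_HOST_IP = "10.18.0.10"
DMZ_NETMASK = "255.255.255.0"
DMZ_GATEWAY = "10.18.0.1"  # assumed: the ASA's DMZ interface address
# Constructed copy of the thread's 'show conn' line with the masked octets filled in.
SHOW_CONN_LINE = ("TCP Internet 173.3.1.1:46061 DMZ 10.18.0.10:443, "
                  "idle 0:00:00, bytes 0, flags SaAB")

CONN_RE = re.compile(
    r"TCP (?P<out_if>\S+) (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"(?P<in_if>\S+) (?P<in_ip>[\d.]+):(?P<in_port>\d+), idle (?P<idle>\S+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)"
)

def parse_show_conn(line):
    """Split one ASA 'show conn' TCP line into its fields; raise on anything else."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised show conn line: %r" % line)
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    return conn

def expected_arp_target(host_ip, netmask, gateway, peer_ip):
    """IP the host must ARP for to reach peer_ip: the peer if on-link, else the gateway."""
    net = ipaddress.ip_network("%s/%s" % (host_ip, netmask), strict=False)
    return peer_ip if ipaddress.ip_address(peer_ip) in net else gateway

def diagnose(line, host_ip, netmask, gateway, observed_arp_target):
    """Combine the ASA conn entry with the ARP target seen in the host's packet capture."""
    conn = parse_show_conn(line)
    want = expected_arp_target(host_ip, netmask, gateway, conn["out_ip"])
    findings = []
    if conn["bytes"] == 0:
        findings.append("conn has bytes 0: the DMZ host never answered the SYN")
    if observed_arp_target != want:
        findings.append("host ARPs for %s but should ARP for %s (peer is off-link)"
                        % (observed_arp_target, want))
    return conn, want, findings

if __name__ == "__main__":
    conn, want, findings = diagnose(SHOW_CONN_LINE, DMZ_HOST_IP, DMZ_NETMASK,
                                    DMZ_GATEWAY, observed_arp_target="173.3.1.1")
    print(conn["flags"], want, *findings, sep="\n")
```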