cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2620
Views
15
Helpful
11
Replies

ASA5505 teardown RDP connection inside-dmz

Guys hi! In previous post I had successfully create "outside-dmz-inside" network. It works, but not good. When I try connect from PC (10.17.20.3) in inside-subnet to GW-PC (10.17.19.1) in dmz-subnet RDP connects but in 5-25 sec my connection teardown and RDP window close.  After 1-3 attempts RDP connection restore and PING log shows time =1 ms. Please help me find the reason of this error.

 

ASA logging:

%ASA-6-302014: Teardown TCP connection 737 for dmz:10.17.19.1/3389 to inside:10.17.20.3/54432 duration 0:00:09 bytes 27409 TCP Reset-I
%ASA-6-302013: Built outbound TCP connection 751 for dmz:10.17.19.1/3389 (10.17.19.1/3389) to inside:10.17.20.3/54447 (10.17.20.3/54447)
%ASA-6-302020: Built outbound ICMP connection for faddr 10.17.19.1/0 gaddr 10.17.20.3/1 laddr 10.17.20.3/1
%ASA-6-302014: Teardown TCP connection 729 for dmz:10.17.19.1/3389 to inside:10.17.20.3/54427 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302021: Teardown ICMP connection for faddr 10.17.19.1/0 gaddr 10.17.20.3/1 laddr 10.17.20.3/1
%ASA-6-302020: Built outbound ICMP connection for faddr 10.17.19.1/0 gaddr 10.17.20.3/1 laddr 10.17.20.3/1%ASA-6-302021: Teardown ICMP connection for faddr 10.17.19.1/0 gaddr 10.17.20.3/1 laddr 10.17.20.3/1
%ASA-6-302020: Built outbound ICMP connection for faddr 10.17.19.1/0 gaddr 10.17.20.3/1 laddr 10.17.20.3/1
%ASA-6-302021: Teardown ICMP connection for faddr 10.17.19.1/0 gaddr 10.17.20.3/1 laddr 10.17.20.3/1

 

Actual ASA config:

 

interface Ethernet0/0
description WANPORT
!
interface Ethernet0/1
description DMZPORT
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
description INSIDEPORT03
switchport access vlan 3
!
interface Ethernet0/4
description INSIDEPORT04
switchport access vlan 3
!
interface Ethernet0/5
description INSIDEPORT05
switchport access vlan 3
!
interface Ethernet0/6
description INSIDEPORT06
switchport access vlan 3
!
interface Ethernet0/7
description INSIDEPORT07
switchport access vlan 3
!
interface Vlan1
nameif outside
security-level 0
ip address 10.10.10.84 255.255.255.0
!
interface Vlan2
nameif dmz
security-level 50
ip address 10.17.19.254 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 10.17.20.254 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name blablabla.com
object network GW-PC
host 10.17.19.1
object network inside-subnet
subnet 10.17.20.0 255.255.255.0
object network dmz-subnet
subnet 10.17.19.0 255.255.255.0
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit tcp any any
access-list dmz_acl extended permit udp any any
access-list dmz_acl extended permit icmp any any
access-list rdp_acl extended permit tcp any object GW-PC
pager lines 24
logging enable
logging buffered informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network GW-PC
nat (dmz,outside) static interface service tcp https https
object network dmz-subnet
nat (dmz,outside) dynamic interface
access-group rdp_acl in interface outside
access-group dmz_acl in interface dmz

1 Accepted Solution

Accepted Solutions

Your IP configuration is causing the issue. Your PC 10.17.20.3 with 255.255.0.0 (/16) subnet mask will always try to reach to GW-PC 10.17.19.1 with subnet mask 255.255.0.0 (/16) locally. As PC 10.17.20.3 always think that it is connected to same broadcast domain and it will not send packet to Gateway for it.

I would say change subnet of both the PC and GW-PC to 255.255.255.0 (/24). Along with this all the other system should also need to reconfigured with the /24 subnet mask. If you don't want to change subnet than you have to use other IP address range rather than 10.17.x.x.
ASA interfaces should also configured with the 255.255.255.0(/24) subnet.



HTH
### RATE ALL HELPFUL RESPONSES ###

View solution in original post

11 Replies 11

Could you please provide a full running configuration of your ASA (remember to remove any public IPs, usernames and passwords) as you are missing the time out configurations as well as routing and possible some other configuration that might give insight into the issue.

 

From the log output you provided it looks like the PC on the inside interface is sending a reset.  Could be that the PC is wainting on a response from the server but never gets it.

%ASA-6-302014: Teardown TCP connection 737 for dmz:10.17.19.1/3389 to inside:10.17.20.3/54432 duration 0:00:09 bytes 27409 TCP Reset-I

 

Set up a capture on the ASA (in ASDM go to Wizards > Packet Capture Wizard) and then view that capture in wireshark and look for drops/resets.  You might also want to have wireshark running on the server and PC at the same time so you can correlate the captures on the ASA to the endpoints.

--
Please remember to select a correct answer and rate helpful posts

ASA Version 8.4(2)
!
hostname Lucky
domain-name dfsdfsdfsdfsdfd
names
!
interface Ethernet0/0
description WANPORT
!
interface Ethernet0/1
description DMZPORT
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
description INSIDEPORT03
switchport access vlan 3
!
interface Ethernet0/4
description INSIDEPORT04
switchport access vlan 3
!
interface Ethernet0/5
description INSIDEPORT05
switchport access vlan 3
!
interface Ethernet0/6
description INSIDEPORT06
switchport access vlan 3
!
interface Ethernet0/7
description INSIDEPORT07
switchport access vlan 3
!
interface Vlan1
nameif outside
security-level 0
ip address 10.10.10.84 255.255.255.0
!
interface Vlan2
nameif dmz
security-level 50
ip address 10.17.19.254 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 10.17.20.254 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name blablabla.com
object network GW-PC
host 10.17.19.1
object network inside-subnet
subnet 10.17.20.0 255.255.255.0
object network dmz-subnet
subnet 10.17.19.0 255.255.255.0
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended permit tcp any any
access-list dmz_acl extended permit udp any any
access-list dmz_acl extended permit icmp any any
access-list rdp_acl extended permit tcp any object GW-PC
pager lines 24
logging enable
logging buffered informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network GW-PC
nat (dmz,outside) static interface service tcp https https
object network dmz-subnet
nat (dmz,outside) dynamic interface
access-group rdp_acl in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination address http https://tools.cisco.com/its/service/oddce/services/DD
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end

 

NETWORK STRUCTURE is in attachment

I don't think that there is PC or GW-PC problem. When I connect PC and GW-PC through simple network switch RDP works without any problem. When I connect PC and GW-PC through the ASA I get teardown error. Also when teardown  error occurs I get ping timeout between PC and GW-PC

What license do you have installed on the ASA5505?

--
Please remember to select a correct answer and rate helpful posts

Sorry, how to check ASA license?

show version

License info should be towards the bottom of the output.
--
Please remember to select a correct answer and rate helpful posts

Marius, show version log is here:

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
Lucky up 4 hours 59 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is e865.49db.09ff, irq 11
1: Ext: Ethernet0/0 : address is e865.49db.09f7, irq 255
2: Ext: Ethernet0/1 : address is e865.49db.09f8, irq 255
3: Ext: Ethernet0/2 : address is e865.49db.09f9, irq 255
4: Ext: Ethernet0/3 : address is e865.49db.09fa, irq 255
5: Ext: Ethernet0/4 : address is e865.49db.09fb, irq 255
6: Ext: Ethernet0/5 : address is e865.49db.09fc, irq 255
7: Ext: Ethernet0/6 : address is e865.49db.09fd, irq 255
8: Ext: Ethernet0/7 : address is e865.49db.09fe, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Serial Number: ************
Running Permanent Activation Key: ************************
Configuration register is 0x1
Configuration last modified by enable_15 at 06:28:00.559 UTC Sun Sep 29 2019

Need some more information about your network. 

RDP PC details required:

IP Address:         10.17.20.3

Subnet Mask:

Gateway:

 

GW-PC details required:

IP Address:         10.17.19.1

Subnet Mask:

Gateway:

 

 

Moreover, as you mentioned that ping between the two also suffers.

Can you run continues between them and check that what is the status? 

While running ping between the two, can you check Gateway ping by running continues ping?

What are the devices in between PC and GW-PC for example PC >> SWITCH >> ASA >> SWITCH >> GW-PC?

Please check intermediate devices as well. 

 

 

HTH

### RATE ALL HELPFUL RESPONSES ###

 

PC  - inside-subnet

ip    10.17.20.3

sub 255.255.0.0

gw  10.17.20.254

 

GW-PC  - inside-subnet

ip    10.17.19.1

sub 255.255.0.0

gw  10.17.19.254

 

network map PC >> ASA >> GW-PC. Without any switch.

It is very strange.

 

Ping 10.17.19.1 -> 10.17.19.254 always OK.

Ping 10.17.19.1 -> 10.17.20.3 timeout when RDP connection drops.

Ping 10.17.20.3 -> 10.17.20.254 always OK.

 

 

Your IP configuration is causing the issue. Your PC 10.17.20.3 with 255.255.0.0 (/16) subnet mask will always try to reach to GW-PC 10.17.19.1 with subnet mask 255.255.0.0 (/16) locally. As PC 10.17.20.3 always think that it is connected to same broadcast domain and it will not send packet to Gateway for it.

I would say change subnet of both the PC and GW-PC to 255.255.255.0 (/24). Along with this all the other system should also need to reconfigured with the /24 subnet mask. If you don't want to change subnet than you have to use other IP address range rather than 10.17.x.x.
ASA interfaces should also configured with the 255.255.255.0(/24) subnet.



HTH
### RATE ALL HELPFUL RESPONSES ###

Thank you!!! You was right!!!
I changed subned 255.255.255.0 and now all works witout problem.
Review Cisco Networking for a $25 gift card