cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1718
Views
0
Helpful
2
Replies

ASA5510: TCP connection not possible while ICMP & UDP is ok

swscco001
Level 3
Level 3

Hello everybody,

I have a problem with a ASA5510 (8.4(7)30) that cannot realize a TCP connection (SMB)
while ICMP & UDP is possible between the networks.

A machine (10.50.1.52 on IF if1_RSA-Cutting) cannot send data to a file server (10.1.3.6
on IF if1_Hausnetz). Both networks are directly connected to the ASA.

In the loggin I see the following:

6|May 13 2020|14:35:08|106015|10.50.1.52|50371|10.1.3.6|80|Deny TCP (no connection) from 10.50.1.52/50371 to 10.1.3.6/80 flags RST  on interface if1_RSA-Cutting
6|May 13 2020|14:35:08|302014|10.50.1.52|50371|10.1.3.6|80|Teardown TCP connection 227790763 for if1_RSA-Cutting:10.50.1.52/50371 to if1_Hausnetz:10.1.3.6/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 13 2020|14:35:08|302013|10.50.1.52|50371|10.1.3.6|80|Built inbound TCP connection 227790763 for if1_RSA-Cutting:10.50.1.52/50371 (10.50.1.52/50371) to if1_Hausnetz:10.1.3.6/80 (10.1.3.6/80)
6|May 13 2020|14:35:06|302014|10.50.1.52|922|10.1.3.6|111|Teardown TCP connection 227789955 for if1_RSA-Cutting:10.50.1.52/922 to if1_Hausnetz:10.1.3.6/111 duration 0:00:30 bytes 0 SYN Timeout
6|May 13 2020|14:35:02|106015|10.50.1.52|50371|10.1.3.6|80|Deny TCP (no connection) from 10.50.1.52/50371 to 10.1.3.6/80 flags RST  on interface if1_RSA-Cutting
6|May 13 2020|14:35:02|302014|10.50.1.52|50371|10.1.3.6|80|Teardown TCP connection 227790637 for if1_RSA-Cutting:10.50.1.52/50371 to if1_Hausnetz:10.1.3.6/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 13 2020|14:35:02|302013|10.50.1.52|50371|10.1.3.6|80|Built inbound TCP connection 227790637 for if1_RSA-Cutting:10.50.1.52/50371 (10.50.1.52/50371) to if1_Hausnetz:10.1.3.6/80 (10.1.3.6/80)
6|May 13 2020|14:35:00|302013|10.50.1.52|50372|172.29.103.1|48010|Built outbound TCP connection 227790556 for if0_WAN:172.29.103.1/48010 (172.29.103.1/48010) to if1_RSA-Cutting:10.50.1.52/50372 (217.5.216.42/50372)
6|May 13 2020|14:35:00|305011|10.50.1.52|50372|217.5.216.42|50372|Built dynamic TCP translation from if1_RSA-Cutting:10.50.1.52/50372 to if0_WAN:217.5.216.42/50372
6|May 13 2020|14:34:59|302014|10.50.1.52|50371|10.1.3.6|80|Teardown TCP connection 227790516 for if1_RSA-Cutting:10.50.1.52/50371 to if1_Hausnetz:10.1.3.6/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 13 2020|14:34:59|302013|10.50.1.52|50371|10.1.3.6|80|Built inbound TCP connection 227790516 for if1_RSA-Cutting:10.50.1.52/50371 (10.50.1.52/50371) to if1_Hausnetz:10.1.3.6/80 (10.1.3.6/80)
6|May 13 2020|14:34:59|302013|10.50.1.52|925|10.1.3.6|111|Built inbound TCP connection 227790515 for if1_RSA-Cutting:10.50.1.52/925 (10.50.1.52/925) to if1_Hausnetz:10.1.3.6/111 (10.1.3.6/111)

The connection entry looks different as the other entries:

w-cham/act/pri# sh conn prot tcp | in 10.50.1.52
TCP if1_RSA-Cutting 10.50.1.52:992 if1_Hausnetz 10.1.3.6:111, idle 0:00:00, bytes 0, flags SaAB

"S" means that an inside SYN is expected.

At a capture on the ingress (if1_RSA-Cutting) and egress (if1_Hausnetz) shows just initial SYNs
and then only RSTs from the machine. (short captures attached)

In the configuration (attached) I don't see a reason that this TCP connection is not possible but
while ICMP & UDP is possible between the networks.

Has anyone an idea what the reason could be or where I should continue to search.

Every hint is welcome!!!

Thanks a lot!

1 Accepted Solution

Accepted Solutions

Hi RJI,

 

thanks for your fast reply!

The machine and the file server are directly connected to the ASA (no further router). So routing should not play a role(?).

If there were a problem with routing or NAT why ICMP and UDP is possible?

I'd like to hear your opinion.

Thanks a lot!

View solution in original post

2 Replies 2

Hi,
Asymmetric routing or an issue with nat perhaps.

Can you run packet tracer and provide the output, e.g.
packet-tracer input if1_RSA-Cutting tcp 10.50.1.52 992 10.1.3.6.111 80 detail

 

Can you test whilst running a capture and provide the output

 

cap CAP1 type asp-drop all real-time

Hi RJI,

 

thanks for your fast reply!

The machine and the file server are directly connected to the ASA (no further router). So routing should not play a role(?).

If there were a problem with routing or NAT why ICMP and UDP is possible?

I'd like to hear your opinion.

Thanks a lot!

Review Cisco Networking for a $25 gift card