Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1562
Views
0
Helpful
2
Replies

ASA5510: TCP connection not possible while ICMP & UDP is ok

Go to solution
swscco001
Level 1
Level 1

‎05-13-2020 11:18 AM

Hello everybody,

I have a problem with a ASA5510 (8.4(7)30) that cannot realize a TCP connection (SMB)
while ICMP & UDP is possible between the networks.

A machine (10.50.1.52 on IF if1_RSA-Cutting) cannot send data to a file server (10.1.3.6
on IF if1_Hausnetz). Both networks are directly connected to the ASA.

In the loggin I see the following:

6|May 13 2020|14:35:08|106015|10.50.1.52|50371|10.1.3.6|80|Deny TCP (no connection) from 10.50.1.52/50371 to 10.1.3.6/80 flags RST  on interface if1_RSA-Cutting
6|May 13 2020|14:35:08|302014|10.50.1.52|50371|10.1.3.6|80|Teardown TCP connection 227790763 for if1_RSA-Cutting:10.50.1.52/50371 to if1_Hausnetz:10.1.3.6/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 13 2020|14:35:08|302013|10.50.1.52|50371|10.1.3.6|80|Built inbound TCP connection 227790763 for if1_RSA-Cutting:10.50.1.52/50371 (10.50.1.52/50371) to if1_Hausnetz:10.1.3.6/80 (10.1.3.6/80)
6|May 13 2020|14:35:06|302014|10.50.1.52|922|10.1.3.6|111|Teardown TCP connection 227789955 for if1_RSA-Cutting:10.50.1.52/922 to if1_Hausnetz:10.1.3.6/111 duration 0:00:30 bytes 0 SYN Timeout
6|May 13 2020|14:35:02|106015|10.50.1.52|50371|10.1.3.6|80|Deny TCP (no connection) from 10.50.1.52/50371 to 10.1.3.6/80 flags RST  on interface if1_RSA-Cutting
6|May 13 2020|14:35:02|302014|10.50.1.52|50371|10.1.3.6|80|Teardown TCP connection 227790637 for if1_RSA-Cutting:10.50.1.52/50371 to if1_Hausnetz:10.1.3.6/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 13 2020|14:35:02|302013|10.50.1.52|50371|10.1.3.6|80|Built inbound TCP connection 227790637 for if1_RSA-Cutting:10.50.1.52/50371 (10.50.1.52/50371) to if1_Hausnetz:10.1.3.6/80 (10.1.3.6/80)
6|May 13 2020|14:35:00|302013|10.50.1.52|50372|172.29.103.1|48010|Built outbound TCP connection 227790556 for if0_WAN:172.29.103.1/48010 (172.29.103.1/48010) to if1_RSA-Cutting:10.50.1.52/50372 (217.5.216.42/50372)
6|May 13 2020|14:35:00|305011|10.50.1.52|50372|217.5.216.42|50372|Built dynamic TCP translation from if1_RSA-Cutting:10.50.1.52/50372 to if0_WAN:217.5.216.42/50372
6|May 13 2020|14:34:59|302014|10.50.1.52|50371|10.1.3.6|80|Teardown TCP connection 227790516 for if1_RSA-Cutting:10.50.1.52/50371 to if1_Hausnetz:10.1.3.6/80 duration 0:00:00 bytes 0 TCP Reset-O
6|May 13 2020|14:34:59|302013|10.50.1.52|50371|10.1.3.6|80|Built inbound TCP connection 227790516 for if1_RSA-Cutting:10.50.1.52/50371 (10.50.1.52/50371) to if1_Hausnetz:10.1.3.6/80 (10.1.3.6/80)
6|May 13 2020|14:34:59|302013|10.50.1.52|925|10.1.3.6|111|Built inbound TCP connection 227790515 for if1_RSA-Cutting:10.50.1.52/925 (10.50.1.52/925) to if1_Hausnetz:10.1.3.6/111 (10.1.3.6/111)

The connection entry looks different as the other entries:

w-cham/act/pri# sh conn prot tcp | in 10.50.1.52
TCP if1_RSA-Cutting 10.50.1.52:992 if1_Hausnetz 10.1.3.6:111, idle 0:00:00, bytes 0, flags SaAB

"S" means that an inside SYN is expected.

At a capture on the ingress (if1_RSA-Cutting) and egress (if1_Hausnetz) shows just initial SYNs
and then only RSTs from the machine. (short captures attached)

In the configuration (attached) I don't see a reason that this TCP connection is not possible but
while ICMP & UDP is possible between the networks.

Has anyone an idea what the reason could be or where I should continue to search.

Every hint is welcome!!!

Thanks a lot!

Preview file
106 KB
Preview file
162 KB
Preview file
193 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
swscco001
Level 1
Level 1
In response to Rob Ingram

‎05-13-2020 11:26 PM

Hi RJI,

 

thanks for your fast reply!

The machine and the file server are directly connected to the ASA (no further router). So routing should not play a role(?).

If there were a problem with routing or NAT why ICMP and UDP is possible?

I'd like to hear your opinion.

Thanks a lot!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎05-13-2020 01:14 PM - edited ‎05-13-2020 01:17 PM

Hi,
Asymmetric routing or an issue with nat perhaps.

Can you run packet tracer and provide the output, e.g.
packet-tracer input if1_RSA-Cutting tcp 10.50.1.52 992 10.1.3.6.111 80 detail

 

Can you test whilst running a capture and provide the output

 

cap CAP1 type asp-drop all real-time

0 Helpful

Go to solution
swscco001
Level 1
Level 1
In response to Rob Ingram

‎05-13-2020 11:26 PM

Hi RJI,

 

thanks for your fast reply!

The machine and the file server are directly connected to the ASA (no further router). So routing should not play a role(?).

If there were a problem with routing or NAT why ICMP and UDP is possible?

I'd like to hear your opinion.

Thanks a lot!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card