Are you using ScanSafe or any

ben.yarwood · ‎07-17-2015

We're having an issue with a server behind an ASA 5505 not being able to access SOME https websites, for example, https://cloudcare.avg.com.

We have moved the server directly to the WAN and can access the website there so we believe this to be an ASA issue.

ASDM Log when we try to open the connection on the server to https://cloudcare.avg.com (IP:204.193.144.91) http://pastebin.com/eZN7X6uh

Packet Tracer results: http://pastebin.com/MS7Q1XEA

Show version: http://pastebin.com/xe6RdhGc

Any advice or suggestions would be greatly appreciated.

Vibhor Amrodia · ‎07-17-2015

Hi,

I think the log shows the issue is on the server end that this is denying the connection from your internal hosts which you can see by all these RESET-O logs:-

6|Jul 17 2015|08:01:25|302014|204.193.144.91|443|10.200.200.2|52233|Teardown TCP connection 74078 for outside:204.193.144.91/443 to inside:10.200.200.2/52233 duration 0:00:00 bytes 266 TCP Reset-O

I think this might be something related to the SSL handshake between the server and the client.

You can apply captures on the ASA device interfaces and check the traces.

Also , as a test , what happens if you access the same servers from the clients which are dynamically natted on the ASA device ?

Also , you would recommend you to change this NAT as (any,any) is not recommended and it should have the name of the interface specifically :-

object network server
nat (any,any) static 999.999.999.999

Thanks and Regards,

Vibhor Amrodia

Marius Gunnerud · ‎07-17-2015

Are you using ScanSafe or any other type of URL filtering?

The TCP Reset-O flag indicates that the ASA is receiving the TCP-reset. I agree with Vibhor that you should take a look at either the server or any URL filters if you are using any.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Cisco ASA 5505 - Cannot access some https websites.