Cisco ASA 5525, RDP and TCP-Reset-I

SlipKo · ‎07-13-2020

Hello!

We have Cisco ASA 5525 in Failover mode (Active/Passive) (SW 9.2.2.4), 4 RDP Servers based on WinServer 2012R2(Serv_Net sec level 50), PCs connected to ASA (PC_Net, sec level 50) and uplink to Corporate Networks (CORP_NET, sec level 0).

When we connect from PCs which connected to ASA to RDP to servers - all ok. If we connect to servers from Corporate network - then log contain:

%ASA-6-302014: Teardown TCP connection 192428168 for CORP_NET:ip_pc_from_corp_net/52069 to SERV_NET:rdp_server_ip/3389 duration 0:00:21 bytes 0 TCP Reset-I

%ASA-4-313005: No matching connection for ICMP error message: icmp src CORP_NET:dst SERV_NET:rdp_server_ip (type 3

code 13) on CORP_NET interface. Original IP payload: tcp src rdp_server_ip/3389 dst ip_pc_from_corp_net/52069.

Packet-tracer test print that all ok and packets from pc to server allow.

icmp protocol allowed on all interfaces.

On Win server "netstat -o" show syn_receive and connection isn't established.

P.S. I know that icmp type 3 code 13 says that problem on rdp server, but firewall on server is turn off.

Marius Gunnerud · ‎07-13-2020

TCP-Reset-I indicates that the device on SERV_NET is sending a reset notification. Have you checked the logs on the server you are trying to RDP to?

Set up a capture on the SERV_NET interface and see if you are getting any return traffic from the server. Might give an idea of where the issue is.

cap cap_SERV_NET interface SERV_NET match host ip rdp_server_ip host ip_pc_from_corp_net

show cap_SERV_NET

--
Please remember to select a correct answer and rate helpful posts