Hi , I'm in trouble with the communications between Azure API Management and a Cisco ASA Firewall .
At the begin of a get request from apim , randomly some tcp package are dropped from the ASA firewall ( as of picture )
I guess the flow is as follows :
- apim send a SYN Packet ( that is dropped because of port number reused , the first)
- apim resend a SYN packet after 3 second a couple of times ( that is dropped because retrasmission )
- after some minutes the communication resume correctly ( as of picture , the second )
if I try the same get http request repeatedly without using apim but a rest client like postman or a python script all work without errors
why apim cause cisco asa to drop package ?
this is an excerpt from the firewall log
Drop-reason: (tcp-rst-syn-in-win) TCP RST/SYN in window
why the beaviour of apim is different from other rest client ?
any suggestions are welcome
thank you
OK , I'll got it
meanwhile I'd like to illustrate some test I've done
The image below is about the tracing of http calls made by a python script (without going through apim and it's working without problem).
I highlighted the start ( SYN ) and end ( FYN ) of TCP sessions (for every HTTP call there is one).
the two images below are about tracing of http call made by apim
In this case there is only one initial connection opening ( SYN ) after which apim reuses ( at least so it seems to me ) the same session to send another http frame .
Now, if for any reason the apim thinks it has lost the tcp session it will try to open another one and at this point I think will happen what you see in the image below
The firewall assumes that an already open session exists and drops the tcp frame.
So , some question ...
the behavior of apim is correct ? is it right that the firewall drop the tcp frames ?
what does mean this error ?
Drop-reason: (tcp-rst-syn-in-win) TCP RST/SYN in window
thanks for any answer
