
Deny TCP (no connection) RST then SYN ACK

tryingtofixit
Level 1

ASA 5525x with 9.x code

Working with an IPsec tunnel; a Fortinet is on the other side of the IPsec tunnel.

My server on 10.220.2.16 enters the ASA INSIDE interface, bound down the IPsec tunnel to 10.12.32.4.

In the ASA logs, my 10.220.2.16 > 10.12.32.4 traffic is getting flag RST on interface INSIDE, followed by a SYN ACK.

We don't have any asymmetrical routing, and no duplicate routes in the core switch pushing traffic to different endpoints. Our crypto maps have the correct interesting traffic defined, along with the proper NATs.

We use static routes on the core to force our tunnel traffic to the ASA. No duplicate routes or more specific routes pointing the subnet elsewhere.

The packet tracer shows the flow 100% from start to finish.

Suggestions?
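The log lines the post describes are ASA message 106015 ("Deny TCP (no connection)"), which the ASA emits when a non-initial TCP segment arrives and no connection entry exists for it. The script below is an added example, not code from the thread or from Cisco: it parses 106015 lines, groups them by peer pair and interface, and gives a heuristic reading of the denied flag sequence. The sample log lines, the second host pair (10.220.2.40 and 10.12.32.9), the port numbers, and the function names (`parse_106015`, `group_by_peer_pair`, `verdict`, `triage`) are all constructed for this example; only the message format itself is the documented ASA one.

```python
import re
from collections import defaultdict

# Message ID 106015 is the ASA's "Deny TCP (no connection)" event: a TCP segment
# that is not a bare SYN arrived, but the ASA holds no connection entry for it.
# Real messages carry two spaces before "on interface", hence the \s+.
LOG_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)

# Constructed sample lines mirroring the symptom in the post (RST, then SYN ACK,
# both denied on INSIDE for the 10.220.2.16 -> 10.12.32.4 flow, repeating across
# ephemeral source ports) plus one unrelated FIN ACK so the grouping is visible.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 10.220.2.16/52110 to 10.12.32.4/445 flags RST  on interface INSIDE
%ASA-6-106015: Deny TCP (no connection) from 10.220.2.16/52110 to 10.12.32.4/445 flags SYN ACK  on interface INSIDE
%ASA-6-106015: Deny TCP (no connection) from 10.220.2.16/52111 to 10.12.32.4/445 flags RST  on interface INSIDE
%ASA-6-106015: Deny TCP (no connection) from 10.220.2.16/52111 to 10.12.32.4/445 flags SYN ACK  on interface INSIDE
%ASA-6-106015: Deny TCP (no connection) from 10.220.2.40/40022 to 10.12.32.9/22 flags FIN ACK  on interface INSIDE
"""


def parse_106015(lines):
    """Yield one dict per 106015 message; lines that are not 106015 are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def group_by_peer_pair(events):
    """Group events by (src, dst, iface) so a pattern that repeats across many
    ephemeral source ports stands out as a path problem, not one bad session."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["dst"], ev["iface"])].append(ev)
    return groups


def verdict(flag_sequence):
    """Heuristic reading (an assumption of this example, not an ASA rule) of the
    denied flags seen for one peer pair.

    A SYN ACK or RST hitting 'no connection' means the ASA never built state for
    the handshake that should have preceded it: the SYN took a path this ASA did
    not see or did not build a connection for, or the connection is already gone.
    """
    flags = set(flag_sequence)
    if "SYN ACK" in flags:
        return ("handshake reply seen without a connection: the outbound SYN did not "
                "build state on this ASA; check 'show route' for the destination and "
                "run packet-tracer / a capture with trace detail")
    if "RST" in flags:
        return "reset without a connection: stale session or one-sided path"
    return "late segment without a connection: likely a timed-out or torn-down session"


def triage(log_text):
    """Return {(src, dst, iface): {"ports": [...], "flags": [...], "verdict": str}}."""
    report = {}
    groups = group_by_peer_pair(parse_106015(log_text.splitlines()))
    for key, events in groups.items():
        flag_seq = [e["flags"] for e in events]
        report[key] = {
            "ports": sorted({int(e["sport"]) for e in events}),
            "flags": flag_seq,
            "verdict": verdict(flag_seq),
        }
    return report


if __name__ == "__main__":
    for key, info in triage(SAMPLE_LOG).items():
        print(key, info["ports"], info["flags"])
        print("  ->", info["verdict"])
```

Feed it the output of `show logging` or a syslog export; the point of grouping by peer pair is that a handshake reply denied for "no connection" across many source ports is a routing or path problem for that destination rather than a single broken session, which is exactly the kind of thing `show route` and packet-tracer then confirm.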


1 Accepted Solution

tryingtofixit
Level 1

Solution: we needed static routes on the ASA pointing to the 2nd ISP interface that ran this tunnel. Traffic was getting routed out of the 1st ISP since it was the preferred route on the ASA.


10 Replies

"logging permit-hostdown"

I think this is because you use a TCP syslog server: when the syslog server is not reachable, the ASA rejects adding new TCP connections.

add command above and check

MHM

Thanks! We have a troubleshooting window on Monday.

Just had a chance to check: we have logging permit-hostdown in our ASA.

Do you use syslog with TCP or UDP?

MHM

Run a packet capture with the "trace detail" option:

https://community.cisco.com/t5/security-knowledge-base/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889

This will give you more detail on what is going on.

Is it happening each time? Do pings work?

Sheraz.Salim
VIP Alumni

I have seen this issue in the past with a VPN tunnel to AWS. In our case the remote server and the local server had some connectivity issue. The workaround that worked for us was to implement TCP state bypass. Try enabling TCP state bypass for the specific traffic; this can help if the issue is related to TCP state tracking.

! Match only the one host pair: state bypass turns off the ASA's TCP state checks
! for whatever this ACL matches, so keep its scope as narrow as possible.
access-list bypass_tcp_state extended permit ip host 10.220.2.16 host 10.12.32.4
class-map bypass_tcp_class
 match access-list bypass_tcp_state
policy-map bypass_tcp_policy
 class bypass_tcp_class
  set connection advanced-options tcp-state-bypass
! The ASA allows a single global service policy. If one already exists (the default
! is global_policy), add the class to that policy-map instead, or apply this
! policy-map to the relevant interface rather than globally.
service-policy bypass_tcp_policy global

Also ensure that the Fortinet device configuration matches the ASA configuration in terms of IPsec settings, NAT exemptions, and access lists. Mismatched configurations can cause issues.

please do not forget to rate.

tryingtofixit
Level 1

Solution: we needed static routes on the ASA pointing to the 2nd ISP interface that ran this tunnel. Traffic was getting routed out of the 1st ISP since it was the preferred route on the ASA.

Thanks a lot for updating us.

Have a nice summer.

MHM

Wow, good catch. Was not expecting it to be that issue. Thanks for the update.

please do not forget to rate.

Good catch. Usually the capture with trace detail should show you the path and give you some idea of why it is dropping a packet.
