10-29-2012 11:34 AM - edited 03-11-2019 05:15 PM
Hi Everyone,
If I see FW logs and they show SYN timeout, does that always give us an indication that the issue is at the remote end?
I was trying to open a vendor site and the FW log shows SYN timeout.
Does SYN timeout indicate if the issue is at the local site?
Thanks
Mahesh
10-29-2012 11:41 AM
Hello Mahesh,
That log leads us to think the other host is not replying back to us or the SYN-ACK is getting lost on the internet.
You could run some captures on the ASA so as to make sure you are not receiving the SYN-ACK.
Regards,
Julio
10-29-2012 12:03 PM
Hi,
In most of the cases (that I've run into) this has been an indication of a problem at the remote end. (Well, regarding the local firewall, it can only be about some remote device since it doesn't see the SYN ACK.)
Problems can be:
And as Julio said, a packet capture is the best way to determine what is happening. You can do this either on the ASA or straight on your own computer with Wireshark, for example.
- Jouni
10-29-2012 12:11 PM
The actual SYN ACK won't show in any firewall logs, only in packet captures.
When the ASA firewall sees a SYN coming from the host initiating the connection it will show the log message starting with "Built outbound TCP connection......" (provided the connection has been allowed by the firewall).
To see if the connection got a SYN ACK from the remote host you will need to check the connection's state with the "show conn" command, for example.
You should see something like this:
TCP WAN 173.x.x.x:443 LAN 10.0.0.10:49517, idle 0:00:15, bytes 45295, flags UIO
The flags at the end will tell you in the above case that the connection is U = UP, I = has inbound data, O = has outbound data.
To get more info about the different "flags" use the command "show conn detail". At the very start it will list all the "flags".
Also, as you have seen, the message "Teardown TCP connection..." ending with the SYN Timeout reason will tell you that the SYN ACK hasn't been received. The same can also be determined with the "show conn" command. With a remote host not responding the flags will naturally be different from the above working situation.
- Jouni
10-29-2012 12:15 PM
Hello Mahesh,
You should create captures to confirm if you are receiving the SYN-ACK:
capture capin interface inside match tcp host inside_local_host_ip host outside_host_ip eq tcp_destination_port
capture capout interface outside match tcp host inside_global_host_ip host outside_host_ip eq tcp_destination_port
Regards,
Julio
10-29-2012 12:18 PM
On the other hand,
If looking at local problems, the only one I can think of right now (related to the ASA firewall) is that there is some problem with NAT. For example, the connection is getting NATed to the wrong NAT IP address, which either isn't allowed at the remote end or isn't routable in the network where the connection is destined (for example, L2L VPNs).
- Jouni
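Added example (not from the thread, not Cisco's code) that ties Jouni's points together for a defender reviewing ASA output: it pairs "Built outbound TCP connection" and "Teardown TCP connection ... SYN Timeout" syslog messages by connection id, keeps the NATed source address so a wrong NAT (the local cause above) can be spotted next to the remote host that never answered, and checks a "show conn" row for the U (up) flag. The sample messages are constructed on the pattern of those messages; the regexes are mine and assume the usual 302013/302014 message layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog, modelled on the ASA "Built outbound TCP connection"
# and "Teardown TCP connection ... SYN Timeout" messages quoted in the thread.
# Connection ids and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.10/49517 (198.51.100.5/49517)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/443 to inside:10.0.0.10/49517 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:10.0.0.11/50001 (198.51.100.5/50001)
%ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.20/443 to inside:10.0.0.11/50001 duration 0:02:10 bytes 45295 TCP FINs
"""

# Assumed layout of the two messages: "for iface:real/port (mapped/port) to iface:real/port (mapped/port)"
BUILT_RE = re.compile(r"Built outbound TCP connection (\d+) for \S+:(\S+) \(\S+\) to \S+:(\S+) \((\S+)\)")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for .* duration \S+ bytes (\d+) (.+)$")


@dataclass
class Conn:
    remote: str               # outside host address/port the SYN was sent to
    local: str                # inside (real) source address/port
    mapped: str               # NATed (global) source address/port: a wrong or unroutable NAT IP is the local cause
    nbytes: int = 0
    reason: Optional[str] = None   # teardown reason, e.g. "SYN Timeout" or "TCP FINs"


def correlate(syslog: str) -> Dict[int, Conn]:
    """Pair Built/Teardown messages by connection id and keep the teardown reason."""
    conns: Dict[int, Conn] = {}
    for line in syslog.splitlines():
        if m := BUILT_RE.search(line):
            conns[int(m.group(1))] = Conn(remote=m.group(2), local=m.group(3), mapped=m.group(4))
        elif (m := TEARDOWN_RE.search(line)) and int(m.group(1)) in conns:
            c = conns[int(m.group(1))]
            c.nbytes, c.reason = int(m.group(2)), m.group(3).strip()
    return conns


def syn_timeouts(conns: Dict[int, Conn]) -> List[int]:
    """Ids torn down with 'SYN Timeout': the SYN went out, no SYN-ACK came back, so 0 bytes."""
    return [cid for cid, c in conns.items() if c.reason == "SYN Timeout"]


def conn_established(show_conn_line: str) -> bool:
    """'show conn' row: flag U means UP (handshake done, per the legend quoted above).
    Without U the connection is still waiting; the letters shown then are explained by 'show conn detail'."""
    m = re.search(r"flags (\S+)", show_conn_line)
    return bool(m) and "U" in m.group(1)
```

A SYN Timeout entry whose mapped address is not the one the remote side expects points at NAT locally; one whose mapped address is correct points at the remote host or the path back, which the captures Julio describes will confirm.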
10-29-2012 12:00 PM
Hi Julio,
If the other host is working OK then we should see SYN ACK in the logs to confirm our connection is established with the remote host, right?
Thanks
Mahesh
10-29-2012 12:33 PM
Hi Julio & Jouni,
You gave a very good explanation of SYN Timeout.
I confirmed with the vendor that the issue is at their side.
Best regards
Mahesh