Does SYN timeout always tell if issue is at Remote end

mahesh18
Level 6

Hi Everyone,

If I see fw logs and it has SYN timeout, does it always give us an indication that the issue is at the remote end?

I was trying to open a vendor site and the fw log shows SYN timeout.

Does SYN timeout indicate if the issue is at the local site?

Thanks

Mahesh


7 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh,

That log leads us to think the other host is not replying back to us or the SYN-ACK is getting lost on the internet.

You could run some captures on the ASA so as to make sure you are not receiving the SYN-ACK.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

If the other host is working OK, then we should see the SYN ACK in the logs to confirm our connection is established with the remote host, right?

Thanks

Mahesh

The actual SYN ACK won't show in any firewall logs. Only in packet captures.

When the ASA firewall sees a SYN coming from the host initiating the connection it will show the log message starting with "Built outbound TCP connection..." (provided the connection has been allowed by the firewall).

To see if the connection got a SYN ACK from the remote host you will need to check the connection's state with the "show conn" command, for example.

You should see something like this:

TCP WAN 173.x.x.x:443 LAN 10.0.0.10:49517, idle 0:00:15, bytes 45295, flags UIO

The flags at the end will tell you in the above case that the connection is U = UP, I = has inbound data, O = has outbound data.

To get more info about the different "flags" use the command "show conn detail". At the very start it will list all the "flags".

Also, as you have seen, the message "Teardown TCP connection..." ending with the SYN Timeout reason will tell you that the SYN ACK hasn't been received. The same can also be determined with the "show conn" command. With a remote host not responding the flags will naturally be different from the above working situation.

- Jouni
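To make Jouni's two checks (the "Teardown ... SYN Timeout" log message and the flags column of "show conn") mechanical, here is an added example script; it is not code from the thread or from Cisco. It assumes the standard ASA syslog message IDs 302013 ("Built outbound TCP connection") and 302014 ("Teardown TCP connection"), with the outside host listed first for outbound connections, and the "show conn" line layout quoted above. All addresses, connection IDs, log lines and the non-UP flag string "saA" are constructed samples; the "assess" rule at the end is a heuristic drawn from the replies in this thread (timeouts confined to one remote host versus timeouts to every remote host), not an ASA feature.

```python
"""Classify ASA TCP connection logs and ``show conn`` lines: which outbound
connections completed the handshake and which ended in SYN Timeout.

Added example, not from the thread. Assumes ASA syslog IDs 302013/302014 and
the show conn layout quoted in the thread; all sample data is constructed."""
import re
from collections import Counter

# Constructed sample syslog: two SYN timeouts towards one remote host, and one
# healthy connection to another host torn down normally with "TCP FINs".
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.10/49517 (198.51.100.5/49517)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.0.0.10/49517 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.11/50122 (198.51.100.5/50122)
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.10/443 to inside:10.0.0.11/50122 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.77/443 (198.51.100.77/443) to inside:10.0.0.10/49600 (198.51.100.5/49600)
%ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.77/443 to inside:10.0.0.10/49600 duration 0:02:10 bytes 45295 TCP FINs
"""

# 302014: "Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#          duration h:mm:ss bytes <n> [reason]"
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) ?(?P<reason>.*)$"
)

# Layout of the show conn line quoted in the thread:
# TCP WAN 173.x.x.x:443 LAN 10.0.0.10:49517, idle 0:00:15, bytes 45295, flags UIO
SHOW_CONN_RE = re.compile(
    r"^TCP (?P<if1>\S+) (?P<addr1>\S+):(?P<port1>\d+) "
    r"(?P<if2>\S+) (?P<addr2>\S+):(?P<port2>\d+), idle (?P<idle>\S+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)


def parse_teardowns(syslog_text):
    """Return one dict per 302014 line, with the teardown reason isolated."""
    out = []
    for line in syslog_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["reason"] = d["reason"].strip()
            out.append(d)
    return out


def syn_timeouts_by_remote(syslog_text):
    """Count SYN Timeout teardowns per remote host (listed first for outbound
    connections, so ip1 is the peer that never answered with a SYN-ACK)."""
    return dict(Counter(t["ip1"] for t in parse_teardowns(syslog_text)
                        if t["reason"] == "SYN Timeout"))


def parse_show_conn(line):
    """Split one TCP line of show conn into its fields."""
    m = SHOW_CONN_RE.match(line.strip())
    if not m:
        raise ValueError("not a show conn TCP line: %r" % line)
    d = m.groupdict()
    d["bytes"] = int(d["bytes"])
    return d


def handshake_completed(conn):
    """The thread's reading of the flags: U means the connection is UP, i.e. the
    handshake finished. No U (usually with bytes 0) means the ASA is still
    waiting; the exact meaning of the other letters is in show conn detail."""
    return "U" in conn["flags"]


def assess(syslog_text):
    """Heuristic from the thread: timeouts confined to one remote host point at
    that host or the path to it; timeouts to every remote host point at
    something local (NAT to a wrong/unroutable IP, an upstream filter)."""
    remotes = {t["ip1"] for t in parse_teardowns(syslog_text)}
    failing = set(syn_timeouts_by_remote(syslog_text))
    if not failing:
        return "no SYN timeouts"
    if failing == remotes:
        return "SYN timeouts to every remote host: check local NAT/routing/upstream"
    return "SYN timeouts confined to %s: check remote end or path" % ", ".join(sorted(failing))


if __name__ == "__main__":
    print(syn_timeouts_by_remote(SAMPLE_SYSLOG))
    print(assess(SAMPLE_SYSLOG))
    for line in (
        "TCP WAN 173.x.x.x:443 LAN 10.0.0.10:49517, idle 0:00:15, bytes 45295, flags UIO",
        # constructed half-open sample: no U flag and no bytes yet
        "TCP outside 203.0.113.10:443 inside 10.0.0.10:49517, idle 0:00:05, bytes 0, flags saA",
    ):
        c = parse_show_conn(line)
        print(c["addr1"], "established" if handshake_completed(c) else "handshake incomplete")
```

Run it against a saved syslog export and the output of "show conn" to see at a glance whether only the vendor's address is timing out (the case Mahesh describes) or everything is.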

Hello Mahesh,

You should create captures to confirm if you are receiving the SYN-ACK:

capture capin interface inside match tcp host inside_local_host_ip host outside_host_ip eq tcp_destination_port

capture capout interface outside match tcp host inside_global_host_ip host outside_host_ip eq tcp_destination_port

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
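Once a capture like Julio's capin/capout exists, the question is simply whether any SYN-ACK for the reversed 4-tuple appears. The following added example (not from the thread, not Cisco code) reads a classic little-endian pcap file of the kind Wireshark or tcpdump write, pairs every SYN with a SYN-ACK, and reports flows that never got one. It assumes Ethernet framing and IPv4, and it builds its own constructed sample capture in memory so it runs offline; a real inside-interface capture would be read from disk instead. Note that on the outside capture the inside host shows up as its mapped (inside_global) address, as Julio's second command reflects, so the 4-tuples differ between capin and capout.

```python
"""Decide from a packet capture whether the SYN-ACK ever came back.

Added example, not from the thread. Handles classic little-endian pcap with
Ethernet/IPv4/TCP; all addresses and packets below are constructed."""
import socket
import struct

SYN, ACK = 0x02, 0x10
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def tcp_record(ts, src, dst, sport, dport, flags):
    """Build one pcap record: Ethernet + minimal IPv4 + TCP header, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp      # zero MACs, EtherType IPv4
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def build_pcap(records):
    """Classic pcap global header (v2.4, snaplen 65535, Ethernet) + records."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


# Constructed inside-interface capture: flow A sends its SYN twice and never
# gets a SYN-ACK (what a SYN Timeout looks like on the wire); flow B completes.
SAMPLE_CAPTURE = build_pcap([
    tcp_record(100, "10.0.0.10", "203.0.113.10", 49517, 443, SYN),
    tcp_record(100, "10.0.0.10", "198.51.100.77", 49600, 443, SYN),
    tcp_record(100, "198.51.100.77", "10.0.0.10", 443, 49600, SYN | ACK),
    tcp_record(100, "10.0.0.10", "198.51.100.77", 49600, 443, ACK),
    tcp_record(103, "10.0.0.10", "203.0.113.10", 49517, 443, SYN),   # retransmit
])


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                   # not TCP
            continue
        src = socket.inet_ntoa(frame[14 + 12:14 + 16])
        dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        yield src, dst, sport, dport, frame[tcp + 13]


def handshake_report(pcap):
    """Map each client-initiated flow (client, cport, server, sport) to whether a
    SYN-ACK for it was seen. A SYN with no SYN-ACK anywhere in the capture is
    the on-wire counterpart of the ASA's "SYN Timeout" teardown."""
    report = {}
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if flags & SYN and not flags & ACK:
            report.setdefault((src, sport, dst, dport), "no SYN-ACK")
        elif flags & SYN and flags & ACK:
            key = (dst, dport, src, sport)      # reverse direction of the SYN
            if key in report:
                report[key] = "SYN-ACK seen"
    return report


if __name__ == "__main__":
    for flow, status in handshake_report(SAMPLE_CAPTURE).items():
        print("%s:%d -> %s:%d  %s" % (flow + (status,)))
```

To use it on a real file, replace SAMPLE_CAPTURE with `open("capin.pcap", "rb").read()`. If capin shows the SYN leaving and capout shows it leaving the outside interface too, but neither shows a SYN-ACK, the local ASA has done its part and the problem is downstream; if capout shows a SYN-ACK that never appears on capin, look at NAT or the inside path.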

Jouni Forss
VIP Alumni

Hi,

In most of the cases (that I've run into) this has been an indication of a problem at the remote end. (Well, regarding the local firewall it can only be about some remote device, since it doesn't see the SYN ACK.)

Problems can be:

  • Connection is blocked by a remote firewall or a firewall somewhere in between
  • Connection is blocked by the remote host's own firewall (software)
  • Connection's SYN arrives at the remote host but a routing problem exists which forwards the SYN ACK in a wrong way
  • There's an outage in the remote end service you are trying to reach
  • Some other equipment is filtering the traffic in between

And as Julio said, packet capture is the best way to determine what is happening. You can do this either on ASA or straight on your own computer with Wireshark for example.

- Jouni

On the other hand,

If looking for local problems, the only one I can think of right now (related to the ASA firewall) is that there is some problem with NAT. For example, the connection is getting NATed to a wrong NAT IP address which either isn't allowed at the remote end or isn't routable in the network where the connection is destined (for example L2L VPNs).

- Jouni

Hi Julio & Jouni,

You did a very good explanation of SYN Timeout.

I confirmed with the vendor that the issue is at their side.

Best regards

Mahesh
