FTD 1010 - URL shows as trusted, but times out before connecting

GreatCthulhu
Level 1

Hello!

I have an FTD 1010, running FMC 7.0.4-55. We are trying to access a website, https://tx.c2tinc.com/register, and it consistently times out when accessed from behind the FTD. When I filter the traffic to view the connection from my IP as the source, I see the destination traffic and it shows as trusted, but I cannot connect. I am relatively new to FTD/FMC, so any pointers are greatly appreciated.

Thanks!

GC


9 Replies

@GreatCthulhu is the traffic NATed? I'd expect to see NAT information in your output.

GreatCthulhu
Level 1

@Rob Ingram - I have a standard inside-outside NAT rule created. I should also mention that this device has been in use for almost a year, and we are not having any known issues apart from the timeouts on this one website.

@GreatCthulhu ok, please run packet-tracer from the CLI to simulate the traffic flow to this webserver and provide the output for review.

GreatCthulhu
Level 1

@Rob Ingram 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.x.x.x using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 192.168.95.67/443 to x.x.x.x/61670

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 96522101, packet dispatched to next module

Phase: 11
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.x.x.x using egress ifc outside(vrfid:0)

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop x.x.x.x on interface outside
Adjacency :Active
MAC address x.x.x.x hits 130 reference 2932

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

So this looks like it is successful? Perhaps the issue is on their side, then? Thanks in advance for your help!

@GreatCthulhu that output looks ok.

From the CLI of the FTD run "system support firewall-engine-debug", apply a filter, access the webpage and observe the output.

You can also take a packet capture to confirm the 3-way handshake completes and therefore that there is a response from the website.
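A small checker for the capture step suggested above, added here as an example and not part of the original thread or any Cisco tool. It reads tcpdump-style lines (`time src:port > dst:port [flags]`), groups packets into flows by the side that sent the bare SYN, and reports for each flow whether the three-way handshake completed, whether the server answered with a reset, or whether only SYN retransmissions were seen. The input below is constructed: the first flow mirrors the symptom described in the thread (SYNs to 66.210.199.157:443 with no reply); the other two flows use documentation-range addresses (198.51.100.10, 203.0.113.5) as a completed handshake and a reset for comparison.

```python
"""Classify TCP flows in a capture: handshake complete, reset, or SYN-only (no reply)."""
import re

# Constructed sample in tcpdump-like shape, not a capture from the thread.
# Flags use tcpdump notation: S = SYN, S. = SYN-ACK, . = ACK, R. = RST-ACK.
SAMPLE = """\
0.000 192.168.95.67:52645 > 66.210.199.157:443 [S]
1.002 192.168.95.67:52645 > 66.210.199.157:443 [S]
3.010 192.168.95.67:52645 > 66.210.199.157:443 [S]
7.020 192.168.95.67:52645 > 66.210.199.157:443 [S]
0.100 192.168.95.67:52700 > 198.51.100.10:443 [S]
0.115 198.51.100.10:443 > 192.168.95.67:52700 [S.]
0.116 192.168.95.67:52700 > 198.51.100.10:443 [.]
0.200 192.168.95.67:52701 > 203.0.113.5:443 [S]
0.230 203.0.113.5:443 > 192.168.95.67:52701 [R.]
"""

LINE = re.compile(
    r"^(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sp>\d+) > (?P<dst>[\d.]+):(?P<dp>\d+) \[(?P<flags>[^\]]*)\]$"
)


def parse(text):
    """Return packets as (time, src, sport, dst, dport, flags), sorted by time."""
    pkts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            pkts.append((float(m["t"]), m["src"], int(m["sp"]), m["dst"], int(m["dp"]), m["flags"]))
    pkts.sort(key=lambda p: p[0])
    return pkts


def classify_flows(text):
    """Build per-flow handshake state keyed by the (client, cport, server, sport) tuple."""
    flows = {}
    for t, src, sp, dst, dp, flags in parse(text):
        if "S" in flags and "." not in flags:
            # A bare SYN defines the client side of the flow; count retransmissions.
            st = flows.setdefault((src, sp, dst, dp),
                                  {"syn": 0, "synack": False, "ack": False, "rst": False,
                                   "first": t, "last": t})
            st["syn"] += 1
            st["last"] = t
            continue
        # Anything else is attributed to an existing flow, in either direction.
        key, rkey = (src, sp, dst, dp), (dst, dp, src, sp)
        if key in flows:
            st, from_client = flows[key], True
        elif rkey in flows:
            st, from_client = flows[rkey], False
        else:
            continue  # mid-stream packet with no SYN in the capture; ignore
        st["last"] = max(st["last"], t)
        if "R" in flags:
            st["rst"] = True
        elif not from_client and "S" in flags and "." in flags:
            st["synack"] = True
        elif from_client and flags == "." and st["synack"]:
            st["ack"] = True  # third packet of the handshake
    return flows


def verdict(st):
    """Human-readable result for one flow."""
    if st["rst"]:
        return "reset"
    if st["synack"] and st["ack"]:
        return "handshake-complete"
    if st["synack"]:
        return "syn-ack-seen-no-ack"
    return f"no-reply ({st['syn']} SYN sent over {st['last'] - st['first']:.1f}s)"


def summarize(text):
    """Map 'client:port>server:port' to its verdict."""
    return {f"{c}:{cp}>{s}:{sp}": verdict(st) for (c, cp, s, sp), st in classify_flows(text).items()}


if __name__ == "__main__":
    for flow, result in summarize(SAMPLE).items():
        print(f"{flow:45} {result}")
```

On the FTD itself a capture such as `capture capin interface inside match tcp host 192.168.95.67 host 66.210.199.157 eq 443` viewed with `show capture capin` gives the same information; the line format differs from the tcpdump shape assumed above, so the regex would need adjusting before feeding it in. A flow that reports only SYN retransmissions on the outside interface, with the NATed source, means the box sent the packets and nothing came back, which points at the path or the far end rather than at the access policy.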

GreatCthulhu
Level 1

@Rob Ingram 

Output:

> system support firewall-engine-debug
Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.95.67
Please specify a client port:
Please specify a server IP address: 66.210.199.157
Please specify a server port: 443
Monitoring firewall engine debug messages

192.168.95.67 52645 -> 66.210.199.157 443 6 AS=0 ID=0 GR=1-1 Got start of flow event from hardware with flags 00006001
192.168.95.67 52646 -> 66.210.199.157 443 6 AS=0 ID=1 GR=1-1 Got start of flow event from hardware with flags 00006001
192.168.95.67 52649 -> 66.210.199.157 443 6 AS=0 ID=1 GR=1-1 Got start of flow event from hardware with flags 00006001
192.168.95.67 52645 -> 66.210.199.157 443 6 AS=0 ID=0 GR=1-1 Got end of flow event from hardware with flags 00006001
192.168.95.67 52646 -> 66.210.199.157 443 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00006001
192.168.95.67 52645 -> 66.210.199.157 443 6 AS=0 ID=0 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0
192.168.95.67 52646 -> 66.210.199.157 443 6 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0
192.168.95.67 52649 -> 66.210.199.157 443 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00006001
192.168.95.67 52649 -> 66.210.199.157 443 6 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0

Wireshark just shows a pile of retransmits, but I do not at any point see an ACK.

I threw in a traceroute, and I see that the traffic is leaving my network (in KS), and it looks like it's going down to TX and then back to OK before the replies stop.


 

Thoughts? And thanks again for the help.

@GreatCthulhu seems like there is no response. Is it likely they'd block your public IP? 

Hi friend,

I followed your case, but I was busy.

Now please share captures on the inside and outside FPR interfaces.

Note: use a filter in the Wireshark capture; select source and destination, or destination only.

How have you configured your access rule? Do you have IPS configured? If yes, try disabling it.

My original thought was the website doing a redirection, but it looks like you have an any any rule configured.
