Help Analyzing TCP Dump from ASA

CiscoPurpleBelt
Level 6

So when attempting to access a site, the web page never loads. The site address is pingable. Sometimes I may get that "Site not secure, do I wish to proceed" error. I click yes, but then nothing, just a blank page.

I have attached the Wireshark screenshot (most of TCP entries are shown - could not get it all to fit in screenshot I had to take because I had to block out the IPs) of the Ingress interface only - egress had no data captured. Let me know if you need to see data from each entry.

The .98 is my machine and the .20 is the website. Any help deciphering the output is appreciated!


Rahul Govindan
VIP Alumni

Difficult to say with just one side of the data. But from the picture, it looks like the TLS handshake is completed and encrypted data is being sent across (packet#47 onwards). Since this is encrypted, Wireshark does not know any other details inside the TLS header. 

 

Have you tried accessing the website from another location to see if you get the page loaded? Also, how about capturing the Wireshark data from the client machine to match with what you get from the ASA?

 

Have you tried accessing the website from another location to see if you get the page loaded?
No, not yet. I plan on trying.

Also, how about capturing the Wireshark data from the client machine to match with what you get from the ASA?
I made another post from a client machine. I will get the post link for you.

venkat_n7
Level 1

Did you see logs on the IPS during this connection?

Please rate comments and support
with regards,
Venkat

No, nothing that stands out in the logs. Which IPS are you referring to? The ASA does not have a module or services.

How did you set up your capture on the egress interface? You would need to use the translated IP as the source IP. If you did use the translated source IP then there is an issue on the ASA. Are you redirecting traffic to the FirePOWER module in the ASA?

 

I am assuming that you are able to access the website when traffic does not go through the ASA? i.e. if you tether your PC through your mobile phone (disconnect the mobile from the wireless network).

--
Please remember to select a correct answer and rate helpful posts

How did you set up your capture on the egress interface? You would need to use the translated IP as the source IP. If you did use the translated source IP then there is an issue on the ASA. Are you redirecting traffic to the FirePOWER module in the ASA?
I used the IP of the website as the destination (public) and the source IP of the user machine as source, which is also public. There is no FirePOWER module in the ASA. There is a Firepower on a VM or something - I am not too familiar with the whole setup. How can I tell?

 

I am assuming that you are able to access the website when traffic does not go through the ASA? i.e. if you tether your PC through your mobile phone (disconnect the mobile from the wireless network).
I believe so, but I am not sure. It is a special site that is required to be accessed via the internal network. I can try and do some tests and get back to you.
