12-02-2011 09:18 AM - edited 03-11-2019 02:58 PM
Hello All,
I need help on these;
I have a HP Printer (HP Color LaserJet CM2320nf MFP), behind a Cisco ASA5505 Firewall.
I had been accessing this until last week, but I cannot any more. Also, I cannot send scanned documents through it.
Here is the Topology />>>>VM Ware-server
/
| |- - - - ->>>>>IP Phone & PC
===<<Internet>>>==>ASA5505======>ciscoSwitch2960|--------->>>>>IP Phone & PC
|- -- - - - >>>>PC
\
\->>>>>HP Color LaserJet CM2320nf MFP
* I can access ASA5505 with Https & Cisco Switch with https remotely
* I can Ping all devices behind the firewall & Switch remotely
* Two people in my office with the same subnet 10.10.44.0/24 can ping & HTTPS/http to ASA,Switch & HP printer
* I have VPN Tunnel up & connected to Remote site
Check Attachment for Configurations
Thanks
DaK
12-02-2011 03:42 PM
Hello Davy,
In this case the most recommended troubleshooting step would be to do some captures to see what's going on.
I do not know the source and destination (printer) IP address, so I will give you a document so you can perform the captures and let us know the results.
https://supportforums.cisco.com/docs/DOC-1222
Please rate helpful posts
Julio
12-05-2011 04:05 AM
Hello Jcarvaja,
Thanks for your response. I tried what is in the document link you sent, but I could not get any information.
My source IP address is from the remote site, with a VPN connection to the destination, the printer's site.
Source subnet = 10.10.44.0/24 my PC is 10.10.44.23
Destination = 10.10.1.0/24 ( LAN Subnet of the Printer site ) and the Printer IP address is 10.10.1.198
My Cisco ASA is 5505 version 8.4 and these are my commands;
Capture PRINTER-CAPTURE_1 interface inside match tcp host 10.10.44.50 host 10.10.1.198 eq 80
Capture PRINTER-CAPTURE_1 interface inside buffer 1000000 packet 1522 trace trace-count 1000
Capture PRINTER-CAPTURE_1 interface outside buffer 1000000 packet 1522 trace trace-count 1000
and show capture output ;
ASA5505# sh capture PRINTER-CAPTURE_1
=
62: 14:19:05.576355 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: P 2745432908:2745433195(287) ack 45352991 win 16560
63: 14:19:05.576630 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: . ack 2745433195 win 7993
64: 14:19:05.576859 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: P 45352991:45353080(89) ack 2745433195 win 7993
65: 14:19:05.576920 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: FP 45353080:45353080(0) ack 2745433195 win 7993
66: 14:19:05.581680 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: . ack 45490856 win 16560
67: 14:19:05.588699 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: P 3148480111:3148480396(285) ack 45490856 win 16560
68: 14:19:05.588958 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . ack 3148480396 win 7995
69: 14:19:05.589523 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: P 45490856:45491368(512) ack 3148480396 win 7995
70: 14:19:05.590270 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45491368:45492748(1380) ack 3148480396 win 7995
71: 14:19:05.590850 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45492748:45494128(1380) ack 3148480396 win 7995
72: 14:19:05.632535 802.1Q vlan#1 P0 10.10.44.50.59421 > 10.10.1.1988.80: F 3008331229:3008331229(0) ack 38850175 win 16432
73: 14:19:05.633145 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59421: . 38851555:38852935(1380) ack 3008331230 win 8003
74: 14:19:05.655941 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: . ack 45353081 win 16537
75: 14:19:05.656231 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: F 2745433195:2745433195(0) ack 45353081 win 16537
76: 14:19:05.656414 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50..59427: . ack 2745433196 win 7992
77: 14:19:05.665996 802.1Q vlan#1 P0 10.10.44.50.59422 > 10.10.1.198.80: F 1200183666:1200183666(0) ack 39038817 win 16432
Could anyone explain why the packet was dropped, please?
====================================
Regards,
DaK
Message was edited by: Davy Ad
12-05-2011 08:25 AM
Hello Davy,
So the communication is between a remote PC on another site (site-to-site VPN). In this case you will need to create the captures on the inside interfaces of both end-points, where the traffic is not encrypted.
Also can you create the following capture:
capture asp type asp-drop all
And then provide us the following:
Show capture asp | include printer_ip_add
This will show us if there are packets being dropped by the ASA algorithm.
Please rate helpful posts.
Julio!
12-06-2011 06:53 AM
Hello,
I applied all the commands you requested, but at my ASA (REMOTE-ASAFW-C5505#) there is no packet drop.
At the printer's ASA (Printer-ASAFW-C5505#), it shows only 7 packets captured.
REMOTE-ASAFW-C5505# sh capture PRINTER-CAPTURE_REMOTE-PC
0 packet captured
0 packet shown
============
Printer-ASAFW-C5505# sh capture PRINTER-CAPTURE_LAN_INSIDE
7 packets captured
1: 15:25:20.633786 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
2: 15:26:08.259996 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
3: 15:26:10.588073 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
4: 15:27:00.532336 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
5: 15:27:07.817737 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
6: 15:27:50.476110 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0
7: 15:28:07.365505 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
Printer-ASAFW-C5505# capture ASP type asp-drop all
Printer-ASAFW-C5505# capture ASP type asp-drop all
< EMPTY / NO OUTPUT>
Printer-ASAFW-C5505# Show capture ASP | include 10.10.1.198
< EMPTY / NO OUTPUT>
**NB: Could you explain to me what R, P, FP, S & . mean in the output, please?
Thanks
DaK
12-06-2011 09:26 AM
Hello Davy,
We can see that there are no drops by the ASA (capture ASP is empty). Now, on the Printer_Capture we can see there are some regular ACK packets, but we can also see a reset (R):
P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0
So the communication is being ended by that particular reset packet. You will need to do a capture on the PC with Wireshark to check if the computer is the one sending the reset or if it's the printer.
I think that will lead us to the bottom of this issue.
Please rate helpful posts.
Julio
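Added example, not part of any post in this thread: a small Python parser for the `show capture` lines above that decodes the flag column and picks out repeated segments and resets. In this tcpdump-style notation S is SYN, F is FIN, P is PSH, R is RST, and `.` means none of those four is set; the function names and the `SAMPLE` constant are illustrative, and the sample lines are copied from the Printer-ASAFW-C5505 capture posted above.

```python
import re
from collections import Counter

# Sample input: the seven lines of PRINTER-CAPTURE_LAN_INSIDE quoted in this thread.
SAMPLE = """\
7 packets captured
1: 15:25:20.633786 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
2: 15:26:08.259996 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
3: 15:26:10.588073 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
4: 15:27:00.532336 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
5: 15:27:07.817737 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
6: 15:27:50.476110 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0
7: 15:28:07.365505 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
"""

FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "none of SYN/FIN/PSH/RST"}

LINE = re.compile(
    r"(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+.*?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
)

def parse(text):
    """Return one dict per packet line; banner lines such as '7 packets captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["flag_names"] = [FLAGS[c] for c in d["flags"]]
        d["len"] = int(d["len"] or 0)  # pure ACKs carry no seq range
        pkts.append(d)
    return pkts

def summarize(pkts):
    """Count data segments repeated on the same flow (retransmissions) and list RSTs."""
    seen = Counter((p["src"], p["sport"], p["dst"], p["dport"], p["seq"], p["end"])
                   for p in pkts if p["len"] > 0)
    retrans = {k: n for k, n in seen.items() if n > 1}
    resets = [(p["num"], f'{p["src"]}.{p["sport"]}') for p in pkts if "R" in p["flags"]]
    return retrans, resets

if __name__ == "__main__":
    retrans, resets = summarize(parse(SAMPLE))
    for flow, n in retrans.items():
        print(f"{flow[0]}.{flow[1]} > {flow[2]}.{flow[3]} seq {flow[4]}:{flow[5]} seen {n} times")
    print("RST packets:", resets)
```

On this capture the same 1380-byte segment appears three times on each of the two flows before packet 6 carries the RST, so every segment in the buffer is either a retransmission from 10.10.1.198 or the reset.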