12-02-2011 09:18 AM - edited 03-11-2019 02:58 PM
Hello All,
I need help on these;
I have a HP Printer (HP Color LaserJet CM2320nf MFP), behind a Cisco ASA5505 Firewall.
I had been accessing this until last week; I cannot any more. Also, I cannot send scanned documents through it.
Here is the topology:

                                              /--> VMware server
                                              |--> IP Phone & PC
Internet ==> ASA5505 ==> Cisco Switch 2960 ---|--> IP Phone & PC
                                              |--> PC
                                              \--> HP Color LaserJet CM2320nf MFP

* I can access ASA5505 with Https & Cisco Switch with https remotely
* I can Ping all devices behind the firewall & Switch remotely
* Two people in my office on the same subnet, 10.10.44.0/24, can ping and HTTPS/HTTP to the ASA, switch & HP printer
* I have VPN Tunnel up & connected to Remote site
Check Attachment for Configurations
Thanks
DaK
12-02-2011 03:42 PM
Hello Davy,
In this case the most recommended troubleshooting step would be to do some captures to see what's going on.
I do not know the source and destination (printer) IP address, so I will give you a document so you can perform the captures and let us know the results.
https://supportforums.cisco.com/docs/DOC-1222
Please rate helpful posts
Julio
12-05-2011 04:05 AM
Hello Jcarvaja,
Thanks for your response. I tried what is in the document link you sent, but I could not get any information.
My source IP address is from the remote site, with a VPN connection to the destination, the printer's site.
Source subnet = 10.10.44.0/24 my PC is 10.10.44.23
Destination = 10.10.1.0/24 ( LAN Subnet of the Printer site ) and the Printer IP address is 10.10.1.198
My Cisco ASA is 5505 version 8.4 and these are my commands;
Capture PRINTER-CAPTURE_1 interface inside match tcp host 10.10.44.50 host 10.10.1.198 eq 80
Capture PRINTER-CAPTURE_1 interface inside buffer 1000000 packet 1522 trace trace-count 1000
Capture PRINTER-CAPTURE_1 interface outside buffer 1000000 packet 1522 trace trace-count 1000
and show capture output ;
ASA5505# sh capture PRINTER-CAPTURE_1
=
62: 14:19:05.576355 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: P 2745432908:2745433195(287) ack 45352991 win 16560
63: 14:19:05.576630 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: . ack 2745433195 win 7993
64: 14:19:05.576859 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: P 45352991:45353080(89) ack 2745433195 win 7993
65: 14:19:05.576920 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59427: FP 45353080:45353080(0) ack 2745433195 win 7993
66: 14:19:05.581680 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: . ack 45490856 win 16560
67: 14:19:05.588699 802.1Q vlan#1 P0 10.10.44.50.59428 > 10.10.1.198.80: P 3148480111:3148480396(285) ack 45490856 win 16560
68: 14:19:05.588958 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . ack 3148480396 win 7995
69: 14:19:05.589523 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: P 45490856:45491368(512) ack 3148480396 win 7995
70: 14:19:05.590270 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45491368:45492748(1380) ack 3148480396 win 7995
71: 14:19:05.590850 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59428: . 45492748:45494128(1380) ack 3148480396 win 7995
72: 14:19:05.632535 802.1Q vlan#1 P0 10.10.44.50.59421 > 10.10.1.1988.80: F 3008331229:3008331229(0) ack 38850175 win 16432
73: 14:19:05.633145 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.59421: . 38851555:38852935(1380) ack 3008331230 win 8003
74: 14:19:05.655941 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: . ack 45353081 win 16537
75: 14:19:05.656231 802.1Q vlan#1 P0 10.10.44.50.59427 > 10.10.1.198.80: F 2745433195:2745433195(0) ack 45353081 win 16537
76: 14:19:05.656414 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50..59427: . ack 2745433196 win 7992
77: 14:19:05.665996 802.1Q vlan#1 P0 10.10.44.50.59422 > 10.10.1.198.80: F 1200183666:1200183666(0) ack 39038817 win 16432
Could anyone explain why the packet was dropped, please?
====================================
Regards,
DaK
Message was edited by: Davy Ad
12-05-2011 08:25 AM
Hello Davy,
So the communication is between a remote PC on another site (site-to-site VPN). In this case you will need to create the captures on the inside interfaces of both end-points, where the traffic is not encrypted.
Also can you create the following capture:
capture asp type asp-drop all
And then provide us the following:
Show capture asp | include printer_ip_add
This will show us if there are packets being dropped by the ASA algorithm.
Please rate helpful posts.
Julio!
12-06-2011 06:53 AM
Hello,
I applied all the commands you requested, but at my ASA (REMOTE-ASAFW-C5505#) there is no packet drop.
At the printer's ASA (Printer-ASAFW-C5505#), it shows only 7 packets captured.
REMOTE-ASAFW-C5505# sh capture PRINTER-CAPTURE_REMOTE-PC
0 packet captured
0 packet shown
============
Printer-ASAFW-C5505# sh capture PRINTER-CAPTURE_LAN_INSIDE
7 packets captured
1: 15:25:20.633786 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
2: 15:26:08.259996 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
3: 15:26:10.588073 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
4: 15:27:00.532336 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
5: 15:27:07.817737 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
6: 15:27:50.476110 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0
7: 15:28:07.365505 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
Printer-ASAFW-C5505# capture ASP type asp-drop all
Printer-ASAFW-C5505# capture ASP type asp-drop all
<EMPTY / NO OUTPUT>
Printer-ASAFW-C5505# Show capture ASP | include 10.10.1.198
<EMPTY / NO OUTPUT>
**NB: Could you explain to me what R, P, FP, S & . mean in the output result, please?
Thanks
DaK
12-06-2011 09:26 AM
Hello Davy,
We can see that there are no drops by the ASA (capture ASP is empty). Now, on the Printer_Capture we can see there are some regular ack packets, but we can also see a reset (R):
P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0
So the communication is being ended by that particular reset packet. You will need to do a capture on the PC with Wireshark to check if the computer is the one sending the reset or if it's the printer.
I think that will lead us to the bottom of this issue.
Please rate helpful posts.
Julio
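
A way to read the printer-side capture discussed above, as an added example that is not part of any post in this thread: the script decodes the tcpdump-style flag letters that `show capture` prints (S, F, P, R and `.`), lists reset packets, and goes one step beyond the replies by flagging segments whose starting sequence number repeats on the same flow (retransmissions). The function name `analyse` and the report layout are assumptions made for this example; the sample lines are copied from the capture posted in the thread.

```python
import re
from collections import Counter

# tcpdump-style flag letters printed by "show capture"; "." = none of S/F/P/R set
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK only"}

LINE_RE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<ts>[\d:.]+)\s+.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPR.]+)\s*(?:(?P<seq>\d+):\d+\((?P<len>\d+)\))?")

# Lines copied from the printer-side capture posted in the thread
SAMPLE = """\
7 packets captured
1: 15:25:20.633786 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
2: 15:26:08.259996 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
3: 15:26:10.588073 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
4: 15:27:00.532336 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: . 3670903544:3670904924(1380) ack 1395853171 win 7995
5: 15:27:07.817737 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
6: 15:27:50.476110 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55161: R 3670904924:3670904924(0) win 0
7: 15:28:07.365505 802.1Q vlan#1 P0 10.10.1.198.80 > 10.10.44.50.55160: . 3670726384:3670727764(1380) ack 1311056836 win 8004
"""

def analyse(text):
    """Return flag counts, resets and retransmitted packet numbers (hypothetical helper)."""
    seen, report = Counter(), {"flags": Counter(), "resets": [], "retransmits": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, counters and damaged lines are skipped
        for ch in m["flags"]:
            report["flags"][FLAG_NAMES[ch]] += 1
        if "R" in m["flags"]:
            report["resets"].append((int(m["n"]), m["src"], m["ts"]))
        if m["len"] and int(m["len"]) > 0:
            # same flow + same starting sequence number with payload = resend
            key = (m["src"], m["sport"], m["dst"], m["dport"], m["seq"])
            seen[key] += 1
            if seen[key] > 1:
                report["retransmits"].append(int(m["n"]))
    return report

if __name__ == "__main__":
    r = analyse(SAMPLE)
    print("flags:", dict(r["flags"]))
    print("resets (packet, sender, time):", r["resets"])
    print("retransmitted packets:", r["retransmits"])
```

A segment that is re-sent with the same sequence range means the sender did not receive an acknowledgement for it in time, so a run of repeats before a reset is worth comparing against a capture taken at the other end of the tunnel.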