Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3326
Views
0
Helpful
5
Replies

How to prove a firewall is killing a TCP session?

ryancisco01
Level 1
Level 1

‎04-06-2015 08:50 PM - edited ‎03-11-2019 10:44 PM

How to tell if a firewall is killing a session?

 

If I have a tcp connection between Host A and server B with a firewall in between, lets say its ftp, and the user reports the ftp session is disconnecting how do we prove what is really going on.

 

Lets say the firewall is running ftp inspection and does indeed kill the session for whatever reason, I can only assume the firewall will send the tcp RST packet using a source IP of the server, not itself (ie the host wouldn't accept a RST for a session from a different IP address right?)

 

So if I am capturing packets, whether it be on wireshark on the host itself and/or packet capture on the firewall how can I tell where the reset originated from? Lets say for fun sake I cant do anything like show conn or show inspection and all I have access to is packet capture from the firewall. Are there any flags set that will indicate this?

 

 

 

Labels:
0 Helpful
5 Replies 5

johnlloyd_13
Level 9
Level 9

‎04-06-2015 08:54 PM

hi,

you can use the packet tracer feature/command on the ASA.

0 Helpful

ryancisco01
Level 1
Level 1
In response to johnlloyd_13

‎04-06-2015 09:47 PM

packet tracer shows layer 4 information, it wont show me how the firewall will behave if it receives invalid layer 7 information or something not doing a correct tcp handshake.

 

If you want to try this for yourself, enable smtp inspection, telnet to a mail server from a windows command prompt then type a command like "ehlo" you will see session disconnected or just no response, turn off smtp inspection, repeat test you will receive a reply from the mail server. 

 

In that same example packet tracer would show the connection as permitted, so the network engineer would tell the server engineer the traffic is permitted however in reality the firewall is bjorking the traffic. This probably isnt the best example for what I am trying to do but it proves the same point. 

0 Helpful

Evgeny Taskaev
Level 1
Level 1
In response to ryancisco01

‎04-07-2015 01:59 AM

If you want to prove that firewall stops a TCP session (not server) i suggest you start packet capture between host and server on both interfaces of ASA, which traffic crosses.
So, compare two captures of the TCP session you can see, who indeed send RST packet or what is going on.
Who knows, may be it is not ASA inspection issue. I would take a look at the captures. For fun sake.

0 Helpful

ryancisco01
Level 1
Level 1
In response to Evgeny Taskaev

‎04-07-2015 04:07 PM

Well yes I guess that would be the logical way.

 

I don't actually have a fault or anything, I am just curious and trying to learn!!

 

Seems ASA doesnt have a way of reporting when it sends the RST itself other than figuring it out for yourself with captures!

0 Helpful

Evgeny Taskaev
Level 1
Level 1
In response to ryancisco01

‎04-08-2015 03:05 AM

I think we are complicating a problem with packet capture :-).
What about ASA logs? Deletion of a TCP connection should go along with "Teardown" message. 
So "Teardown" log entry contains a reason.
There are list of them http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770614

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card