Internet issues with PAT

JDMJeffy84
Level 1

Hi guys,

Got a strange problem I'm seeing on Cisco ASA firewalls.

Scenario: Clients can access the Internet via PAT on ASA.

Clients are on wireless; they can happily surf the Internet while connected to one AP.

The issue is when they ROAM: they can roam and get the same IP address, but they cannot connect to the Internet. They can only access the Internet if they disassociate from the SSID and re-associate.

What I noticed in the syslogs is SYN Timeout and TCP denied... Not sure what is going on.

Feb 20 2013 11:52:51  : %ASA-6-302014: Teardown TCP connection 33015359 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/33724 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:51  : %ASA-6-302014: Teardown TCP connection 33015358 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/41186 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:51  : %ASA-6-302014: Teardown TCP connection 33015347 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/38518 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:49  : %ASA-6-302013: Built outbound TCP connection 33016459 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/33738 (PAT ADD/33738)

Feb 20 2013 11:52:48  : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(49128) hit-cnt 1 first hit [0x6be0682a, 0x0]

Feb 20 2013 11:52:46  : %ASA-6-302014: Teardown TCP connection 33015092 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/49128 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:44  : %ASA-6-302013: Built outbound TCP connection 33016219 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46359 (PAT ADD/46359)

Feb 20 2013 11:52:43  : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(42606) hit-cnt 1 first hit [0x6be0682a, 0x0]

Feb 20 2013 11:52:41  : %ASA-6-302014: Teardown TCP connection 33014893 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/42606 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:39  : %ASA-6-302013: Built outbound TCP connection 33016037 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46379 (PAT ADD/46379)
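
Added example, not part of the original post: a Python sketch that correlates the 106100 denies above with 302014 "SYN Timeout" teardowns on the same server/client-port flow. On the posted lines it shows each denied packet from port 80 arriving two seconds after the matching connection was torn down. The names `late_replies` and `flow` and the 60-second window are assumptions made for this example.

```python
import re
from datetime import datetime

# Log lines copied from the post above ("CLIENT ADD" is the poster's redaction).
SAMPLE = """\
Feb 20 2013 11:52:51  : %ASA-6-302014: Teardown TCP connection 33015359 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/33724 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:48  : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(49128) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:46  : %ASA-6-302014: Teardown TCP connection 33015092 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/49128 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:44  : %ASA-6-302013: Built outbound TCP connection 33016219 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46359 (PAT ADD/46359)
Feb 20 2013 11:52:43  : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(42606) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:41  : %ASA-6-302014: Teardown TCP connection 33014893 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/42606 duration 0:00:30 bytes 0 SYN Timeout
"""

TS = r"(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)"
TEARDOWN = re.compile(
    TS + r".*%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"\w+:(?P<srv>[\d.]+)/(?P<sport>\d+) to \w+:(?P<cli>.+?)/(?P<cport>\d+) "
    r"duration \S+ bytes \d+ (?P<reason>.+)$")
DENY = re.compile(
    TS + r".*%ASA-4-106100: access-list \S+ denied tcp "
    r"\w+/(?P<srv>[\d.]+)\((?P<sport>\d+)\) -> \w+/(?P<cli>.+?)\((?P<cport>\d+)\)")

def flow(m):
    """Key a log entry by server address/port and client address/port."""
    return (m["srv"], m["sport"], m["cli"], m["cport"])

def late_replies(text, window=60):
    """Return (conn_id, client_port, seconds_late) for every ACL deny that hits
    a flow already torn down with reason 'SYN Timeout'. Input order is free."""
    torn, denies = {}, []
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if m and m["reason"].strip() == "SYN Timeout":
            when = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            torn[flow(m)] = (when, m["conn"])
            continue
        m = DENY.search(line)
        if m:
            denies.append((flow(m), datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")))
    hits = []
    for key, when in denies:
        if key in torn:
            late = (when - torn[key][0]).total_seconds()
            if 0 <= late <= window:  # deny came after the teardown
                hits.append((torn[key][1], int(key[3]), late))
    return sorted(hits)

if __name__ == "__main__":
    for conn, port, late in late_replies(SAMPLE):
        print(f"conn {conn}: reply to client port {port} denied {late:.0f}s after teardown")
```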

1 Reply

Julio Carvajal
VIP Alumni

Hello Sr,

Really weird issue,

Is there a way we could create captures on the outside interface when the issue happens?

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Then we will get to the solution, or at least close enough.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC