Internet issues with PAT
02-20-2013 06:29 AM - edited 03-11-2019 06:03 PM
Hi guys,
Got a strange problem I'm seeing on Cisco ASA firewalls.
Scenario: Clients can access the Internet via PAT on ASA.
Clients are on Wireless; they can happily surf the Internet connected to one AP.
The issue is when they ROAM: they can roam and get the same IP address, but they cannot connect to the Internet. They can only access the Internet if they disassociate from the SSID and re-associate.
What I noticed in the syslogs is SYN Timeout, TCP denied... Not sure what is going on.
Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015359 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/33724 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015358 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/41186 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015347 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/38518 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:49 : %ASA-6-302013: Built outbound TCP connection 33016459 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/33738 (PAT ADD/33738)
Feb 20 2013 11:52:48 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(49128) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:46 : %ASA-6-302014: Teardown TCP connection 33015092 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/49128 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:44 : %ASA-6-302013: Built outbound TCP connection 33016219 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46359 (PAT ADD/46359)
Feb 20 2013 11:52:43 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(42606) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:41 : %ASA-6-302014: Teardown TCP connection 33014893 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/42606 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:39 : %ASA-6-302013: Built outbound TCP connection 33016037 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46379 (PAT ADD/46379)
02-28-2013 08:37 PM
Hello Sr,
Really weird issue,
Is there a way we could create captures on the outside interface when the issue happens?
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Then we will get to the solution or at least close enough.
Regards
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
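An added example, not part of either post: a Python script that pairs each SYN Timeout teardown (302014) in the syslog excerpt above with a later INBOUND deny (106100) for the same remote endpoint and client port, and reports the delay between them. The function name `correlate` and the 60-second window are assumptions made for this example; the sample lines are copied from the original post, redactions included.

```python
import re
from datetime import datetime

# Lines copied from the original post; "CLIENT ADD" is the poster's own redaction.
SAMPLE = """\
Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015359 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/33724 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:48 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(49128) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:46 : %ASA-6-302014: Teardown TCP connection 33015092 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/49128 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:44 : %ASA-6-302013: Built outbound TCP connection 33016219 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46359 (PAT ADD/46359)
Feb 20 2013 11:52:43 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(42606) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:41 : %ASA-6-302014: Teardown TCP connection 33014893 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/42606 duration 0:00:30 bytes 0 SYN Timeout
"""

TS = r"^(\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) : "
TEARDOWN = re.compile(TS + r"%ASA-6-302014: Teardown TCP connection (\d+) for "
                      r"\w+:([\d.]+)/(\d+) to (\w+):(.+?)/(\d+) duration \S+ bytes \d+ SYN Timeout")
DENY = re.compile(TS + r"%ASA-4-106100: access-list (\S+) denied tcp "
                  r"\w+/([\d.]+)\((\d+)\) -> (\w+)/(.+?)\((\d+)\)")

def _ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def correlate(log_text, window=60):
    """Return (late, unmatched): denies that follow a SYN Timeout teardown of the
    same flow within `window` seconds, and teardown IDs with no such deny."""
    teardowns, denies = {}, []
    for line in log_text.splitlines():  # line order does not matter
        if m := TEARDOWN.match(line):
            when, conn, rip, rport, ifc, cip, cport = m.groups()
            teardowns[(rip, rport, ifc, cip, cport)] = (_ts(when), conn)
        elif m := DENY.match(line):
            when, acl, rip, rport, ifc, cip, cport = m.groups()
            denies.append(((rip, rport, ifc, cip, cport), _ts(when), acl))
    late, matched = [], set()
    for key, when, acl in denies:
        if key in teardowns:
            delay = (when - teardowns[key][0]).total_seconds()
            if 0 <= delay <= window:
                late.append({"conn": teardowns[key][1], "client_port": int(key[4]),
                             "acl": acl, "delay_s": delay})
                matched.add(key)
    unmatched = sorted(c for k, (_, c) in teardowns.items() if k not in matched)
    return sorted(late, key=lambda r: r["conn"]), unmatched

if __name__ == "__main__":
    late, unmatched = correlate(SAMPLE)
    print(late)
    print("SYN Timeout teardowns with no later deny:", unmatched)
```

On the excerpt, client ports 42606 and 49128 each show a deny two seconds after the teardown, which gives concrete flows to filter on when setting up the outside-interface captures requested in the reply.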
