internet problem with PAT

JDMJeffy84 · ‎02-20-2013

Hi guys,

Got a strange problem I'm seeing on Cisco ASA firewalls.

Scenario: Clients can access the Internet via PAT on ASA.

Clients are on Wireless, they can happily surf the Internet connected to one AP

Issue is when they ROAM, they can roam get same IP Address but they cannot connect to the Internet. They can only access the Internet if they dis-associate from SSID and re-associate.

What I noticed on the Syslogs is SYN Timeout, TCP denied... Not sure what is going on

Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015359 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/33724 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015358 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/41186 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015347 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/38518 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:49 : %ASA-6-302013: Built outbound TCP connection 33016459 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/33738 (PAT ADD/33738)

Feb 20 2013 11:52:48 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(49128) hit-cnt 1 first hit [0x6be0682a, 0x0]

Feb 20 2013 11:52:46 : %ASA-6-302014: Teardown TCP connection 33015092 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/49128 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:44 : %ASA-6-302013: Built outbound TCP connection 33016219 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46359 (PAT ADD/46359)

Feb 20 2013 11:52:43 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(42606) hit-cnt 1 first hit [0x6be0682a, 0x0]

Feb 20 2013 11:52:41 : %ASA-6-302014: Teardown TCP connection 33014893 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/42606 duration 0:00:30 bytes 0 SYN Timeout

Feb 20 2013 11:52:39 : %ASA-6-302013: Built outbound TCP connection 33016037 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46379 (PAT ADD/46379)Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015359 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/33724 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015358 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/41186 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:51 : %ASA-6-302014: Teardown TCP connection 33015347 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/38518 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:49 : %ASA-6-302013: Built outbound TCP connection 33016459 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/33738 (PAT ADD/33738)
Feb 20 2013 11:52:48 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(49128) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:46 : %ASA-6-302014: Teardown TCP connection 33015092 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/49128 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:44 : %ASA-6-302013: Built outbound TCP connection 33016219 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46359 (PAT ADD/46359)
Feb 20 2013 11:52:43 : %ASA-4-106100: access-list INBOUND denied tcp outside/212.58.244.70(80) -> wireless_guest/CLIENT ADD(42606) hit-cnt 1 first hit [0x6be0682a, 0x0]
Feb 20 2013 11:52:41 : %ASA-6-302014: Teardown TCP connection 33014893 for outside:212.58.244.70/80 to wireless_guest:CLIENT ADD/42606 duration 0:00:30 bytes 0 SYN Timeout
Feb 20 2013 11:52:39 : %ASA-6-302013: Built outbound TCP connection 33016037 for outside:212.58.244.70/80 (212.58.244.70/80) to wireless_guest:CLIENT ADD/46379 (PAT ADD/46379)

Maykol Rojas · ‎02-25-2013

Hi,

Can you let me know what is this?

CLIENT ADD

Is there any other gateway to the internet?

Mike