Microsoft TMG Behind Cisco ASA

zakid
Beginner

We have web publishing services running through TMG and, of course, they go through the Cisco firewall. 25 to 30 www services have been published so far with no issue. Recently I have noticed some weird things: I can see traffic from my ISP to my perimeter router and even in my firewall for that published web site, but the connection is not established successfully. When I enquired with the TMG team, even they did not see any traffic for it. Traffic is reaching up to the firewall, so what could be the problem? After some time it established successfully, without any human intervention.

Note: I have double checked routing and recreated the ACL rules and NAT for that particular site.

If someone can put me in the right direction, it is much appreciated.

Thanks & regards,

6 REPLIES

Julio Carvajal
Advisor

Hello Zakid,

For this kind of scenario, where nothing makes sense, the best way to troubleshoot it is via captures (as someone said: captures don't lie), so we can determine where the traffic is being denied or getting stuck.

Do a capture on the ingress and egress interfaces of the ASA to make sure it's not getting denied there.

Also, the logs from when you try to connect will be really helpful.

Regards

Julio

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the prompt reply,

Please find the capture log; real IPs are replaced with X for security reasons.

TCP outside X.X.X.X:43074 dmz1 X.X.X.X:443, idle 0:00:00, bytes 0, flags SaAB
TCP outside X.X.X.X:54833 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB
TCP outside X.X.X.X:50612 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB
TCP outside X.X.X.X:50611 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB
TCP outside X.X.X.X:50613 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB
TCP outside X.X.X.X:44097 dmz1 X.X.X.X:443, idle 0:00:01, bytes 0, flags SaAB
TCP outside X.X.X.X:27200 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB

Any findings please....

Hi,

The ASA has seen the initial TCP SYN from the host on the "outside".

But that's it.

The target host/server is not replying to that TCP SYN with a TCP SYN ACK, so the connections time out.

- Jouni
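An added example, not posted by anyone in this thread, that parses `show conn` lines in the layout quoted above and flags the SaAB / bytes 0 pattern Jouni describes (outside SYN seen, no SYN-ACK from the server), grouping the stuck connections per published server socket. The flag legend is the TCP subset from older ASA releases' `show conn` output; newer releases word some entries differently, and the sample table is constructed with RFC 5737 documentation addresses.

```python
import re
# TCP subset of the flag legend printed by `show conn` on older ASA releases (the layout in this thread).
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up (handshake complete)",
    "I": "inbound data", "O": "outbound data", "F": "outside FIN", "f": "inside FIN",
}
# One conn-table line, e.g.:
# TCP outside 203.0.113.5:43074 dmz1 192.0.2.10:443, idle 0:00:06, bytes 0, flags SaAB
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<out_if>\S+) (?P<out_ip>[^:\s]+):(?P<out_port>\d+) "
    r"(?P<in_if>\S+) (?P<in_ip>[^:\s]+):(?P<in_port>\d+), idle (?P<idle>\d+:\d\d:\d\d), "
    r"bytes (?P<nbytes>\d+), flags (?P<flags>\S+)$"
)

def parse_conn_line(line):
    """Return the fields of one `show conn` line as a dict, or None if the line does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["idle"].split(":"))
    return {"proto": m["proto"], "out_if": m["out_if"], "client": f'{m["out_ip"]}:{m["out_port"]}',
            "in_if": m["in_if"], "server": f'{m["in_ip"]}:{m["in_port"]}',
            "idle_seconds": h * 3600 + mi * 60 + s, "nbytes": int(m["nbytes"]), "flags": m["flags"]}

def describe_flags(flags):
    """Expand a flag string such as 'SaAB' into the legend text, one entry per letter."""
    return [FLAG_LEGEND.get(f, "unknown flag " + f) for f in flags]

def is_half_open_from_outside(conn):
    # Outside SYN recorded (B), ASA still waiting for the server's SYN-ACK (S), never reached
    # "up" (U) and no payload passed: the SaAB / bytes 0 pattern posted in this thread.
    f = conn["flags"]
    return conn["proto"] == "TCP" and "B" in f and "S" in f and "U" not in f and conn["nbytes"] == 0

def triage(lines):
    """Count half-open outside-initiated TCP connections per published server socket."""
    stuck = {}
    for line in lines:
        c = parse_conn_line(line)
        if c is not None and is_half_open_from_outside(c):
            key = f'{c["in_if"]} {c["server"]}'
            stuck[key] = stuck.get(key, 0) + 1
    return stuck
# Constructed sample modelled on the thread's output, using RFC 5737 documentation addresses.
SAMPLE_CONN_TABLE = [
    "TCP outside 203.0.113.5:43074 dmz1 192.0.2.10:443, idle 0:00:00, bytes 0, flags SaAB",
    "TCP outside 203.0.113.5:54833 dmz1 192.0.2.10:443, idle 0:00:02, bytes 0, flags SaAB",
    "TCP outside 198.51.100.7:50612 dmz1 192.0.2.10:443, idle 0:00:06, bytes 0, flags SaAB",
    "TCP outside 198.51.100.9:40021 dmz1 192.0.2.20:443, idle 0:00:03, bytes 8512, flags UIO",
]
```

Running `triage(SAMPLE_CONN_TABLE)` reports three half-open connections to `dmz1 192.0.2.10:443` and none to the server whose connections are up; the same pattern across many client ports for one server points at the server or the path behind the ASA rather than at the outside client.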

Hello Zakid,

Okay, those are the logs you have, but are you sure those are the only ones related to the connection?

Do the following:

cap capout interface outside match tcp host X.X.X.X (outside client) host y.y.y.y (public IP server) eq 443

cap capin interface inside match tcp host x.x.x.x (outside client) host y.y.y.y (private IP server) eq 443

cap asp type asp-drop all circular-buffer

Then try to connect once....

Afterwards, share:

show cap capin

show cap capout

show cap asp | include x.x.x.x (outside client)

Regards


Zakid,

Did you find the solution for this issue? I am running into the same issue.

Thanks,

Vikas

Proceed with the captures as requested in my last post.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com
