07-07-2013 03:45 AM - edited 03-11-2019 07:08 PM
We have a web publishing service running through TMG and of course it goes through a Cisco firewall. 25 to 30 www services have been published so far with no issue. Recently I have noticed some weird things occurring: I can see traffic from my ISP to my perimeter router and even in my firewall for that published web site, but the connection is not established successfully. When I enquired with the TMG team, they did not see any traffic to it at all. Traffic is reaching up to the firewall, so what could be the problem? After some time it established successfully, without any human intervention.
Note: I have double-checked the routing and recreated the ACL rules and NAT for that particular site.
If someone can put me in the right direction it would be much appreciated.
Thanks & regards,
07-07-2013 09:43 AM
Hello Zakid,
For this kind of scenario where nothing makes sense, the best way to troubleshoot is via captures (as someone said: captures don't lie) so we can determine where the traffic is being denied or getting stuck.
Do a capture on the ingress and egress interfaces of the ASA to make sure it's not getting denied there.
Also, the logs from when you try to connect will be really helpful.
Regards
Julio
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
07-08-2013 01:13 AM
Thanks for the prompt reply.
Please find the capture log below; real IPs are replaced with X for security reasons.
TCP outside X.X.X.X:43074 dmz1 X.X.X.X:443, idle 0:00:00, bytes 0, flags SaAB
TCP outside X.X.X.X:54833 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB
TCP outside X.X.X.X:50612 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB
TCP outside X.X.X.X:50611 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB
TCP outside X.X.X.X:50613 dmz1 X.X.X.X:443, idle 0:00:06, bytes 0, flags SaAB
TCP outside X.X.X.X:44097 dmz1 X.X.X.X:443, idle 0:00:01, bytes 0, flags SaAB
TCP outside X.X.X.X:27200 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB
Any findings please...
07-08-2013 01:17 AM
Hi,
The ASA has seen the initial TCP SYN from the host on the "outside",
but that's it.
The target host/server is not replying to that TCP SYN with a TCP SYN ACK, so the connections time out.
- Jouni
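The reading above follows directly from the flag letters the ASA prints in "show conn". As an added example (not from the thread or from Cisco), this small Python parser decodes those lines and classifies each entry by handshake state, so a whole conn table can be triaged at once; the sample input is constructed from two of the posted lines plus one made-up healthy connection.

```python
import re

# Matches a TCP/UDP line of the ASA "show conn" listing, e.g.:
# TCP outside X.X.X.X:43074 dmz1 X.X.X.X:443, idle 0:00:00, bytes 0, flags SaAB
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<host_a>\S+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<host_b>\S+):(?P<port_b>\d+),\s*idle\s+(?P<idle>\S+),"
    r"\s*bytes\s+(?P<nbytes>\d+),\s*flags\s+(?P<flags>\S+)$"
)

def parse_conn_table(text):
    """One dict per matching 'show conn' line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            for k in ("port_a", "port_b", "nbytes"):
                c[k] = int(c[k])
            conns.append(c)
    return conns

def diagnose(c):
    """Classify a TCP entry from the ASA flag letters: B initial SYN from outside,
    S/s awaiting inside/outside SYN, A/a awaiting inside/outside ACK to SYN, U up."""
    f = set(c["flags"])
    if "U" in f:
        return "established"
    if "B" in f and "S" in f:
        # The conn exists, so the outside SYN already passed ACL and NAT; the ASA is
        # waiting for the server's SYN-ACK. Check the server and its return route.
        return "half-open: outside SYN forwarded, no SYN-ACK from %s" % c["if_b"]
    if "s" in f:
        return "half-open: inside SYN forwarded, no SYN-ACK from %s" % c["if_b"]
    if f & {"A", "a"}:
        return "half-open: SYN-ACK seen, final ACK missing"
    return "other flags: " + c["flags"]

# Constructed sample: two lines as posted in the thread plus one healthy connection.
SAMPLE = """\
TCP outside X.X.X.X:43074 dmz1 X.X.X.X:443, idle 0:00:00, bytes 0, flags SaAB
TCP outside X.X.X.X:54833 dmz1 X.X.X.X:443, idle 0:00:02, bytes 0, flags SaAB
TCP outside 203.0.113.7:51000 dmz1 10.0.0.20:443, idle 0:00:03, bytes 4521, flags UIO
"""

if __name__ == "__main__":
    for c in parse_conn_table(SAMPLE):
        print(c["host_a"], c["port_a"], "->", c["host_b"], c["port_b"], ":", diagnose(c))
```

A table full of "SaAB" entries with bytes 0 points behind the firewall, which is why the capture on the server-side interface suggested later in the thread is the next step.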
07-08-2013 09:27 AM
Hello Zakid,
Okay, those are the logs you have, but are you sure those are the only ones related to the connection?
Do the following:
cap capout interface outside match tcp host X.X.X.X (outside client) host y.y.y.y (public IP server) eq 443
cap capin interface inside match tcp host x.x.x.x (outside client) host y.y.y.y (private IP server) eq 443
cap asp type-asp drop all circular-buffer
Then try to connect once....
Afterwards share:
show cap capin
show cap capout
show cap asp | include x.x.x.x (outside client)
Regards
11-17-2013 07:04 AM
Zakid,
Did you find the solution for this issue? I am running into the same issue.
Thanks,
Vikas
11-17-2013 11:52 AM
Proceed with the captures as requested in my last post.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com