Problem in OBJECT GROUP in ASA 5520

prashantrecon
Level 1

Hi All,

I have created an object group and an access list as given below.

object-group network MOBILE_IN

access-list MOBILE extended permit ip object-group MOBILE_IN any

static (inside,outside) x.x.x.x  access-list MOBILE

Now my problem is that with this configuration every website is working fine except YouTube.

When I open YouTube it takes a long time to open, and when I tried to play a video it did not play.

Other sites' videos, like MSN video and Rediff video, are working fine.

Can anyone give a clue why this happens?

Regards,

Prashant

7 Replies

prashantrecon
Level 1

Hi All,

When I check the log, it says that

6    Oct 17 2011    09:52:49    302014    74.125.232.193    80    172.16.6.131    1892    Teardown TCP connection 16226049 for outside:74.125.232.193/80 to inside:172.16.6.131/1892 duration 0:04:00 bytes 0 TCP Reset-I

Hello Kumar,

As we can see here, the TCP connection is being closed because of a reset, and this reset is coming from the inside, so this means the inside user is sending a reset message and the connection is being dropped.

You will need to take a look at the inside PC. I am quite sure that if you take some captures you are going to see the internal host sending this message, so the ASA is not the one dropping the connection.

Hope you have a great day.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
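To check whether the pattern in that log line repeats, the sketch below parses 302014 teardown entries and groups them per inside host, listing `TCP Reset-I` flows that carried no data. It is an added example, not code from anyone in the thread; the function names are hypothetical, and every sample line except the first (the one quoted in the thread) is constructed.

```python
import re
from collections import Counter

TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+)\s+for\s+"
    r"(?P<a_if>[^\s:]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+)\s+to\s+"
    r"(?P<b_if>[^\s:]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+)\s+"
    r"duration\s+(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+(?P<reason>\S.*?))?\s*$"
)

def parse_teardown(line):
    """Return the fields of a 302014 teardown line, or None for any other line."""
    if (m := TEARDOWN.search(line)) is None:
        return None
    g = m.groupdict()
    return {
        "conn": int(g["conn"]),
        "a": (g["a_if"], g["a_ip"], int(g["a_port"])),
        "b": (g["b_if"], g["b_ip"], int(g["b_port"])),
        "seconds": int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"]),
        "bytes": int(g["bytes"]),
        "reason": g["reason"] or "",
    }

def triage(lines, inside_if="inside"):
    """Count teardown reasons per inside host; list Reset-I flows that moved 0 bytes."""
    reasons, zero_byte_resets = Counter(), []
    for rec in filter(None, map(parse_teardown, lines)):
        ends = (rec["a"], rec["b"])
        host = next((e for e in ends if e[0] == inside_if), None)
        if host is None:
            continue  # neither endpoint is on the inside interface
        peer = ends[1] if host is ends[0] else ends[0]
        reasons[(host[1], rec["reason"])] += 1
        if rec["reason"] == "TCP Reset-I" and rec["bytes"] == 0:
            zero_byte_resets.append((host[1], f"{peer[1]}:{peer[2]}", rec["seconds"]))
    return reasons, zero_byte_resets

SAMPLE = [
    # Line quoted in the thread (ASDM log viewer layout).
    "6    Oct 17 2011    09:52:49    302014    74.125.232.193    80    172.16.6.131    1892    Teardown TCP connection 16226049 for outside:74.125.232.193/80 to inside:172.16.6.131/1892 duration 0:04:00 bytes 0 TCP Reset-I",
    # Constructed lines for contrast (syslog layout, documentation-range peers).
    "%ASA-6-302014: Teardown TCP connection 16226050 for outside:203.0.113.10/80 to inside:172.16.6.131/1893 duration 0:00:12 bytes 48211 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 16226051 for outside:203.0.113.10/80 to inside:172.16.6.140/2044 duration 0:00:30 bytes 0 SYN Timeout",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host that shows up repeatedly in the zero-byte list for the same destination is the one to capture on first.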

Hi Prashant,

The log doesn't seem the right one to me:

6    Oct 17 2011    09:52:49    302014    74.125.232.193    80     172.16.6.131    1892    Teardown TCP connection 16226049 for  outside:74.125.232.193/80 to inside:172.16.6.131/1892 duration 0:04:00  bytes 0 TCP Reset-I

The IP 74.125.232.193 is for Google, not YouTube.

To troubleshoot this issue, take the correct logs and take captures when you access YouTube.

In the logs, check the reason for the teardown, and in the captures check if there is any delay from the ASA: what time the packet takes from when it enters the inside interface to the time it leaves the outside interface.

These should be your troubleshooting steps.

For captures:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

When I did nslookup from my machine, it displays as

C:\Documents and Settings\Administrator>nslookup youtube.com
Server:  vnsc-bak.sys.gtei.net
Address:  4.2.2.2

Non-authoritative answer:
Name:    youtube.com
Addresses:  74.125.232.192, 74.125.232.193, 74.125.232.194, 74.125.232.195
          74.125.232.196, 74.125.232.197, 74.125.232.198, 74.125.232.199, 7
.232.200
          74.125.232.201, 74.125.232.202, 74.125.232.203, 74.125.232.204, 7
.232.205
          74.125.232.206, 74.125.232.207

Can you tell me the possible reason why my PC is sending a reset request?

When I set my PC to use a proxy server, YouTube works fine.

Hello Kumar,

At this moment we can see that the ASA is not the one dropping the connections, as the reset is internal. Now, it is hard to figure out why a PC is sending a reset message, but one reason a device will send a RST is in response to receiving a packet for a closed socket. To define why this is happening is really hard, because every possible perversion has been visited on TCP since its inception.

I would recommend using a packet sniffer (Wireshark) on the PC and confirming that the PC is the one sending the reset message when you make the connection.

Please take some captures and let us know the result.

Hope you have a great day.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Please find the attachment named "youtube wireshark capture".

Please use a filter for my machine IP, 172.16.6.131.

Regards,

Prashant
