04-14-2014 01:06 PM - last edited on 03-25-2019 05:53 PM by ciscomoderator
A client I do work for reached out to me today with an odd issue. There are a handful of secure websites they cannot reach from one location. I checked the ASA logs and 30 seconds after the initial packet, the ASA receives a SYN timeout packet. The ACK packet doesn't show up late, so that isn't the issue. I ran a packet capture between my laptop and one of the websites and this is the result:
42 packets captured
1: 15:36:43.390131 10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 15:36:43.390375 10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 15:36:43.393763 10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
4: 15:36:43.394037 10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
5: 15:36:44.631055 10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
6: 15:36:44.631360 10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
7: 15:36:44.797901 10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
8: 15:36:44.798191 10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
9: 15:36:46.393335 10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
10: 15:36:46.393610 10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
11: 15:36:47.635816 10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12: 15:36:47.792927 10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13: 15:36:52.390116 10.100.32.78.59383 > 67.215.65.132.443: S 2635331600:2635331600(0) win 8192 <mss 1460,nop,nop,sackOK>
14: 15:36:52.391276 10.100.32.78.59382 > 67.215.65.132.80: S 4041735143:4041735143(0) win 8192 <mss 1460,nop,nop,sackOK>
15: 15:36:53.629987 10.100.32.78.59388 > 67.215.65.132.443: S 1503451964:1503451964(0) win 8192 <mss 1460,nop,nop,sackOK>
16: 15:36:53.790944 10.100.32.78.59391 > 67.215.65.132.443: S 3672205703:3672205703(0) win 8192 <mss 1460,nop,nop,sackOK>
17: 15:37:16.036634 10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
18: 15:37:16.036924 10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
19: 15:37:16.286606 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20: 15:37:16.286850 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
21: 15:37:19.036222 10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22: 15:37:19.296783 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
23: 15:37:25.035215 10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,nop,sackOK>
24: 15:37:25.296066 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,nop,sackOK>
25: 15:37:34.983484 10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
26: 15:37:34.983744 10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
27: 15:37:37.033750 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
28: 15:37:37.034132 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
29: 15:37:37.982813 10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
30: 15:37:40.033811 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
31: 15:37:43.982630 10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,nop,sackOK>
32: 15:37:46.033598 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,nop,sackOK>
33: 15:38:25.398676 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
34: 15:38:25.399057 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
35: 15:38:32.206044 10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,nop,sackOK>
36: 15:38:32.206608 10.100.32.78.59412 > 67.215.65.132.443: S 348290702:348290702(0) win 8192 <mss 1460,nop,nop,sackOK>
37: 15:38:32.640530 10.100.32.78.59413 > 67.215.65.132.443: S 3293407450:3293407450(0) win 8192 <mss 1460,nop,nop,sackOK>
38: 15:38:41.944988 10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
39: 15:38:41.945751 10.100.32.78.59414 > 67.215.65.132.443: S 2726171046:2726171046(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
40: 15:38:44.166754 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
41: 15:38:44.167563 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
42: 15:38:47.646695 10.100.32.78.59415 > 67.215.65.132.443: S 2795949824:2795949824(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
42 packets shown
As shown above, I don't see any packets coming back from the server. There is only one site this doesn't work for, so I am stumped. Part of me is wondering if there is a NAT issue, but if it was that, I would think the entire site would have issues accessing the internet. One other part to note: the ASA is doing a WCCP redirect to an Ironport. I did a policy trace on the Ironport and it says the site is allowed.
TIA for any ideas.
Dan
04-14-2014 01:37 PM
Another capture going to a different site that cannot be reached:
1: 16:35:43.221393 10.100.32.78.61633 > 199.48.156.102.443: S 2887732050:2887732050(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 16:35:43.461401 10.100.32.78.61634 > 199.48.156.102.443: S 396969507:396969507(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 16:35:46.220356 10.100.32.78.61633 > 199.48.156.102.443: S 2887732050:2887732050(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
4: 16:35:46.460318 10.100.32.78.61634 > 199.48.156.102.443: S 396969507:396969507(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
5: 16:35:52.220478 10.100.32.78.61633 > 199.48.156.102.443: S 2887732050:2887732050(0) win 8192 <mss 1460,nop,nop,sackOK>
6: 16:35:52.460074 10.100.32.78.61634 > 199.48.156.102.443: S 396969507:396969507(0) win 8192 <mss 1460,nop,nop,sackOK>
I did set up the ASA to not send requests to the Ironport for two of the sites. The captures I have posted are from those two sites.
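An added example, not part of the posts above: a short Python script that reads capture text in the format shown in this thread, groups SYNs per flow, lists the gaps between retransmissions and reports which flows never saw a SYN-ACK. The function names are hypothetical, and the sample lines are constructed from documentation address ranges, including the assumed form of a SYN-ACK line.

```python
import re
from collections import defaultdict

# Constructed sample in the capture text format used in the posts
# (documentation addresses, not values taken from the thread).
SAMPLE = """\
1: 10:00:00.000000 192.0.2.10.50000 > 198.51.100.5.443: S 1000:1000(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 10:00:03.000000 192.0.2.10.50000 > 198.51.100.5.443: S 1000:1000(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 10:00:09.000000 192.0.2.10.50000 > 198.51.100.5.443: S 1000:1000(0) win 8192 <mss 1460,nop,nop,sackOK>
4: 10:00:01.000000 192.0.2.10.50001 > 198.51.100.9.443: S 2000:2000(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
5: 10:00:01.020000 198.51.100.9.443 > 192.0.2.10.50001: S 3000:3000(0) ack 2001 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
"""

LINE = re.compile(
    r"^\s*\d+:\s+(\d+):(\d+):(\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+"
    r"(\S+)\s+\d+:\d+\(\d+\)(\s+ack\s+\d+)?"
)

def analyze(text):
    """Return per-flow SYN count, retransmission gaps and whether a SYN-ACK was seen."""
    syns = defaultdict(list)   # (client, cport, server, sport) -> SYN timestamps
    answered = set()           # flows for which a SYN-ACK came back
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue           # header/footer lines such as "42 packets captured"
        h, mi, s, src, sp, dst, dp, flags, ack = m.groups()
        if "S" not in flags:
            continue
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if ack:                # SYN-ACK: key it by the client's original direction
            answered.add((dst, dp, src, sp))
        else:
            syns[(src, sp, dst, dp)].append(t)
    report = {}
    for flow, times in syns.items():
        times.sort()
        # A gap near 0 means the same SYN appears twice in the capture.
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        src, sp, dst, dp = flow
        report[f"{src}:{sp}>{dst}:{dp}"] = {
            "syns": len(times), "gaps": gaps, "answered": flow in answered}
    return report

def unanswered(text):
    """Flows whose SYNs were retransmitted without any SYN-ACK in the capture."""
    return sorted(k for k, v in analyze(text).items() if not v["answered"])
```

Running the same capture filter on the inside and outside interfaces and comparing the two reports shows whether the SYNs leave the firewall at all and whether replies reach it.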