07-16-2013 06:55 AM - edited 03-12-2019 06:05 PM
Hi
I captured a connection attempt (telnet 10.197.10.19 8888) from 10.123.14.24 on the outside interface of the ASA
2 packets captured
1: 13:35:59.051358 10.123.14.24.37199 > 10.197.10.19.8888: S 920768158:920768158(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 13:35:59.051999 10.197.10.19.8888 > 10.123.14.24.37199: R 0:0(0) ack 920768159 win 0
2 packets shown
What does R 0:0(0) mean in the second packet?
Who reset the connection? This ASA or the destination (10.197.10.19) which is on the next hop?
Thanks
Peter
07-17-2013 12:45 AM
Hi,
So as you can see, the ASA has initially seen a TCP SYN from "inside" to "dci". This is true simply because the ASA is now removing a connection from its connection table as indicated by the Teardown message.
However, the connection has been terminated by the host behind the "dci" interface by sending a TCP Reset.
This is indicated by the TCP Reset-O.
So the TCP Reset came from behind the interface which has the LOWEST "security-level" value
- Jouni
07-16-2013 07:41 AM
Hi,
Is the destination IP address a Static NAT IP address or is it simply the interface IP address of the ASA without any Static PAT (Port Forward) configurations?
If you captured the packets on the "outside" interface then I guess it could mean either that the NATed host sent a TCP Reset to the connection attempt or the ASA sent the TCP Reset if the connection attempt was simply aimed at the ASA.
The logs might also tell this if you monitor them during the connection attempt. The "Teardown" message should either say Reset-I or Reset-O which would basically tell you from which side of the ASA the TCP Reset came. Reset-I means the interface related to the connection which has the higher "security-level" and Reset-O means the interface related to the connection which has the lower "security-level".
By default the ASA itself won't send a TCP Reset to a connection towards its interface IP address. It can be configured to act otherwise.
Hope this helps
- Jouni
07-16-2013 12:25 PM
Hi Jouni
thank you
The destination address is an IOS SLB virtual IP address on the network on the outside of the ASA.
The log does not contain the message "Teardown..."
Probably because the connection is not created, there is a RESET response to the SYN packet
Peter
07-16-2013 12:32 PM
Hi,
So do I understand correctly that you are initiating a connection from behind the ASA on some LAN network towards some host behind the ASA "outside" interface and this capture has been taken on the "outside" interface?
If that is the case then it would seem the remote end resets the connection.
Even if the remote host sends a TCP Reset right after it has received the TCP SYN message, the ASA will still build a connection for it and it will also teardown that connection right away.
The easiest way to monitor this is through ASDM or a separate Syslog server if you are logging to one.
Also you will naturally have to make sure that you are logging at level "informational" and that you have not disabled any log message IDs on the ASA. You should be able to see the connection forming and being torn down. The duration for the connection will probably be 0 seconds.
- Jouni
07-16-2013 12:48 PM
Yes, you understand correctly.
I will check level of logging.
Peter
07-17-2013 12:29 AM
I checked the logging level, I fixed it, now it is OK, there are a lot of different Build... and Teardown... messages in syslog
so I did an attempt
But I see only the Built... message, no Teardown of my attempt. And after the attempt I immediately checked show connection on the ASA and my attempt was not there
Peter
07-17-2013 12:36 AM
Hi,
There should be a Teardown message for every connection built. The other thing is of course if the log message ever arrives on the Syslog server. It might be good to go to ASDM and filter logs according to the source IP address of the connection and then attempt the connection. If the connection is reset then you should see a log message of it pretty fast.
You probably won't see anything with the "show conn" command
Do notice the timestamps in the capture you mention in your post. The connection is reset in UNDER 1 millisecond after the ASA saw the TCP SYN. So the connection has been in the ASA connection table for a very very very short time.
Something you probably wouldn't see anywhere else than the logs or the capture.
- Jouni
07-17-2013 12:41 AM
I turned off logging of the Build message and now I see the Teardown of my attempt
It looks like there were a lot of messages and not all were sent from the ASA. Maybe.
So now I see
Teardown TCP connection 687760866 for dci:10.197.10.19/8888 to inside:10.123.14.24/52692 duration 0:00:00 bytes 0 TCP Reset-O
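As an added example (not from the thread or from Cisco), here is a small Python script that does the two readings discussed above mechanically: it parses the two capture lines from the top of the thread to show that the R 0:0(0) packet is an RST that acknowledges the SYN and arrives well under a millisecond later, and it parses the Teardown line above to turn Reset-I / Reset-O into an interface name. The security levels (inside=100, dci=0) are an assumption; the thread only says that "inside" is the higher side and "dci" the lower one.

```python
import re
from datetime import datetime

# Constructed sample input: the two packets from the ASA "capture" output quoted
# at the top of the thread (SYN from the inside host, RST back from the SLB VIP).
CAPTURE = """\
1: 13:35:59.051358 10.123.14.24.37199 > 10.197.10.19.8888: S 920768158:920768158(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 13:35:59.051999 10.197.10.19.8888 > 10.123.14.24.37199: R 0:0(0) ack 920768159 win 0
"""

# Constructed sample input: the Teardown syslog line quoted in the thread.
TEARDOWN = ("Teardown TCP connection 687760866 for dci:10.197.10.19/8888 "
            "to inside:10.123.14.24/52692 duration 0:00:00 bytes 0 TCP Reset-O")

# Assumed security levels; the thread never states the numbers, only that
# "inside" is the higher side and "dci" the lower one.
SECURITY_LEVELS = {"inside": 100, "dci": 0}

CAPTURE_RE = re.compile(
    r"^(?P<idx>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFUA.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def parse_capture(text):
    """Parse ASA 'show capture' lines (tcpdump style) into dicts with typed fields."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if not m:
            continue  # skips the "N packets captured/shown" summary lines
        packets.append({
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"],
            "seq": int(m["seq"]), "len": int(m["len"]),
            "ack": int(m["ack"]) if m["ack"] else None,
            "win": int(m["win"]),
        })
    return packets


def analyze_refusal(packets):
    """Pair the first bare SYN with an RST from the peer that acknowledges it.

    'R 0:0(0) ack N' reads as: RST flag, sequence number 0 (the peer never sent a
    SYN-ACK, so it has no ISN of its own), zero data bytes, and an ACK equal to
    our SYN's sequence + 1. That is the peer itself refusing the connection.
    """
    syn = next((p for p in packets if p["flags"] == "S" and p["ack"] is None), None)
    if syn is None:
        return None
    for p in packets:
        if ("R" in p["flags"] and p["src"] == syn["dst"] and p["sport"] == syn["dport"]
                and p["dst"] == syn["src"] and p["dport"] == syn["sport"]
                and p["ack"] == syn["seq"] + 1):
            delay = p["ts"] - syn["ts"]
            return {
                "rst_from": p["src"],
                "rst_seq_zero": p["seq"] == 0 and p["len"] == 0,
                "rst_delay_us": delay.seconds * 1_000_000 + delay.microseconds,
            }
    return None


def parse_teardown(line):
    """Split a Teardown syslog line into connection id, both endpoints, duration and reason."""
    m = TEARDOWN_RE.search(line)
    return m.groupdict() if m else None


def reset_origin(teardown, levels):
    """Map Reset-I / Reset-O to an interface name using the security levels:
    Reset-I = reset came from the higher security-level side,
    Reset-O = reset came from the lower security-level side."""
    reason = teardown.get("reason") or ""
    ifaces = [teardown["if_a"], teardown["if_b"]]
    if reason.endswith("Reset-I"):
        return max(ifaces, key=lambda i: levels[i])
    if reason.endswith("Reset-O"):
        return min(ifaces, key=lambda i: levels[i])
    return None


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    print(analyze_refusal(pkts))
    td = parse_teardown(TEARDOWN)
    print(td["reason"], "->", reset_origin(td, SECURITY_LEVELS))
```

On the thread's data this reports the RST coming from 10.197.10.19 641 microseconds after the SYN, and the Teardown reason Reset-O resolving to "dci", the lower security-level interface, which matches the conclusion that the host behind "dci" (the SLB VIP) refused the connection, not the ASA.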
07-17-2013 12:50 AM
thank you very much
Peter