
Return traffic not coming from Server

mahesh18, Level 6

Hi All,

We have an issue here with an ASA connecting to a server at another site over a WAN link.

The ASA has 2 interfaces, inside and outside.

We have configured an ACL on the inside interface to allow access to the server on port 28888, and the return traffic from the server comes on port 1140.

On the ASA I can see the hit counts while a user accesses the server on port 28888.

But for the return traffic there are no hit counts.

Here is the log from the ASA:

Deny tcp src inside:192.168.40.9/61949 dst outside:192.168.80.20/32817 by access-group "inside_access_in" [0x0, 0x0]

Teardown TCP connection 97168222 for inside:192.168.40.9/61948 to outside:192.168.80.20/28888 duration 0:00:00 bytes 188 TCP Reset-O

Built inbound TCP connection 97168222 for inside:192.168.40.9/61948 (192.168.40.9/61948) to outside:192.168.80.20/28888 (192.168.80.20/28

Here we see that the ASA establishes a connection to the outside interface destination IP 192.168.80.20 on port 28888 (server).

Then the connection is torn down. Is it breaking in the direction from inside to outside, as per the teardown log?

Also, I need to know on what port the traffic is coming from the server to the ASA.

Thanks

Mahesh



6 Replies

Julio Carvajal, VIP Alumni

Hello Mahesh,

You do not need an ACL on the outside for the returning traffic as the stateful table will make it happen for you.

Now the drop seems to be due to a reset coming in on the outside interface, so you might need to work with captures to determine who is sending the reset.

Teardown TCP connection 97168222 for inside:192.168.40.9/61948 to outside:192.168.80.20/28888 duration 0:00:00 bytes 188 TCP Reset-O

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I know it will remember the return traffic.

But here, in this case, the return traffic has to come back on that specific port.

Also, I see a byte count of 188, so this shows that some data is being sent.

When I see Deny tcp src inside:192.168.40.9/61949 dst outside:192.168.80.20/32817,

does this mean that return traffic from the server is coming on port 32817 on the outside interface?

Thanks

Mahesh

Hi Julio,

Here are the logs now that the connection is working.

The issue was with the server end.

Working logs:

93  Built inbound TCP connection 97880534 for inside:192.168.40.9/49385 (192.168.40.9/49385) to outside:192.168.80.20/28888 (192.168.80.20/28888)

94  Teardown TCP connection 97880534 for inside:192.168.40.9/49385 to outside:192.168.80.20/28888 duration 0:00:00 bytes 188 TCP Reset-O

95  Built inbound TCP connection 97880636 for inside:192.168.40.9/49386 (192.168.40.9/49386) to outside:192.168.80.20/1140 (192.168.80.20/1140)

96 Teardown TCP connection 97880636 for inside:192.168.40.9/49386 to outside:192.168.80.20/1140 duration 0:07:28 bytes 163367 TCP Reset-O

I need to understand the logs above; can you explain them?

Note -- Port 28888 is the connection from the ASA to the server.

Port 1140 is the return traffic coming from the server to the ASA.

When it was not working, there was no traffic coming on port 1140 from the server to the ASA.

My understanding is that the first two lines show that the connection was established to the server on port 28888.

To allow the return traffic to come on port 1140, it then tears down the connection on port 28888 and establishes a new connection on port 1140.

The last line shows that once the return traffic came back on port 1140, the connection to the server was closed from the PC behind the inside interface?

Thanks

Mahesh

Hello,

The logs are not showing any inbound connection; both of them make reference to connections initiated from the client side.

93  Built inbound TCP connection 97880534 for inside:192.168.40.9/49385 (192.168.40.9/49385) to outside:192.168.80.20/28888 (192.168.80.20/28888)

95  Built inbound TCP connection 97880636 for inside:192.168.40.9/49386 (192.168.40.9/49386) to outside:192.168.80.20/1140 (192.168.80.20/1140)

In order to be from the server to the client, the connection would be established from out to in.

This line means that the connection was closed after 7 minutes and 28 seconds because of a RESET packet that the server originated.

96 Teardown TCP connection 97880636 for inside:192.168.40.9/49386 to outside:192.168.80.20/1140 duration 0:07:28 bytes 163367 TCP Reset-O

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
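To make the points in Julio's two replies concrete (the endpoint listed first after "for" in a Built/Teardown line is the side that sent the SYN, so every connection in these logs was opened from the inside; replies to such a connection ride the connection-table entry and need no outside ACL; "TCP Reset-O" means the RST arrived from the outside side, i.e. the server; and a Deny by inside_access_in is the first packet of a new flow, here to port 32817, that the inside ACL did not permit), here is a small Python script that parses the log lines quoted in this thread and reports those facts per connection. This is an added example, not code from the thread or from Cisco. The entries in INSIDE_ACL are an assumption about the access-list the poster described (client subnet to the server on 28888 and 1140, then the implicit deny), and the LOG_LINES are constructed input copied from the posts above.

```python
"""Reading ASA connection syslogs the way the thread does: which side opened a
flow, why it was torn down, and whether the first packet hit the inside ACL.
Added example, not code from the original post; the log lines below are the
ones quoted in the thread, embedded as constructed input."""
import re
from ipaddress import ip_address, ip_network

# Message bodies as pasted in the thread (the %ASA-6-302013/302014/106023 prefix
# was stripped by the poster).  The endpoint listed first after "for" is the one
# that sent the SYN, so "inside ... to outside" is a client-initiated flow.
BUILT_RE = re.compile(
    r"Built (inbound|outbound) TCP connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \([\d.]+/\d+\) to (\w+):([\d.]+)/(\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) to "
    r"(\w+):([\d.]+)/(\d+) duration (\d+):(\d\d):(\d\d) bytes (\d+) (.+)$")
DENY_RE = re.compile(
    r'Deny tcp src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) '
    r'by access-group "([^"]+)"')

# Teardown reasons as the ASA prints them; Reset-I/Reset-O name the side the RST came from.
REASONS = {
    "TCP FINs": "normal close, both sides sent FIN",
    "TCP Reset-I": "RST came from the inside host",
    "TCP Reset-O": "RST came from the outside host (the server in this thread)",
    "SYN Timeout": "three-way handshake never completed",
    "Conn-timeout": "idle timeout expired",
}

# Assumed shape of inside_access_in: client subnet to the server on the two ports the
# thread names, then the ASA's implicit deny.  Only the first packet of a flow is
# checked here; replies match the connection-table entry and need no outside ACL.
INSIDE_ACL = [
    ("permit", ip_network("192.168.40.0/24"), ip_address("192.168.80.20"), 28888),
    ("permit", ip_network("192.168.40.0/24"), ip_address("192.168.80.20"), 1140),
    ("deny", ip_network("0.0.0.0/0"), None, None),
]


def acl_action(acl, src_ip, dst_ip, dst_port):
    """First-match evaluation of a (action, src_net, dst_host, dst_port) list."""
    for action, src_net, dst_host, port in acl:
        if (ip_address(src_ip) in src_net
                and (dst_host is None or dst_host == ip_address(dst_ip))
                and (port is None or port == dst_port)):
            return action
    return "deny"


def parse_line(line):
    """Return a dict for a Built/Teardown/Deny line, or None for anything else."""
    line = re.sub(r"^\d+\s+", "", line.strip())  # drop the forum's leading row number
    if m := BUILT_RE.search(line):
        kw, cid, sif, sip, sport, dif, dip, dport = m.groups()
        return {"event": "built", "id": int(cid), "keyword": kw,
                "src": (sif, sip, int(sport)), "dst": (dif, dip, int(dport))}
    if m := TEARDOWN_RE.search(line):
        cid, sif, sip, sport, dif, dip, dport, h, mi, s, nbytes, reason = m.groups()
        return {"event": "teardown", "id": int(cid),
                "src": (sif, sip, int(sport)), "dst": (dif, dip, int(dport)),
                "seconds": int(h) * 3600 + int(mi) * 60 + int(s),
                "bytes": int(nbytes), "reason": reason}
    if m := DENY_RE.search(line):
        sif, sip, sport, dif, dip, dport, acl = m.groups()
        return {"event": "deny", "src": (sif, sip, int(sport)),
                "dst": (dif, dip, int(dport)), "acl": acl}
    return None


def analyze(lines):
    """Pair Built/Teardown by connection id; return (connections, denies)."""
    conns, denies = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = ev["src"], ev["dst"]
        # Only a flow opened from the inside is checked against the inside ACL;
        # a flow opened from the outside would be matched by the state table.
        verdict = acl_action(INSIDE_ACL, src[1], dst[1], dst[2]) if src[0] == "inside" else "state-table"
        if ev["event"] == "deny":
            denies.append({**ev, "acl_verdict": verdict})
            continue
        c = conns.setdefault(ev["id"], {"id": ev["id"], "src": src, "dst": dst,
                                        "initiator": src[0], "acl_verdict": verdict})
        if ev["event"] == "teardown":
            c.update(seconds=ev["seconds"], bytes=ev["bytes"], reason=ev["reason"],
                     reason_text=REASONS.get(ev["reason"], "unlisted reason"))
    return list(conns.values()), denies


LOG_LINES = [  # constructed from the lines quoted in the thread
    'Deny tcp src inside:192.168.40.9/61949 dst outside:192.168.80.20/32817 '
    'by access-group "inside_access_in" [0x0, 0x0]',
    "93  Built inbound TCP connection 97880534 for inside:192.168.40.9/49385 "
    "(192.168.40.9/49385) to outside:192.168.80.20/28888 (192.168.80.20/28888)",
    "94  Teardown TCP connection 97880534 for inside:192.168.40.9/49385 "
    "to outside:192.168.80.20/28888 duration 0:00:00 bytes 188 TCP Reset-O",
    "95  Built inbound TCP connection 97880636 for inside:192.168.40.9/49386 "
    "(192.168.40.9/49386) to outside:192.168.80.20/1140 (192.168.80.20/1140)",
    "96 Teardown TCP connection 97880636 for inside:192.168.40.9/49386 "
    "to outside:192.168.80.20/1140 duration 0:07:28 bytes 163367 TCP Reset-O",
]

if __name__ == "__main__":
    conns, denies = analyze(LOG_LINES)
    for c in conns:
        print(f"conn {c['id']}: opened from {c['initiator']}, {c['src'][1]}:{c['src'][2]} -> "
              f"{c['dst'][1]}:{c['dst'][2]}, inside ACL {c['acl_verdict']}, "
              f"{c.get('seconds')} s, {c.get('bytes')} bytes, {c.get('reason_text')}")
    for d in denies:
        print(f"deny: first packet to port {d['dst'][2]} by {d['acl']} "
              f"(model says {d['acl_verdict']})")
```

Run as a script it prints one line per connection (both opened from inside, both permitted by the modelled inside ACL, the second lasting 448 seconds and carrying 163367 bytes before the server's RST) and one line for the Deny, where the model agrees that port 32817 is not in the list. The point the thread reaches is visible in that output: neither 1140 nor 32817 is "return traffic"; each is a fresh inside-to-outside flow whose first packet is subject to inside_access_in.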

Hello Mahesh,

"When I see Deny tcp src inside:192.168.40.9/61949 dst outside:192.168.80.20/32817,

does this mean that return traffic from the server is coming on port 32817 on the outside interface?"

It means that the access-list on the inside is not permitting traffic to port 32817.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks again.

Mahesh
