03-18-2010 04:32 AM - edited 03-11-2019 10:23 AM
I have a strange issue: I am connected to the internet and can access any website except a few (it does not give "page cannot be displayed" and it does not give anything, it's just waiting all the time for a response). I am sure it's not the website's problem, as I could open the same website from a different location.
So I decided to capture the packets and look at what's wrong while accessing those few websites, and what I could see is a successful TCP handshake followed by my HTTP request, and then the problem starts: TCP out of order, TCP retransmission and TCP previous segment lost.
Anyone aware of this kind of problem?
03-18-2010 12:50 PM
Hi,
Are you able to do a test, for example allowing everybody out through the firewall with a different IP from the same range? Or you can do it for a specific computer also, to see if the behavior persists?
Also, is the ASA connected to a switch on its outside interface? Can you connect a computer to that switch and assign it a public IP from the same range of the ASA and see if the same problem happens?
I just want to see if the problem is IP-related or ASA-related.
Federico.
03-18-2010 01:57 PM
Federico - did you ever solve your issue? I saw a couple threads that you started similar to my issue.... and this one.
My scenario....
Windows machine, connecting to an HTTPS site with either Firefox or IE. Page is rendered with no problems, but downloads from the site fail at ~0-300Kb.
Download is successful when connected directly to the edge router, bypassing the ASA.
Download is successful from other ISPs.
And the weird part - download is successful on a Mac OS X computer running Firefox - behind the ASA.
It seems to be a combination of the ASA and Windows.
Wireshark of the two downloads is remarkably similar - both have TCP out of order, Dup Ack... the only real difference is the failed download has a couple WindowFull/ZeroWindow/WindowUpdate combinations.
03-18-2010 02:05 PM
In my case the problem was IP-related.
We connected a computer to the outside switch with an IP in the same range as the ASA, and we continued to have the same problems (bypassing the ASA).
We found out that the public range was being blocked by several entities on the Internet.
Your issue seems different...
If the Mac download works behind the ASA, I don't see any reason why the ASA would be causing the problem.
Is this problem with a particular HTTPS site only?
Can you post the captures?
Federico.
03-18-2010 02:18 PM