09-14-2007 02:19 AM - edited 03-11-2019 04:11 AM
Hi,
I am running software version 7.2(2) on an ASA5510.
I have configured the appliance in transparent mode to filter traffic from the wireless LAN (connected to the outside)
to the wired LAN (connected to the inside). In this first test phase I configured my ASA5510 to permit all IP
traffic between the wireless LAN and the wired LAN:
access-list IN extended permit ip any any
access-list OUT extended permit ip any any
access-group OUT in interface outside
access-group IN in interface inside
My wireless terminals use a private protocol, called 9010t, to communicate with the application server. This protocol
opens a TCP session to the application server using a packet with the SYN flag set and a window size equal to zero.
This first TCP packet is discarded by the ASA5510, in my opinion because the ASA5510 recognises it as a malformed packet,
so the wireless terminals can't connect to the application server.
Is it possible to configure the ASA5510 to permit this first TCP packet to cross the ASA5510 itself, allowing the wireless
terminals to connect to the application server?
Thanks in advance for your help.
Andrea
09-14-2007 08:21 AM
Which TCP port numbers does your private protocol, 9010t, use?
09-16-2007 11:00 PM
Hi,
the application server for the 9010t protocol (created by Teklogix) is listening on TCP port 9999.
Thank you for your help!
09-17-2007 01:11 AM
Try to identify the root cause of your problem.
Do you have any messages on the ASA/PIX?
Try enabling logging.
# for telnet/ssh
conf t
logg on
logg mon 7
term mon
# for console
conf t
logg on
logg con 7
Do you have "nat-control" or "no nat-control"?
09-18-2007 03:50 AM
Hi,
during the test phase I enabled both logging and packet capture. In particular, the capture shows:
ASA-SMICHELE# sh capture
capture ASP-DROP type asp-drop all [Capturing - 190100 bytes]
capture ACL-OUT type raw-data access-list TEST interface outside [Capturing - 4048 bytes]
capture ACL-IN type raw-data access-list TEST interface inside [Capturing - 583 bytes]
ASA-SMICHELE#
ASA-SMICHELE# sh capture ACL-IN
4 packets captured
1: 06:25:19.211933 172.16.58.15.137 > 172.16.255.255.137: udp 50
2: 06:25:19.962016 172.16.58.15.137 > 172.16.255.255.137: udp 50
3: 06:25:20.712029 172.16.58.15.137 > 172.16.255.255.137: udp 50
4: 06:31:38.388575 172.16.58.15.138 > 172.16.255.255.138: udp 201
4 packets shown
ASA-SMICHELE#
ASA-SMICHELE# sh capture ACL-OUT
49 packets captured
1: 06:23:32.410928 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
2: 06:23:39.080135 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
3: 06:23:49.760580 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
4: 06:24:01.766241 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
5: 06:24:07.829531 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
6: 06:25:19.212055 172.16.58.15.137 > 172.16.255.255.137: udp 50
7: 06:25:19.962032 172.16.58.15.137 > 172.16.255.255.137: udp 50
8: 06:25:20.712045 172.16.58.15.137 > 172.16.255.255.137: udp 50
9: 06:27:16.093501 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
10: 06:27:21.658886 172.16.58.80.3083 > 172.16.58.15.9999: P 160698610:160698617(7) ack 806354767 win 4096
.............
.............
where 172.16.58.80 is the IP address of one of the wireless terminals and 172.16.58.15 is the application server IP address.
As you can see from the output of the capture, there's no evidence of the first TCP packet with the SYN flag set
from the wireless terminal to the application server. Anyway, I'm sure that this TCP packet leaves the
wireless terminal towards the application server because I can see it in a Wireshark session on my PC
(plugged into a hub on the Ethernet segment of the wireless LAN).
The only TCP packets the capture shows me are the attempts the wireless client makes to download the server
pages (packets 172.16.58.80.xxxx > 172.16.58.15.9999 with the ACK flag set).
Thank you
09-18-2007 04:07 AM
andreafbr,
Could you answer my questions?
Also, what do you have in the connection table?
"sh conn protocol tcp long"
09-19-2007 12:21 AM
a.alekseev,
I'm sorry, but I can't do a new test until next Monday. I have planned the new test for Monday morning.
Is there anything else you would like me to test?
Thank you very much !
Andrea
10-05-2007 08:38 AM
Hi,
I'm sorry for answering your e-mail only now. The ASA5510 is running version 7.2(2) in transparent mode,
and nat-control is not supported. I enabled:
logging on
logging console 7
logging monitor 7
and this is the logging output:
%ASA-6-302016: Teardown UDP connection 167 for outside:172.16.255.255/138 to inside:172.16.59.80/138 duration 0:02:01 bytes 201
%ASA-7-609002: Teardown local-host inside:172.16.59.80 duration 0:02:01
%ASA-7-609001: Built local-host outside:172.16.58.80
%ASA-7-609001: Built local-host inside:172.16.58.15
%ASA-6-106015: Deny TCP (no connection) from 172.16.58.80/1541 to 172.16.58.15/9999 flags PSH ACK on interface outside
%ASA-7-609002: Teardown local-host outside:172.16.58.80 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:172.16.58.15 duration 0:00:00
%ASA-7-609001: Built local-host inside:172.16.61.111
%ASA-6-302015: Built outbound UDP connection 189 for outside:172.16.255.255/138 (172.16.255.255/138) to inside:172.16.61.111/138 (172.16.61.111/138)
%ASA-7-609001: Built local-host inside:172.16.57.30
%ASA-6-302015: Built outbound UDP connection 190 for outside:172.16.255.255/137 (172.16.255.255/137) to inside:172.16.57.30/137 (172.16.57.30/137)
%ASA-6-302016: Teardown UDP connection 169 for outside:172.16.255.255/138 to inside:172.16.59.119/138 duration 0:02:01 bytes 217
%ASA-7-609002: Teardown local-host inside:172.16.59.119 duration 0:03:40
%ASA-7-609001: Built local-host outside:172.16.58.80
%ASA-7-609001: Built local-host inside:172.16.58.15
%ASA-6-106015: Deny TCP (no connection) from 172.16.58.80/1541 to 172.16.58.15/9999 flags PSH ACK on interface outside
%ASA-7-609002: Teardown local-host outside:172.16.58.80 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:172.16.58.15 duration 0:00:00
%ASA-6-302016: Teardown UDP connection 171 for outside:172.16.255.255/138 to inside:172.16.63.11/138 duration 0:02:01 bytes 201
%ASA-7-609002: Teardown local-host inside:172.16.63.11 duration 0:02:01
%ASA-7-609001: Built local-host outside:172.16.58.80
%ASA-7-609001: Built local-host inside:172.16.58.15
%ASA-6-106015: Deny TCP (no connection) from 172.16.58.80/1541 to 172.16.58.15/9999 flags PSH ACK on interface outside
%ASA-7-609002: Teardown local-host outside:172.16.58.80 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:172.16.58.15 duration 0:00:00
As you can see, there's no evidence of a packet from 172.16.58.80/1541 to 172.16.58.15/9999 with the
SYN flag set.
I also ran the "sh conn protocol tcp long" command:
# sh conn protocol tcp long
17 in use, 28 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
.........
X - inspected by service module
and I see no active connections.
So I decided to swap the interface roles: inside interface linked to the wireless LAN and outside interface linked to the
wired LAN. This change seems to SOLVE my problem, because now the wireless terminals can connect to the application server and
the "sh conn protocol tcp long" command shows:
#sh conn all long
26 in use, 26 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
........
X - inspected by service module
TCP outside:172.16.58.15/9999 (172.16.58.15/9999) inside:172.16.58.80/1284 (172.16.58.80/1284) flags
UIO idle 0:00:00 bytes 1029
.....
Thank you for your help!!
Bye
Andrea
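As an added example, not part of the thread, here is a small Python triage script for the symptom in this post: 106015 "Deny TCP (no connection)" records for a flow that never gets a matching "Built TCP connection" record, which is what the log looks like when the firewall never admitted the handshake. The 302013 message format and the sample Built line for the 172.16.58.80/1284 flow are assumptions made by analogy with the UDP 302015 lines above; the 106015 lines are taken from the post, console-wrapped as posted.

```python
"""Find TCP flows an ASA denies as "no connection" without ever building a connection."""
import re
from collections import defaultdict

# 106015: a TCP segment arrived for which the state table holds no connection.
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\w+)"
)
# 302013: a TCP connection was built, i.e. the firewall accepted a SYN. Format ASSUMED
# by analogy with the 302015 UDP lines in the thread, not taken from the thread itself.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection \d+ for"
    r" \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d./]+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def unwrap(raw):
    """Rejoin console-wrapped records: a line that does not start a new %ASA record is
    the tail of the previous one. The console wrap splits mid-word, so no separator."""
    out = []
    for line in raw.splitlines():
        if line.startswith("%ASA-") or not out:
            out.append(line)
        else:
            out[-1] += line
    return out

def orphan_denies(raw):
    """Return {(src, sport, dst, dport): {"count", "flags", "ifc"}} for flows denied with
    'no connection' that never appear in a Built TCP record anywhere in the log."""
    built = set()
    denies = defaultdict(lambda: {"count": 0, "flags": set(), "ifc": None})
    for line in unwrap(raw):
        if m := BUILT_RE.search(line):
            built.add((m["src"], m["sport"], m["dst"], m["dport"]))
        elif m := DENY_RE.search(line):
            entry = denies[(m["src"], m["sport"], m["dst"], m["dport"])]
            entry["count"] += 1
            entry["flags"].add(m["flags"].strip())
            entry["ifc"] = m["ifc"]
    return {k: v for k, v in denies.items() if k not in built}

# Constructed sample: three 106015 lines from the post (first one console-wrapped), one UDP
# record that must be ignored, and one ASSUMED 302013 for the flow that worked after the swap.
SAMPLE = """%ASA-6-106015: Deny TCP (no connection) from 172.16.58.80/1541 to 172.16.58.15/9999 flags PSH ACK o
n interface outside
%ASA-6-302015: Built outbound UDP connection 189 for outside:172.16.255.255/138 (172.16.255.255/138) to inside:172.16.61.111/138 (172.16.61.111/138)
%ASA-6-106015: Deny TCP (no connection) from 172.16.58.80/1541 to 172.16.58.15/9999 flags PSH ACK on interface outside
%ASA-6-302013: Built inbound TCP connection 201 for inside:172.16.58.80/1284 (172.16.58.80/1284) to outside:172.16.58.15/9999 (172.16.58.15/9999)
%ASA-6-106015: Deny TCP (no connection) from 172.16.58.80/1541 to 172.16.58.15/9999 flags PSH ACK on interface outside
"""

if __name__ == "__main__":
    for flow, info in orphan_denies(SAMPLE).items():
        print("never admitted:", flow, info)
```

A flow reported here with only PSH ACK flags means the mid-stream segments reached the firewall but its SYN never produced a connection, so the next step is capturing on the ingress side (as the poster did with Wireshark) rather than loosening the ACL.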