07-26-2013 12:39 PM - edited 03-11-2019 07:17 PM
Hi Everyone,
I am trying an HTTPS connection between the server and the ASA.
%ASA-6-302014: Teardown TCP connection 977425972 for inside :192.168.50.220/52438 to identity:192.168.51.1/443 duration 0:00:00 bytes 0 TCP Reset by appliance
%ASA-6-302013: Built inbound TCP connection 977425972 for inside :192.168.50.220/52438 (192.168.50.220/52438) to identity:192.168.51.1/443 (192.168.51.1/443).
These are logs from ASA
where 192.168.50.220 is server IP
192.168.51.1 is ASA IP
Need to know if issue is at ASA or server side?
Regards
MAhesh
07-26-2013 12:47 PM
Hi,
At least the message tells us that the ASA resets the TCP connection.
Have you seen any other logs in addition to these?
Some sources suggest that there is a mismatch between the encryption the client's browser and the ASA support.
Here is a document about ASDM troubleshooting
https://supportforums.cisco.com/docs/DOC-15016
You can use the command
show run all ssl
to view what is configured on the ASA side.
- Jouni
07-26-2013 12:53 PM
Hi Jouni,
These are the only logs which I see again and again when I try the HTTPS connection.
It's between the Cisco CSM server and the ASA.
Other thing is that https connection works fine between PC and Server which goes via same ASA.
Regards
Mahesh
07-26-2013 12:56 PM
Hi Jouni,
sh run all ssl shows
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Thanks
MAhesh
07-26-2013 01:33 PM
Hi,
I have never used CSM so I don't know much about how it works with the ASA.
I would imagine that there is perhaps some configuration related problem between the CSM and the ASA.
Are you getting any error messages on the CSM to hint what the problem might be?
Have you allowed the CSM source address with the command
http
I think that is required at least.
- Jouni
07-26-2013 03:32 PM
Hi Jouni,
How CSM works is that we add the ASA into CSM, so then CSM tries to connect to the ASA via HTTPS.
I have already configured http server ip mask int on the ASA.
These are the messages I get on CSM when I try to add the ASA via HTTPS.
I get error https
Connectivity Test Failed. Time Elapsed: 127 seconds.
Unable to Communicate With Device
No response to connection attempt to this device
Please verify the following and then retry this operation.
(1) The device "IP address", Communication Protocol Mode and Port are correct.
(2) There is network connectivity between the CS Manager server and the device.
(3) The device is configured to accept http/https connections. To Discover IPS policies from IOS or IPS devices the http/https connections should be enabled otherwise IPS policy discovery should be disabled.
(4) The device is running.
Regards
MAhesh
07-29-2013 08:05 AM
Hi Jouni,
Will packet capture help to identify why ASA is resetting the connection?
Regards
MAhesh
07-29-2013 08:15 AM
Hi,
I would imagine that you might need to debug the HTTP connection and possibly the AAA.
Again I have to say that I have never setup or used CSM so I have no knowledge of it and can only guess.
I would imagine that the CSM uses some username/password to log into the ASA? If so, have you confirmed that there are no typing errors in the username/password?
Naturally you can also capture the traffic on the ASA and on the server and see if that gives any hint of the problem.
- Jouni
07-29-2013 11:15 AM
Hi Jouni,
The issue is fixed. From the CSM server I need to add the IP of the ASA interface where the server connects, but I was actually adding the IP of the ASA hostname.
Best regards
MAhesh
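Added example (not part of the original thread, and not Cisco code): a small parser for the `%ASA-6-302014` teardown message quoted in the question. It picks out connections addressed to the ASA itself (`identity`) that the appliance reset with zero bytes transferred, grouped by source and destination so repeated attempts stand out. The second session in the sample is constructed for contrast, and the regular expression covers only the message layout shown on this page.

```python
import re
from collections import Counter

# Constructed sample: the two lines from the question plus one made-up
# healthy session (connection 977425999) for contrast.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 977425972 for inside :192.168.50.220/52438 (192.168.50.220/52438) to identity:192.168.51.1/443 (192.168.51.1/443).
%ASA-6-302014: Teardown TCP connection 977425972 for inside :192.168.50.220/52438 to identity:192.168.51.1/443 duration 0:00:00 bytes 0 TCP Reset by appliance
%ASA-6-302014: Teardown TCP connection 977425999 for inside:192.168.50.10/40000 to identity:192.168.50.1/443 duration 0:00:12 bytes 48211 TCP FINs
"""

# interface:ip/port, tolerating the stray space seen in the quoted log and an
# optional parenthesised suffix after the port.
ENDPOINT = r"(\S+?)\s*:\s*([\d.]+)/(\d+)(?:\s*\([^)]*\))?"
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for " + ENDPOINT
    + r" to " + ENDPOINT
    + r" duration (\d+):(\d\d):(\d\d) bytes (\d+)\s*(.*)$"
)


def parse_teardown(line):
    """Return a dict for a 302014 line, or None for anything else."""
    m = TEARDOWN.search(line.strip())
    if not m:
        return None
    (conn, s_if, s_ip, _s_port, d_if, d_ip, d_port,
     hh, mm, ss, nbytes, reason) = m.groups()
    return {
        "conn": int(conn), "src_if": s_if, "src_ip": s_ip,
        "dst_if": d_if, "dst_ip": d_ip, "dst_port": int(d_port),
        "seconds": int(hh) * 3600 + int(mm) * 60 + int(ss),
        "bytes": int(nbytes), "reason": reason.strip(),
    }


def reset_management_attempts(log_text):
    """Count to-the-box sessions the ASA reset before any data was exchanged."""
    hits = Counter()
    for line in log_text.splitlines():
        t = parse_teardown(line)
        if (t and t["dst_if"] == "identity" and t["bytes"] == 0
                and "Reset by appliance" in t["reason"]):
            hits[(t["src_if"], t["src_ip"], t["dst_ip"], t["dst_port"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src_if, src, dst, port), n in reset_management_attempts(SAMPLE_LOG).items():
        print(f"{n}x {src} via {src_if} -> ASA address {dst}:{port} reset, 0 bytes")
```

The destination address in each hit is the one to compare with the address of the ASA interface the client actually connects through, which is what resolved this thread.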