cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1595
Views
0
Helpful
2
Replies

TCP Reset -I ASA Packet capture output and Mac address info

mahesh18
Level 6
Level 6

 

Hi Everyone,

 

I was troubleshooting the ASA issue where user was getting TCP reset I

I did packet capture on both directions and when i check packet detail it showed vlan info and 2 mac addresses with message FLAG R.

I found that first mac address  and vlan info was of next hop IP address and second mac address was of another firewall which was sending the Reset.

 

Need to confirm with experts here that TCP Reset I always show mac address of next hop and device which send the request?

 

Regards

MAhesh

 

 

1 Accepted Solution

Accepted Solutions

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

So , what you would have seen would be Src/Dest IP address , Src/Dest MAC address.

Now , if the Source VLAN from where the RESET is coming is in the same subnet as the ASA interface on which the traffic is seen , then the SOURCE VLAN device is sending the RESET otherwise if the SOURCE VLAN information is in different Subnet , then the RESET is being relayed by the L3 Hop in between.

If you can post the actual logs or snap , i would be able to relate it in a better way for you.
FYI:- TCP RESET-I will only be seen when the RESET flag is received from the device on the higher Security Interface.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

2 Replies 2

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

So , what you would have seen would be Src/Dest IP address , Src/Dest MAC address.

Now , if the Source VLAN from where the RESET is coming is in the same subnet as the ASA interface on which the traffic is seen , then the SOURCE VLAN device is sending the RESET otherwise if the SOURCE VLAN information is in different Subnet , then the RESET is being relayed by the L3 Hop in between.

If you can post the actual logs or snap , i would be able to relate it in a better way for you.
FYI:- TCP RESET-I will only be seen when the RESET flag is received from the device on the higher Security Interface.

Thanks and Regards,

Vibhor Amrodia

Many thanks

 

MAhesh

Review Cisco Networking for a $25 gift card