That syslogs says that the reset packet certainly came from the higher security interface. It could be the host IP listed in the syslog or some other host (ex. websense server or other content scanning devices) that lives behind the higer security interface.

Only way to verify which mac address sent the reset is by capturing on the ASA for the interesting traffic on the inside interface.

You may find that the reset came from the router on the inside in which case you can go one hop down and collect captures to see where the router may have received the reset packet.

If you have access to the host collect wireshark capture on the host itself and see if it sends a reset.

Refer this link to configure cature on the ASA:

https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0

-KS

Hi guys,

I am really confused about reset-i and reset-o in asa. Please anyone help me out what is exact difference or else share good document to refer.

Thanks 

Hi Vignesh,

Inbound Reset—Shows the interface reset setting for inbound TCP traffic, Yes or No. Enabling this setting causes the ASA to send TCP resets for all inbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on access lists or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the ASA silently discards denied packets.

–Outbound Reset—Shows the interface reset setting for outbound TCP traffic, Yes or No. Enabling this setting causes the ASA to send TCP resets for all outbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on access lists or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the ASA silently discards denied packets.

Check this link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/protect_tools.html

Regards,

Aditya

Please rate helpful posts.

Any new info on this ?

Same sort of issue but one added strangeness (or maybe not).

- (Webapplication-)Server in England

- Connection tested from

* Client Site (ASA 5510, 8.3.1)

* Our own site (ASA 5510, 8.2.2)

* a few home connections

- Tested with

* Windows OS

* Mac OS X

* Linux Ubuntu 10.10

Windows + ASA no problem

Mac OS X + ASA TCP Reset-I, lost connection stuck brower, session not usable anymore

Linux + ASA same as Mac OS X

Windows + Mac behind "$10 dollar router" from home location no problem

Haven't tested linux at home yet but don't think it will differ from Mac OS X when used from home.

I see a slight difference between a linux sessions and a windows session:

The windows sessions opens a few ports straight after eachother and and after the data is received I see teardowns and with the linux sessions it seems less "organized" and connections get a teardown when they still are waiting for data.

I was already yelling it was a Windows/ISS conspiracy ;-) but it happens to be an Apache server at the otherside.....

Would you pls. spin up a new thread? I hope you are not talking about the same ASA as the original poster and the same syslogs.

Pls. post the following:

- syslogs from the ASA

- ingress and egress captures

From the sound of it - you may have to open a TAC case as it might take a lot of time to review captures.

Thanks,

KS

Thx for the reply.

Ok I'll add another discussion. Want to add one thing:

Linux + Opera seems to be working okay. After googling it seems Firefox and Safari handle TCP Reset differently.

Thx for the reply.

Sorry for adding another post but I had to share this.

This link gave me a trigger:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.html

- Made a Policy on the WAN interface

- matching traffic from the website (added traffic to later)

- under rule actions checked TCP state bypass

Now traffic travels straight to the client. For this traffic the default handling of TCP packets of the ASA is interfering.

It seems all is working ok now but haven't tested it on-site yet but at least it's working without denies and sudden teardowns.

Now I'll shut up :-)

TCP RESET-I Connection in ASA 5520

Hi,

There is a problem with asa, when i try to ftp from ASA outside to inside it is given a error  "Teardown TCP connection 3176925 for Outside:172.18.5.117/3060 to inside:192.166.5.109/1526 duration 0:00:00 bytes 0 TCP Reset-I". but we are able to mstsc from outside to in side. and we are also apply access-list permit ip any any. But we are not able to ftp from outside to inside.

Hello,

To all of you guys, packet captures and logs never lie,

The best way to troubleshoot this cases is by taking captures on the ASA's interfaces in place on this communication and checking the logs as much as possible,

Regards

First of all, that seems like a proxy server, second, should the server be able to respond to such address, meaning do you have any restrictions on the server, does the server know how to route to the VPN client