TCP Reset -I, O and ACK while accessing https site

mahesh18
Level 6

Hi All,

I was trying to open some https website from my PC.

When I open it, the browser shows "Internet Explorer cannot open the page".

Here are the logs:

Deny TCP (no connection) from 200.x.x.x/443 to 201.x.x.x/42452 flags ACK on interface outside

Teardown TCP connection 21045292 for outside:200.x.x.x/443 to Net:192.168.50.107/62551 duration 0:00:22 bytes 146 TCP Reset-I

Teardown TCP connection 21045294 for outside:200.x.x.x/443 to Net:192.168.50.107/62552 duration 0:00:00 bytes 58 TCP Reset-O

192.168.50.107 Accessed URL 200.x.x.x:https://200.x.x.x/

Built outbound TCP connection 21045291 for outside:200.x.x.x/443 (200.x.x.x/443) to Net:192.168.50.107/62550 (201.x.x.x/17887)

access-list Net_01 permitted tcp Net/192.168.50.107(62550) -> outside/200.x.x.x(443) hit-cnt 1 first hit [0x880712ea, 0x0]

Where 192.168.50 is the PC IP,

the website IP is 200.x.x.,

and 201.x.x.x is the public IP of the PC.

The log shows TCP resets from both outside and inside.

I need to know whether the issue is with this website or with our ASA.

Thanks,

Mahesh


8 Replies

Luis Silva Benavides
Cisco Employee

Mahesh,

Could you please place a capture on the inside and outside interfaces?

Luis Silva

Hi Luis,

It's on the production network, so I have to get permission for this first.

When you say to take a capture, is this ACL OK for it?

access-list Inside extended permit tcp host 192.168.50.107 host 200.x.x.x eq 443 log
access-list Inside extended permit tcp host 200.x.x.x eq 443 host 192.168.50.107 log
access-group Inside in interface inside

Then for the outside interface I can do this:

access-group Inside in interface outside

Will this ACL work, and is the direction for inside to outside OK?

Is there no other way to tell whether the issue is with the ASA or the remote website?

Thanks,

Mahesh

Hi,

I am actually asking you to use the capture command available on the ASA.

Please refer to this information:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Luis Silva

Hi Luis,

I was unable to use the ASDM; it was not capturing anything.

Anyway, I tried to open the same site from my home network and I was unable to open it.

So this shows the issue is with the website, as I have now tried from my home network.

I did a packet capture from the CLI on my home ASA.

I attached the file under the original post.

Let me know what you find in the packet capture.

PC IP 192.168.52.5

Outside interface of ASA 192.168.11.2

Website 200.x.x.x/443

Thanks

Mahesh,

Based on the inside capture you provided, I noticed that most of the time the remote server is resetting the connection; you can see an example below:

325: 18:43:59.078334 802.1Q vlan#1 P0 200.x.x.x.443 > 192.168.52.5.3278: R 3245272791:3245272791(0) ack 4261117805 win 9818

The fact that you are also unable to access the site from home confirms that the issue shouldn't be related to the ASA.

Thanks,

Luis Silva

Hi Luis,

When you say the remote server is resetting the connection, what do you look at in the above line that shows it is a reset?

Does the R show that it is a Reset?

Also, does 200.x.x.x > 192.168.52.5 show that it is the remote server that is resetting the connection?

Thanks

Mahesh

Hi,

Yes, the R is for Reset, so when you read the capture you can notice that the first IP address is the one that generates the RST (reset) packet and the second IP address is where the packet is going, in your case the internal IP address.

When I say the remote server, I mean the web site.

Luis Silva
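To make the reading rule above mechanical, here is an added Python example (not part of the thread or of any Cisco tool) that parses the two kinds of lines posted in it: ASA Teardown syslog lines, whose Reset-I / Reset-O reason tells which side of the firewall the RST came from, and capture lines, where the address before ">" is the host that sent the packet and an R in the flags field marks a reset. The sample lines are constructed in the same format as the ones quoted above; only the fields actually present in those lines are parsed.

```python
import re
from collections import Counter

# Constructed samples in the format of the ASA syslog and capture lines quoted above.
SAMPLE_LINES = [
    "Teardown TCP connection 21045292 for outside:200.x.x.x/443 to "
    "Net:192.168.50.107/62551 duration 0:00:22 bytes 146 TCP Reset-I",
    "Teardown TCP connection 21045294 for outside:200.x.x.x/443 to "
    "Net:192.168.50.107/62552 duration 0:00:00 bytes 58 TCP Reset-O",
    "325: 18:43:59.078334 802.1Q vlan#1 P0 200.x.x.x.443 > "
    "192.168.52.5.3278: R 3245272791:3245272791(0) ack 4261117805 win 9818",
    "326: 18:43:59.090000 802.1Q vlan#1 P0 192.168.52.5.3279 > "
    "200.x.x.x.443: S 1000:1000(0) win 8192",
]
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for (\w+):(\S+)/(\d+) to "
                         r"(\w+):(\S+)/(\d+) duration \S+ bytes \d+ (.+)$")
# tcpdump-style line: the address before ">" is the sender of the packet.
CAPTURE_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): ([A-Z.]+)")
# ASA teardown reason -> which side of the firewall the RST came from.
RESET_SIDE = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}

def parse_teardown(line):
    """Parse an ASA teardown syslog line; None if the line is not one."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    return {"conn": int(m.group(1)), "peer": f"{m.group(2)}:{m.group(3)}/{m.group(4)}",
            "reason": m.group(8), "rst_from": RESET_SIDE.get(m.group(8))}

def parse_capture(line):
    """Parse a capture line; an 'R' in the flags field marks a reset."""
    m = CAPTURE_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "sport": int(m.group(2)), "dst": m.group(3),
            "dport": int(m.group(4)), "flags": m.group(5), "is_rst": "R" in m.group(5)}

def rst_senders(lines):
    """Count who sent resets: teardown lines by ASA side, capture lines by source host."""
    counts = Counter()
    for line in lines:
        t = parse_teardown(line)
        if t and t["rst_from"]:
            counts["teardown:" + t["rst_from"]] += 1
            continue
        c = parse_capture(line)
        if c and c["is_rst"]:
            counts["capture:" + c["src"]] += 1
    return counts
```

Run over a real capture and syslog export, a count dominated by the remote server's address (or by Reset-O) points at the far end rather than the ASA, which is the conclusion reached in this thread.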

Hi Luis,

Many thanks for all the help

Mahesh
