01-16-2014 02:35 PM - edited 03-11-2019 08:31 PM
Hi everyone,
Hope you can help me with this issue. I'm having problems when connecting to a web service on a device. My ASA has 3 active interfaces: one for the headquarters inside network (inside), one for the ISP connection (outside) and one for the remote sites that connect through an MPLS (WAN). I'm trying to establish a connection to a web service on a printer from my headquarters to a remote office (from inside to WAN), but I'm having random error messages on the ASA's monitor.
If I try to connect from my laptop I get these messages.
This is the connection from the inside to the WAN interface.
This one shows that the connection has been established. No problems so far.
But when I try to connect from another PC I receive these messages.
These are the messages from inside to WAN.
This image shows that the connection has been reset, so no connection has been established between the devices. What does Reset-O mean? Sometimes I do not receive the TCP Reset-O message; sometimes we get the TCP Reset-I message.
You can see the TCP Reset-I message on the first row.
Not so sure what is going on. Some computers are able to access the web service, others don't. I also did some testing and used my IP address (that works fine) on the other PC, but the problem persists, even with my IP address. Antivirus, Windows firewall, antimalware, all are shut down.
All computers in the remote office can locally access the service with no problem. However, they have problems accessing some services at the headquarters.
I have ACLs on both the inside and WAN interfaces that allow communication between them. Using the Packet Tracer tool on the ASDM I can see that the packets are allowed on every port number, because I'm allowing all traffic with no exception.
Can anyone help me with this?
Best Regards
Alvaro Rugama Cerda
01-16-2014 05:54 PM
Hello Alvaro,
Reset-O means that the outside host sent a reset.
Reset-I means the inside host did it.
I also see a graceful closure of the session via TCP Fins.
My recommendation would be to focus on a single connection while taking captures (captures don't lie, man):
cap capin interface inside match ip host x.x.x.x (Inside PC) host x.x.x.x (Printer IP)
cap capout interface outside match ip host x.x.x.x (Inside PC on the outside world, check for any NAT) host x.x.x.x (Printer IP)
cap asp type asp-drop all circular-buffer
Then try to connect (only once) and provide:
show cap capin
show cap capout
show cap asp | include x.x.x.x (printer ip add)
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-17-2014 07:31 AM
Thank you Julio
Will check this information today. I will update if I find something new.
Best Regards
Alvaro Rugama
01-17-2014 08:52 AM
This is the log that I get from the machine that can't connect to the printer.
-------------------------------------------SHOW CAPIN-----------------------------------------------------------------------------------
23 packets captured
1: 10:44:05.523471 13.133.244.153.8098 > 13.134.236.204.80: S 1331249432:1331249432(0) win 8192
2: 10:44:05.524829 13.134.236.204.80 > 13.133.244.153.8098: S 845218227:845218227(0) ack 1331249433 win 5840
3: 10:44:05.525592 13.133.244.153.8098 > 13.134.236.204.80: . ack 845218228 win 256
4: 10:44:05.579666 13.133.244.153.8098 > 13.134.236.204.80: P 1331249433:1331249781(348) ack 845218228 win 256
5: 10:44:05.581070 13.134.236.204.80 > 13.133.244.153.8098: . ack 1331249781 win 216
6: 10:44:05.582519 13.134.236.204.80 > 13.133.244.153.8098: P 845218228:845218697(469) ack 1331249781 win 216
7: 10:44:05.584472 13.133.244.153.8100 > 13.134.236.204.443: S 1596782860:1596782860(0) win 8192
8: 10:44:05.584854 13.133.244.153.8101 > 13.134.236.204.443: S 1845707848:1845707848(0) win 8192
9: 10:44:05.585693 13.134.236.204.443 > 13.133.244.153.8100: S 2624789608:2624789608(0) ack 1596782861 win 5840
10: 10:44:05.585907 13.134.236.204.443 > 13.133.244.153.8101: S 2149878517:2149878517(0) ack 1845707849 win 5840
11: 10:44:05.586349 13.133.244.153.8100 > 13.134.236.204.443: . ack 2624789609 win 256
12: 10:44:05.586410 13.133.244.153.8101 > 13.134.236.204.443: . ack 2149878518 win 256
13: 10:44:05.586593 13.133.244.153.8100 > 13.134.236.204.443: P 1596782861:1596783051(190) ack 2624789609 win 256
14: 10:44:05.586685 13.133.244.153.8101 > 13.134.236.204.443: P 1845707849:1845708039(190) ack 2149878518 win 256
15: 10:44:05.587860 13.134.236.204.443 > 13.133.244.153.8100: . ack 1596783051 win 216
16: 10:44:05.587890 13.134.236.204.443 > 13.133.244.153.8101: . ack 1845708039 win 216
17: 10:44:05.738670 13.134.236.204.443 > 13.133.244.153.8101: P 2149879978:2149880670(692) ack 1845708039 win 216
18: 10:44:05.739448 13.134.236.204.443 > 13.133.244.153.8100: P 2624791069:2624791761(692) ack 1596783051 win 216
19: 10:44:05.739555 13.134.236.204.443 > 13.133.244.153.8101: . 2149879954:2149879978(24) ack 1845708039 win 216
20: 10:44:05.740058 13.133.244.153.8101 > 13.134.236.204.443: . ack 2149878518 win 256
21: 10:44:05.740608 13.133.244.153.8100 > 13.134.236.204.443: . ack 2624789609 win 256
22: 10:44:05.740653 13.133.244.153.8101 > 13.134.236.204.443: . ack 2149878518 win 256
23: 10:44:05.779073 13.133.244.153.8098 > 13.134.236.204.80: . ack 845218697 win 254
23 packets shown
-------------------------------------------SHOW CAPWAN-----------------------------------------------------------------------------------
37 packets captured
1: 10:44:05.523624 13.133.244.153.8098 > 13.134.236.204.80: S 1557652677:1557652677(0) win 8192
2: 10:44:05.524798 13.134.236.204.80 > 13.133.244.153.8098: S 3637013201:3637013201(0) ack 1557652678 win 5840
3: 10:44:05.525622 13.133.244.153.8098 > 13.134.236.204.80: . ack 3637013202 win 256
4: 10:44:05.579697 13.133.244.153.8098 > 13.134.236.204.80: P 1557652678:1557653026(348) ack 3637013202 win 256
5: 10:44:05.581039 13.134.236.204.80 > 13.133.244.153.8098: . ack 1557653026 win 216
6: 10:44:05.582489 13.134.236.204.80 > 13.133.244.153.8098: P 3637013202:3637013671(469) ack 1557653026 win 216
7: 10:44:05.584610 13.133.244.153.8100 > 13.134.236.204.443: S 2026842964:2026842964(0) win 8192
8: 10:44:05.584976 13.133.244.153.8101 > 13.134.236.204.443: S 3107277390:3107277390(0) win 8192
9: 10:44:05.585663 13.134.236.204.443 > 13.133.244.153.8100: S 2606863239:2606863239(0) ack 2026842965 win 5840
10: 10:44:05.585876 13.134.236.204.443 > 13.133.244.153.8101: S 257816110:257816110(0) ack 3107277391 win 5840
11: 10:44:05.586380 13.133.244.153.8100 > 13.134.236.204.443: . ack 2606863240 win 256
12: 10:44:05.586425 13.133.244.153.8101 > 13.134.236.204.443: . ack 257816111 win 256
13: 10:44:05.586609 13.133.244.153.8100 > 13.134.236.204.443: P 2026842965:2026843155(190) ack 2606863240 win 256
14: 10:44:05.586700 13.133.244.153.8101 > 13.134.236.204.443: P 3107277391:3107277581(190) ack 257816111 win 256
15: 10:44:05.587829 13.134.236.204.443 > 13.133.244.153.8100: . ack 2026843155 win 216
16: 10:44:05.587875 13.134.236.204.443 > 13.133.244.153.8101: . ack 3107277581 win 216
17: 10:44:05.738639 13.134.236.204.443 > 13.133.244.153.8101: P 257817571:257818263(692) ack 3107277581 win 216
18: 10:44:05.739433 13.134.236.204.443 > 13.133.244.153.8100: P 2606864700:2606865392(692) ack 2026843155 win 216
19: 10:44:05.739540 13.134.236.204.443 > 13.133.244.153.8101: . 257817547:257817571(24) ack 3107277581 win 216
20: 10:44:05.740119 13.133.244.153.8101 > 13.134.236.204.443: . ack 257816111 win 256
21: 10:44:05.740638 13.133.244.153.8100 > 13.134.236.204.443: . ack 2606863240 win 256
22: 10:44:05.740669 13.133.244.153.8101 > 13.134.236.204.443: . ack 257816111 win 256
23: 10:44:05.779103 13.133.244.153.8098 > 13.134.236.204.80: . ack 3637013671 win 254
24: 10:44:15.592376 13.134.236.204.80 > 13.133.244.153.8098: F 3637013671:3637013671(0) ack 1557653026 win 216
25: 10:44:15.593627 13.133.244.153.8098 > 13.134.236.204.80: . ack 3637013672 win 254
26: 10:44:25.584930 13.133.244.153.8098 > 13.134.236.204.80: F 1557653026:1557653026(0) ack 3637013672 win 254
27: 10:44:25.585998 13.134.236.204.80 > 13.133.244.153.8098: . ack 1557653027 win 216
28: 10:44:35.588821 13.133.244.153.8100 > 13.134.236.204.443: F 2026843155:2026843155(0) ack 2606863240 win 256
29: 10:44:35.588989 13.133.244.153.8101 > 13.134.236.204.443: F 3107277581:3107277581(0) ack 257816111 win 256
30: 10:44:35.590164 13.134.236.204.443 > 13.133.244.153.8101: F 257818263:257818263(0) ack 3107277582 win 216
31: 10:44:35.590713 13.134.236.204.443 > 13.133.244.153.8100: F 2606865392:2606865392(0) ack 2026843156 win 216
32: 10:44:35.591659 13.133.244.153.8101 > 13.134.236.204.443: . ack 257816111 win 256
33: 10:44:35.591689 13.133.244.153.8100 > 13.134.236.204.443: . ack 2606863240 win 256
34: 10:45:20.588317 13.133.244.153.8100 > 13.134.236.204.443: . 2026843155:2026843156(1) ack 2606863240 win 256
35: 10:45:20.589462 13.134.236.204.443 > 13.133.244.153.8100: . ack 2026843156 win 216
36: 10:45:20.596969 13.133.244.153.8101 > 13.134.236.204.443: . 3107277581:3107277582(1) ack 257816111 win 256
37: 10:45:20.597884 13.134.236.204.443 > 13.133.244.153.8101: . ack 3107277582 win 216
37 packets shown
-------------------------------------------SHOW CAPASP-----------------------------------------------------------------------------------
With this command there is no result with the printer's IP.
Best Regards
01-17-2014 09:11 AM
Hello Alvaro,
On the outside capture:
Starting at packet 24 we can see how the printer starts the TCP graceful closure with the FIN packet. Packet 26 shows that the client agreed to the closure of the session and sends the FIN packet to close it.
Having 0 packets on the ASP capture means the ASA is not dropping the connection (the ASP capture will show all of the packets being dropped by the ASA).
Any other question?
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-17-2014 09:38 AM
Thank you again Julio for your support.
I'm just wondering what could be dropping that connection, because some computers can access the web, others (on the same network) can't.
I'm guessing that some device at the MPLS provider is dropping them, because this example is just with one printer, but in reality those computers cannot access any of my remote printers, and the printers cannot access one service that we are running here.
Thank you very much.
Best Regards.
Alvaro Rugama
01-17-2014 09:40 AM
Hello Alvaro,
You should start taking captures close to the printer to see if it's really the printer the one that closes it or not.
Hey remember to rate all of the helpful posts, let me know if you do not know how
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-20-2014 07:13 AM
Just for information about what my problem was.
Apparently the printer that we had in the remote office had the MTU configured at 1300; that's why we couldn't load the web page.
Thank you for the information that you provided me.
Best Regards
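Added example, not part of the original thread: a small Python parser for the ASA "show capture" lines posted above that reports bytes a sender transmitted beyond the receiver's highest ACK but that never appear in the capture. The sample lines are copied from the SHOW CAPIN output in this thread; the function name find_holes and the no-wraparound simplification are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the SHOW CAPIN output in this thread:
# packets 6 and 23 (port 80 flow) and 12, 17, 19, 20 (port 443 flow to 8101).
CAPIN = """\
   6: 10:44:05.582519 13.134.236.204.80 > 13.133.244.153.8098: P 845218228:845218697(469) ack 1331249781 win 216
  12: 10:44:05.586410 13.133.244.153.8101 > 13.134.236.204.443: . ack 2149878518 win 256
  17: 10:44:05.738670 13.134.236.204.443 > 13.133.244.153.8101: P 2149879978:2149880670(692) ack 1845708039 win 216
  19: 10:44:05.739555 13.134.236.204.443 > 13.133.244.153.8101: . 2149879954:2149879978(24) ack 1845708039 win 216
  20: 10:44:05.740058 13.133.244.153.8101 > 13.134.236.204.443: . ack 2149878518 win 256
  23: 10:44:05.779073 13.133.244.153.8098 > 13.134.236.204.80: . ack 845218697 win 254
"""

# index, timestamp, src.port > dst.port: flags [seq_start:seq_end(len)] [ack N]
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+([\d.]+)\s+>\s+([\d.]+):\s+(\S+)"
    r"(?:\s+(\d+):(\d+)\(\d+\))?(?:\s+ack\s+(\d+))?")

def find_holes(capture_text):
    """Return [(sender, receiver, first_missing_seq, missing_bytes)].

    A hole is a byte range above the receiver's highest ACK that no captured
    segment covers. Assumes no sequence-number wraparound in the capture.
    """
    data = defaultdict(list)  # (sender, receiver) -> [(seq_start, seq_end)]
    acked = {}                # (sender, receiver) -> highest ACK from receiver
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, _flags, start, end, ack = m.groups()
        if start and int(end) > int(start):        # segment carries payload
            data[(src, dst)].append((int(start), int(end)))
        if ack:                                    # src acknowledges dst's data
            acked[(dst, src)] = max(acked.get((dst, src), 0), int(ack))
    holes = []
    for flow, segments in data.items():
        cursor = acked.get(flow)
        if cursor is None:                         # receiver never ACKed; skip
            continue
        for start, end in sorted(segments):
            if start > cursor:                     # uncovered bytes before this segment
                holes.append((*flow, cursor, start - cursor))
            cursor = max(cursor, end)
    return holes

if __name__ == "__main__":
    for sender, receiver, seq, size in find_holes(CAPIN):
        print(f"{sender} -> {receiver}: {size} bytes missing from seq {seq}")
```

On the posted lines this reports 1436 missing bytes on the 443 flow to port 8101: the 24-byte and 692-byte segments arrive while the client keeps acknowledging 2149878518. A large segment that goes missing while small ones get through is the pattern to check for when an MTU mismatch is suspected.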