TCP reset on ASA

kamrannaseem1
Level 1

Hi All,

We are getting TCP Reset-I and TCP Reset-O messages in the logs.

We would like to know which end is sending them and where the problem lies.

Any help would be much appreciated.

Please find the attached logs.

[Attachment: TCP Reset.PNG]

Thanks.

2 Replies

Ajay Saini
Level 7

Hello,

The reset-I indicates a reset packet coming from a higher-security interface, and reset-O a reset packet coming from a lower-security interface.

Generally speaking, an RST does not always mean an issue. Sometimes the RST packet is a normal communication mechanism. If you wish to identify the complete TCP stream, it is better to take Wireshark-based captures on both the ingress and egress interfaces of the ASA and follow the TCP stream:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

https://community.cisco.com/t5/security-documents/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889

HTH
AJ

mkazam001
Level 3

There are two common ways that a TCP connection can be torn down: the polite way (FIN) and the reset (RST). Tearing down TCP connections is a good thing as long as the connection is not actively in use, or won't be needed in the very near future. We want each side of the conversation to free up its resources for other connections rather than maintaining idle ones in an active state.

In most cases, we want to see FINs tear down a connection rather than resets. However, there are some examples of normal behavior where a reset is sent rather than a FIN.

If an RST happens abruptly, mid-stream in a TCP connection, this is something to worry about. Likely, the user experienced an application disconnect, or had a problem starting the app in the first place. These can be the result of a load balancer, firewall, or router in the middle that is timing the connection out prematurely, or can be an application problem on the server side. Clients can also generate these on demand by stopping a page from loading manually, depending on the browser used.

If the TCP RST is sent right after the SYN, it could mean the port is not open.

 

Hope that helps.

Azam
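The two replies above give two separate clues: which side the RST came from (the Reset-I / Reset-O naming in the teardown reason of the ASA's 302014 syslog) and where in the connection's life the RST landed (right after the SYN, mid-stream, or after a FIN). The following script, an added example that is not code from this thread or from Cisco, combines both checks over a packet capture. The packet list is a constructed sample standing in for fields you would read out of a pcap exported from the ASA `capture` command with a pcap library; the interface names and security levels are assumed for a plain two-interface inside/outside firewall.

```python
"""Classify TCP RSTs seen in an ASA-style capture (added example, not from the thread).

Packets are a constructed sample; interface names/security levels are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed two-interface ASA with the usual inside=100 / outside=0 arrangement.
SECURITY_LEVELS: Dict[str, int] = {"inside": 100, "outside": 0}

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    iface: str     # ASA interface the packet arrived on (ingress)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # any of S, A, F, R (e.g. "S", "SA", "A", "FA", "RA")
    payload: int   # TCP payload bytes


def flow_key(p: Packet) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent key so both halves of a conversation share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def asa_reason(p: Packet, levels: Dict[str, int]) -> str:
    """Teardown reason the ASA would log for this RST: Reset-I when the RST
    arrives on the higher-security interface, Reset-O when on the lower one."""
    return "TCP Reset-I" if levels[p.iface] == max(levels.values()) else "TCP Reset-O"


def interpret(s: dict, p: Packet) -> str:
    """Explain an RST from what the flow had done before it."""
    sender = (p.src, p.sport)
    if s["fin"]:
        return "RST after FIN: abortive close of a connection already shutting down (usually benign)"
    if s["data"]:
        return "RST mid-stream after data: application disconnect, or a firewall/LB/router in the path timed the connection out"
    if s["established"]:
        return "RST after handshake with no data: peer or middlebox dropped the connection before the application spoke"
    if s["synack"]:
        return "RST after SYN/ACK: handshake never completed"
    if s["syn_from"] is not None:
        if sender != s["syn_from"]:
            return "RST in reply to SYN: destination port closed, or refused by a device in the path"
        return "RST from the SYN sender: client aborted its own connection attempt"
    return "RST with no handshake in capture: stale packet, asymmetric path, or capture started mid-connection"


def classify_resets(packets: List[Packet], levels: Dict[str, int] = SECURITY_LEVELS) -> List[dict]:
    """Walk the capture in order, keep per-flow handshake state, report every RST."""
    state: Dict[Tuple[Endpoint, Endpoint], dict] = {}
    findings: List[dict] = []
    for p in packets:
        k = flow_key(p)
        s = state.setdefault(k, {"syn_from": None, "synack": False,
                                 "established": False, "data": 0, "fin": False})
        if "R" in p.flags:
            findings.append({
                "flow": f"{k[0][0]}:{k[0][1]} <-> {k[1][0]}:{k[1][1]}",
                "reset_from": f"{p.src}:{p.sport}",
                "ingress": p.iface,
                "asa_reason": asa_reason(p, levels),
                "interpretation": interpret(s, p),
            })
            continue
        if "S" in p.flags and "A" not in p.flags:
            s["syn_from"] = (p.src, p.sport)
        elif "S" in p.flags and "A" in p.flags:
            s["synack"] = True
        elif "A" in p.flags and s["synack"]:
            s["established"] = True
        if p.payload:
            s["data"] += p.payload
        if "F" in p.flags:
            s["fin"] = True
    return findings


# Constructed sample capture covering the three cases discussed in the thread.
SAMPLE: List[Packet] = [
    # Flow 1: SYN to a closed port; server answers RST/ACK, arriving on outside
    Packet("inside", "10.1.1.10", 51000, "203.0.113.5", 8443, "S", 0),
    Packet("outside", "203.0.113.5", 8443, "10.1.1.10", 51000, "RA", 0),
    # Flow 2: full handshake, data both ways, then the client resets mid-stream
    Packet("inside", "10.1.1.11", 51001, "203.0.113.5", 443, "S", 0),
    Packet("outside", "203.0.113.5", 443, "10.1.1.11", 51001, "SA", 0),
    Packet("inside", "10.1.1.11", 51001, "203.0.113.5", 443, "A", 0),
    Packet("inside", "10.1.1.11", 51001, "203.0.113.5", 443, "A", 517),
    Packet("outside", "203.0.113.5", 443, "10.1.1.11", 51001, "A", 1460),
    Packet("inside", "10.1.1.11", 51001, "203.0.113.5", 443, "RA", 0),
    # Flow 3: server sends FIN, client answers with RST instead of FIN (benign shortcut)
    Packet("inside", "10.1.1.12", 51002, "203.0.113.9", 80, "S", 0),
    Packet("outside", "203.0.113.9", 80, "10.1.1.12", 51002, "SA", 0),
    Packet("inside", "10.1.1.12", 51002, "203.0.113.9", 80, "A", 0),
    Packet("inside", "10.1.1.12", 51002, "203.0.113.9", 80, "A", 120),
    Packet("outside", "203.0.113.9", 80, "10.1.1.12", 51002, "FA", 300),
    Packet("inside", "10.1.1.12", 51002, "203.0.113.9", 80, "RA", 0),
]

if __name__ == "__main__":
    for f in classify_resets(SAMPLE):
        print(f"{f['asa_reason']}  {f['flow']}  RST from {f['reset_from']} on {f['ingress']}: {f['interpretation']}")
```

Run against a real export, the output lines map one-to-one onto the "TCP Reset-I" / "TCP Reset-O" teardown reasons in the log, and the interpretation column tells you which of the three situations from the reply above each one is: a closed port (RST straight after the SYN), a real mid-stream abort worth chasing to the application or an intermediate device, or a FIN-then-RST close that can be ignored.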
