04-09-2017 04:45 AM - edited 03-12-2019 02:12 AM
Hello Guys,
I recently set up a Cisco ASA 9.x for a financial institution in the new DC, and because this project is still in the implementation phase I have yet to implement any form of restriction on the ASA.
I have no VPN or NAT connection on the ASA. I have allowed traffic between zones on the ASA by permitting ip any any on my inside interface.
Since the project is still in a migration phase, we are passing traffic from the serverfarm on the inside zone (successfully migrated servers from the old DC to the new DC).
The serverfarm is protected by a Palo Alto FW which is also in a pass-through mode, so all outbound and inbound connections are allowed.
The migration plan is to have a connection on the ASA located in the new DC to the old network, terminated on a 6509 (core of the old DC) of the financial institution.
The old network still holds the routes to in-country branches and also affiliates which are located outside the country through a VPN tunnel, and it's also the internet breakaway for the network.
I have established full connectivity between the new and old network, and also to the branches and affiliates, through the static route on the ASA pointing to the 6509 (core of the old DC) connection.
My challenge is that when servers from the new DC try to establish TCP connections from hosts on the inside to the old DC, the ASA builds the connection and then tears it down.
So the ASA sends the SYN across but the ACK so it tears down the connection
5# sh log | i 10.2.173.29
%ASA-6-302014: Teardown TCP connection 290051329 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34610 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051332 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34611 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051335 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34612 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host Ecobank:10.2.173.29 duration 0:00:00
Sh route 10.2.173.29
Routing entry for 10.2.0.0 255.255.0.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.3.201.134, via Old-Net
Route metric is 0, traffic share count is 1
sh asp drop
Frame drop:
Invalid TCP Length (invalid-tcp-hdr-length) 4
Invalid UDP Length (invalid-udp-length) 4
No valid adjacency (no-adjacency) 839971
No route to host (no-route) 13110842
Reverse-path verify failed (rpf-violated) 98
Flow is denied by configured rule (acl-drop) 609829
First TCP packet not SYN (tcp-not-syn) 2044354
Bad TCP flags (bad-tcp-flags) 1
TCP failed 3 way handshake (tcp-3whs-failed) 303376
TCP RST/FIN out of order (tcp-rstfin-ooo) 1331302
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 60
TCP packet SEQ past window (tcp-seq-past-win) 1973
TCP invalid ACK (tcp-invalid-ack) 24
TCP Out-of-Order packet buffer full (tcp-buffer-full) 278
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 59731
TCP RST/SYN in window (tcp-rst-syn-in-win) 452
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 236
TCP packet failed PAWS test (tcp-paws-fail) 89
Connection limit reached (conn-limit) 3
Slowpath security checks failed (sp-security-failed) 15798
Expired flow (flow-expired) 3
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 3
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 2
DNS Inspect packet too long (inspect-dns-pak-too-long) 23
DNS Inspect id not matched (inspect-dns-id-not-matched) 2683
FP L2 rule drop (l2_acl) 785152
Unable to obtain connection lock (connection-lock) 1
Interface is down (interface-down) 991
Dropped pending packets in a closed socket (np-socket-closed) 8868
Last clearing: Never
Flow drop:
Inspection failure (inspect-fail) 18590
04-09-2017 08:01 AM
TCP Reset-O means that the firewall saw a RST packet come from the outside host. At this point the firewall will remove the connection from its connection table and no further packets will pass. This should be investigated on the outside host.
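As an added example (not from the post or from Cisco), a small parser for the %ASA-6-302014 teardown lines quoted above that flags peers which reset brand-new connections before any data flows, which is exactly the pattern in the log. The sample lines are constructed; the interface name Old-Net and the 10.2.173.29/3306 peer are taken from the post.

```python
import re
from collections import Counter

# Constructed sample syslog, modelled on the 302014 lines quoted in the post.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 290051329 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34610 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051332 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34611 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051335 for Old-Net:10.2.173.29/3306 to inside:10.4.176.173/34612 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 290051340 for Old-Net:10.2.173.40/443 to inside:10.4.176.173/34620 duration 0:02:11 bytes 48213 TCP FINs
%ASA-7-609002: Teardown local-host Old-Net:10.2.173.29 duration 0:00:00
"""

# Fields of a 302014 message: conn id, two interface:ip/port endpoints,
# duration h:mm:ss, byte count, and an optional teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<if_a>[^:]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[^:]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)

def parse_teardown(line):
    """Return a dict for a 302014 line, or None for any other message."""
    m = TEARDOWN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    h, mi, s = (int(x) for x in rec["duration"].split(":"))
    rec["seconds"] = h * 3600 + mi * 60 + s
    rec["reason"] = rec["reason"] or ""
    return rec

def find_reset_peers(lines, outside_if="Old-Net", min_hits=3):
    """Count zero-byte, zero-duration 'TCP Reset-O' teardowns per peer.

    Reset-O means the RST came from the outside host, so the peer on the
    outside-facing interface (outside_if) is the one to investigate.
    Returns {(ip, port): count} for peers reaching min_hits.
    """
    hits = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec is None or rec["reason"] != "TCP Reset-O":
            continue
        if rec["bytes"] != 0 or rec["seconds"] != 0:
            continue  # data flowed or the session lived; not an immediate reset
        side = "a" if rec["if_a"] == outside_if else "b"
        hits[(rec["ip_" + side], rec["port_" + side])] += 1
    return {peer: n for peer, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for (ip, port), n in find_reset_peers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}:{port} reset {n} new connections with no data; check that host/service")
```

Run against `show logging` output, a peer reported here is resetting connections itself, so the next step is on that host (service listening on the port, host firewall, or a route back to the new DC) rather than on the ASA.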