Teardown TCP connection

mahesh18
Level 6

Hi Everyone,

 

We have an issue here where a user PC cannot access some server.

I need to confirm that issue is not on Network side.

Here are the logs:

 

 %ASA-6-302014: Teardown TCP connection 612704566 for dmz:10.60.34.49/1855 to Net:172.31.164.96/50675 duration 0:00:03 bytes 122251 TCP FINs

 %ASA-6-302013: Built outbound TCP connection 612704978 for dmz:10.60.34.49/1855 (10.64.34.49/1855) to Net:172.31.164.96/50678 (10.16.101.1/6452)

where 172.31.164.96 is the IP of the user PC

 

Regards

Mahesh

4 Replies

Julio Carvajal
VIP Alumni

Hello,

 

Based on the logs it looks like the connection is being torn down gracefully by TCP FINs. It does not look like the ASA is the culprit here.

 

My recommendation would be to create 3 captures:

one in the DMZ

One in the Net 

and One ASP capture to determine whether the ASA is dropping some packets or not!
 

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

 

When you say create 3 captures, does it mean that on

 

DMZ  -- server---Run wireshark there

NET---PC  --Run wireshark

 

ASA  run packet capture there?

 

Regards

Mahesh

Hi Mahesh,

 

It seems the log messages you posted are not related to the same connection. After the section "TCP connection" in the log message you will see a number/ID and this has to match in the Built and Teardown messages.

 

I would however guess that since both of the connections are clearly using the same destination port from the client's perspective and since the Teardown reason is TCP FINs that with regards to this TCP connection there has been no problem related to the firewall.

 

One basic check that you could do in addition to the traffic captures is that you check the ASDM logs for the server/client while the client is attempting the connection and see if there is any other TCP/UDP port related to this connection that might get blocked.

 

With regards to the traffic captures you can either do all of them on the ASA or the 2 captures can be done on the actual client/server depending which is easier for you.

 

- Jouni
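The check Jouni describes (the connection ID after "TCP connection" must match between the Built and Teardown messages) can be scripted. The following is an added example, not code from this thread or from Cisco: it indexes %ASA-6-302013 and %ASA-6-302014 messages by connection ID and classifies each ID, so a Teardown with a reason other than "TCP FINs" stands out. The sample log contains the two lines from the original post plus constructed lines; IDs 612704999 and 700000001 and their addresses are made up.

```python
import re
from collections import defaultdict

# %ASA-6-302013: Built <dir> TCP connection <id> for <if:ip/port> (<mapped>) to <if:ip/port> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src>\S+) \((?P<src_map>[^)]+)\) to (?P<dst>\S+) \((?P<dst_map>[^)]+)\)"
)
# %ASA-6-302014: Teardown TCP connection <id> for <src> to <dst> duration h:mm:ss bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Constructed sample: first two lines are from the post, the rest are made up for illustration.
SAMPLE_LOG = [
    "%ASA-6-302014: Teardown TCP connection 612704566 for dmz:10.60.34.49/1855 to Net:172.31.164.96/50675 duration 0:00:03 bytes 122251 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 612704978 for dmz:10.60.34.49/1855 (10.64.34.49/1855) to Net:172.31.164.96/50678 (10.16.101.1/6452)",
    "%ASA-6-302013: Built outbound TCP connection 612704999 for dmz:10.60.34.49/1855 (10.64.34.49/1855) to Net:172.31.164.96/50690 (10.16.101.1/6470)",
    "%ASA-6-302014: Teardown TCP connection 612704999 for dmz:10.60.34.49/1855 to Net:172.31.164.96/50690 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302013: Built outbound TCP connection 700000001 for dmz:10.60.34.49/1855 (10.64.34.49/1855) to Net:172.31.164.96/50700 (10.16.101.1/6480)",
    "%ASA-6-302014: Teardown TCP connection 700000001 for dmz:10.60.34.49/1855 to Net:172.31.164.96/50700 duration 0:01:10 bytes 8192 TCP FINs",
]


def parse(lines):
    """Group Built and Teardown messages by their connection ID."""
    conns = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if m := BUILT_RE.search(line):
            conns[int(m["id"])]["built"] = m.groupdict()
        elif m := TEARDOWN_RE.search(line):
            conns[int(m["id"])]["teardown"] = m.groupdict()
    return dict(conns)


def assess(conns):
    """'complete': Built and Teardown seen, closed by TCP FINs (no firewall problem indicated).
    'suspicious': Teardown reason is something else, worth a capture/ASP drop check.
    'partial': only one half of the pair was in the log window, so nothing can be concluded."""
    verdict = {}
    for cid, parts in conns.items():
        td = parts.get("teardown")
        if "built" not in parts or td is None:
            verdict[cid] = "partial"
        else:
            verdict[cid] = "complete" if td["reason"] == "TCP FINs" else "suspicious"
    return verdict


if __name__ == "__main__":
    for cid, state in sorted(assess(parse(SAMPLE_LOG)).items()):
        print(cid, state)
```

Run against the two lines from the post alone, both IDs come back as "partial", which is exactly the mismatch Jouni points out.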

Hi Jouni,

 

Nice to see a reply from you after a long time.

The issue is fixed. The application team ran some update script for the application

running on the user PC and after that connection from user PC was established to server fine.

Regards

Mahesh
