08-13-2013 07:22 PM - edited 03-11-2019 07:25 PM
Hi Everyone,
I am trying to access the URL below. Here are the FW logs from the home ASA:
Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1360 to outside:192.168.71.2/1360
Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17717 for outside:140.98.193.112/80 (140.98.193.112/80) to DMZ:192.168.70.3/1360 (192.168.71.2/1360)
Aug 13 2013 20:18:41: %ASA-5-304001: 192.168.70.3 Accessed URL 140.98.193.112:http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=01162058&url=http%3A%2F%2Fieeexplore.ieee.org%2Fstamp%2Fstamp.jsp%3Farnumber%3D01162058
Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1361 to outside:192.168.71.2/1361
Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17718 for outside:140.98.193.169/80 (140.98.193.169/80) to DMZ:192.168.70.3/1361 (192.168.71.2/1361)
Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1362 to outside:192.168.71.2/1362
Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17719 for outside:208.92.236.82/80 (208.92.236.82/80) to DMZ:192.168.70.3/1362 (192.168.71.2/1362)
Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1363 to outside:192.168.71.2/1363
Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17720 for outside:140.98.193.169/80 (140.98.193.169/80) to DMZ:192.168.70.3/1363 (192.168.71.2/1363)
Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1364 to outside:192.168.71.2/1364
Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17721 for outside:140.98.193.112/443 (140.98.193.112/443) to DMZ:192.168.70.3/1364 (192.168.71.2/1364)
Aug 13 2013 20:18:41: %ASA-6-302014: Teardown TCP connection 17719 for outside:208.92.236.82/80 to DMZ:192.168.70.3/1362 duration 0:00:00 bytes 1421 TCP FINs
Aug 13 2013 20:18:41: %ASA-6-305012: Teardown dynamic TCP translation from DMZ:192.168.70.3/1362 to outside:192.168.71.2/1362 duration 0:00:00
Aug 13 2013 20:18:41: %ASA-6-305011: Built dynamic TCP translation from DMZ:192.168.70.3/1365 to outside:192.168.71.2/1365
Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17722 for outside:140.98.193.112/443 (140.98.193.112/443) to DMZ:192.168.70.3/1365 (192.168.71.2/1365)
Aug 13 2013 20:18:47: %ASA-6-302014: Teardown TCP connection 17722 for outside:140.98.193.112/443 to DMZ:192.168.70.3/1365 duration 0:00:05 bytes 415 TCP FINs
Aug 13 2013 20:18:47: %ASA-6-305012: Teardown dynamic TCP translation from DMZ:192.168.70.3/1365 to outside:192.168.71.2/1365 duration 0:00:05
Aug 13 2013 20:18:47: %ASA-6-302014: Teardown TCP connection 17720 for outside:140.98.193.169/80 to DMZ:192.168.70.3/1363 duration 0:00:05 bytes 0 TCP FINs
Aug 13 2013 20:18:47: %ASA-6-305012: Teardown dynamic TCP translation from DMZ:192.168.70.3/1363 to outside:192.168.71.2/1363 duration 0:00:05
Where 192.168.70.3 is my pc ip.
Seems to confirm here that the above logs tell the issue with the specific URL of the website?
Regards
Mahesh
08-13-2013 08:29 PM
Hello Mahesh,
It shows that the session was gracefully shutdown or closed via TCP FIN packets.
If you do a capture asp you should not see any packets.
Teardown TCP connection 17719 for outside:208.92.236.82/80 to DMZ:192.168.70.3/1362 duration 0:00:00 bytes 1421 TCP FINs
Looks like the FIN packets are being initiated from the server side (the way to confirm it is via packet captures, my friend).
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
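An added example, not part of the original thread: a small Python correlator that joins each `%ASA-6-302013` Built message with its `%ASA-6-302014` Teardown and labels the teardown reason, which is the reading of the log given in the reply above. The first seven sample lines are copied from the log in the original post; the last line (connection 17723, `SYN Timeout`) is constructed for contrast, and the function names are this example's own.

```python
import re

# Lines copied from the firewall log in the original post.
PAGE_LINES = [
    "Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17717 for outside:140.98.193.112/80 (140.98.193.112/80) to DMZ:192.168.70.3/1360 (192.168.71.2/1360)",
    "Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17719 for outside:208.92.236.82/80 (208.92.236.82/80) to DMZ:192.168.70.3/1362 (192.168.71.2/1362)",
    "Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17720 for outside:140.98.193.169/80 (140.98.193.169/80) to DMZ:192.168.70.3/1363 (192.168.71.2/1363)",
    "Aug 13 2013 20:18:41: %ASA-6-302013: Built outbound TCP connection 17722 for outside:140.98.193.112/443 (140.98.193.112/443) to DMZ:192.168.70.3/1365 (192.168.71.2/1365)",
    "Aug 13 2013 20:18:41: %ASA-6-302014: Teardown TCP connection 17719 for outside:208.92.236.82/80 to DMZ:192.168.70.3/1362 duration 0:00:00 bytes 1421 TCP FINs",
    "Aug 13 2013 20:18:47: %ASA-6-302014: Teardown TCP connection 17722 for outside:140.98.193.112/443 to DMZ:192.168.70.3/1365 duration 0:00:05 bytes 415 TCP FINs",
    "Aug 13 2013 20:18:47: %ASA-6-302014: Teardown TCP connection 17720 for outside:140.98.193.169/80 to DMZ:192.168.70.3/1363 duration 0:00:05 bytes 0 TCP FINs",
]
# Constructed line (not from the post): a teardown that is not a FIN close.
CONSTRUCTED = [
    "Aug 13 2013 20:19:11: %ASA-6-302014: Teardown TCP connection 17723 for outside:203.0.113.10/80 to DMZ:192.168.70.3/1366 duration 0:00:30 bytes 0 SYN Timeout",
]

BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for "
                   r"\w+:([\d.]+)/(\d+) ")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\d+):(\d+):(\d+) bytes (\d+) (.+)$")

def correlate(lines):
    """Join each 302013 Built with its 302014 Teardown, keyed by connection id."""
    conns = {}
    for line in lines:
        m = BUILT.search(line)
        if m:
            conns[int(m.group(1))] = {"peer": f"{m.group(2)}:{m.group(3)}"}
            continue
        m = TEARDOWN.search(line)
        if m:
            rec = conns.setdefault(int(m.group(1)), {"peer": None})
            h, mi, s = (int(x) for x in m.group(2, 3, 4))
            rec.update(closed=True, seconds=h * 3600 + mi * 60 + s,
                       bytes=int(m.group(5)), reason=m.group(6).strip())
    return conns

def summarize(conns):
    """Label each connection: graceful FIN close, other reason, or still open."""
    out = {}
    for cid, rec in sorted(conns.items()):
        if not rec.get("closed"):
            out[cid] = "open (no teardown in excerpt)"
        elif rec["reason"] == "TCP FINs":
            out[cid] = "graceful FIN close" + (", 0 bytes" if rec["bytes"] == 0 else "")
        else:
            out[cid] = "teardown: " + rec["reason"]
    return out
```

In the log lines on this page the teardown reason does not name which side sent the first FIN, so the summary only separates graceful closes from other reasons.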
08-13-2013 09:35 PM
Hi Julio,
I will do the packet capture and keep you posted.
Regards
Mahesh
08-13-2013 09:36 PM
Hello Mahesh,
Be my guest,
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-14-2013 07:12 PM
Hi Julio,
I have attached the packet capture under the first.
Let me know which things to look for?
PC IP 192.168.70.2
Natted IP 192.168.71.82
Regards
Mahesh
08-14-2013 08:55 PM
Hello Mahesh,
I referred to the captures in pcap format.
But here is the interesting fact based on that capture: On packet 135 we can see the server gracefully closing the connection with a FIN packet.
140.98.193.112.80 > 192.168.71.82.2434: F
That happened after a lot of packets were exchanged between those 2 hosts.
Can you do
cap asp type asp-drop all circular-buffer
Then attempt to connect and finally provide us the following output
show cap asp | include 140.98.193.112
This will let us know if the ASA is dropping any packets, but I honestly do not think so.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-14-2013 09:40 PM
Hi Julio,
I tried that command; the output is blank:
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
ciscoasa# show cap asp | include 140.98.193.112
What does the above command do?
Regards
Mahesh
08-14-2013 10:22 PM
Hello,
Any capture that is type asp-drop will basically show the packets being dropped by the ASA.
In this case we can see that the ASA is not the one dropping the traffic so there is some reason out of the scope of the ASA (On the server side) that is causing the server to close gracefully the connection with a FIN packet.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 05:41 PM
Thanks Julio for help.
Best Regards