05-06-2013 01:28 PM - edited 03-11-2019 06:39 PM
Hi everyone,
Unable to connect to the device on port 27000.
Here are the logs:
%ASA-6-302013: Built inbound TCP connection 69552007 for X:172.x.x.x/64755 (172.x.x.x/64755) to Y:172.x.x.x/27000 (172.x.x.x/27000)
%ASA-6-302014: Teardown TCP connection 69550694 for X:172.x.x.x/64753 to Y:172.x.x.x/27000 duration 0:00:30 bytes 0 SYN Timeout
I am coming from the X to the Y interface of the ASA.
Need to confirm if the issue is from the remote device?
The ASA log shows hit counts while connected to the server.
But for the return traffic there are no hit counts?
Thanks
Mahesh
05-06-2013 01:35 PM
Hi Mahesh,
This indeed seems like an issue with the remote device (if it is directly connected): either the device is not listening on 27000 or it has an incorrect DG. In a nutshell, there is no response seen to the initial SYN sent by the client.
Apply captures on ingress and egress and that should clarify this.
-
Sourav
05-06-2013 01:42 PM
Hi Sourav,
Thanks for confirming that the issue is with the remote device.
Can you please let me know what config I need to apply for packet captures?
Thanks
Mahesh
05-06-2013 01:46 PM
Mahesh,
Check these links, which explain captures in detail:
https://supportforums.cisco.com/docs/DOC-17345
https://supportforums.cisco.com/docs/DOC-17814
-
Sourav
05-06-2013 01:36 PM
Hi Mahesh,
With regard to the mentioned log messages, it would seem that the host isn't responding to the first message that starts the TCP connection negotiation.
Also, with regard to the ACL hit count: only the ACL on the interface where the original connection comes from gets a hit count. The return traffic doesn't generate any hit count.
For example, in this case the connection from X generates a hit count on the X access-list. If there was return traffic, it wouldn't produce any hits on the interface Y ACL.
As the ASA is a stateful device, you don't have to open traffic in both directions, just the initial direction of the connection forming.
I would start by checking the host you are trying to connect to for any problems.
- Jouni
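The log-based check Sourav and Jouni describe, as an added Python example that is not part of the original thread: it pairs the %ASA-6-302013 Built and %ASA-6-302014 Teardown messages by connection ID and flags a connection as "SYN never answered" when the teardown reports bytes 0 with reason SYN Timeout. The sample log lines are constructed, with RFC 1918 placeholder addresses in place of the redacted 172.x.x.x ones; the two-attempt pattern from the post (different connection IDs, different source ports) is reproduced, and a healthy connection is included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of ASA syslog lines (not taken from the original post; RFC 1918
# placeholder addresses stand in for the redacted 172.x.x.x ones). Connection 69550694
# mirrors the thread: built, then torn down after 30 s with 0 bytes and "SYN Timeout",
# i.e. the server never answered the client's SYN. 69552007 is a fresh attempt from a
# new source port that is still open. 69552100 is a healthy connection for contrast.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 69550694 for X:172.16.1.10/64753 (172.16.1.10/64753) to Y:172.16.2.20/27000 (172.16.2.20/27000)
%ASA-6-302014: Teardown TCP connection 69550694 for X:172.16.1.10/64753 to Y:172.16.2.20/27000 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 69552007 for X:172.16.1.10/64755 (172.16.1.10/64755) to Y:172.16.2.20/27000 (172.16.2.20/27000)
%ASA-6-302013: Built inbound TCP connection 69552100 for X:172.16.1.10/64760 (172.16.1.10/64760) to Y:172.16.2.21/443 (172.16.2.21/443)
%ASA-6-302014: Teardown TCP connection 69552100 for X:172.16.1.10/64760 to Y:172.16.2.21/443 duration 0:00:05 bytes 18342 TCP FINs
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) \S+ "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for \S+ to \S+ "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def analyze(log_text):
    """Pair Built/Teardown messages by connection ID and classify each connection.

    The connection ID, not the address pair, is the join key: every new SYN from a
    new source port gets its own ID, so two attempts to the same server are two
    separate records (as in the thread, where 69550694 and 69552007 differ).
    """
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {
                "src": f"{m['src']}:{m['sport']}",
                "dst": f"{m['dst']}:{m['dport']}",
                "src_if": m["src_if"],
                "dst_if": m["dst_if"],
                "bytes": None,
                "reason": None,
                "state": "open",
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            c = conns[m["id"]]
            c["bytes"] = int(m["bytes"])
            c["reason"] = m["reason"].strip()
            # "SYN Timeout" with 0 bytes: the ASA forwarded the SYN out of the egress
            # interface and nothing came back. A non-zero byte count would mean the
            # handshake completed and the session died later, a different problem.
            if c["reason"] == "SYN Timeout" and c["bytes"] == 0:
                c["state"] = "no_syn_ack"
            else:
                c["state"] = "closed"
    return conns


def unanswered_servers(conns):
    """Return {"ip:port": count} for servers that never answered a SYN."""
    counts = defaultdict(int)
    for c in conns.values():
        if c["state"] == "no_syn_ack":
            counts[c["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    conns = analyze(SAMPLE_LOGS)
    for cid, c in conns.items():
        print(cid, c["src"], "->", c["dst"], c["state"], c["reason"] or "")
    print("servers not answering SYN:", unanswered_servers(conns))
```

The byte count matters as much as the reason string: a teardown with SYN Timeout and 0 bytes means the SYN left the ASA and the server, its gateway or something in between dropped it, which is why the hit count appears only on the X interface ACL and never on Y.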
05-06-2013 01:40 PM
Hi Jouni,
This remote device has return traffic to interface X on some specific port.
Say we have an ACL to open port 2700 and xyz on the ASA,
where port 2700 is the connection to the device and port xyz is the return traffic coming from that device.
Hope that makes sense.
Thanks for confirming that the issue seems to be with the remote device.
Regards
Mahesh
05-06-2013 01:43 PM
Hi,
I am not sure if I understood you correctly.
But in a nutshell, you only open ports in the ACL of the interface behind which the connections are initiated. You won't have to take into account the return traffic of that connection.
If both devices open/initiate connections, then you naturally have to allow connections on both ACLs. But to be honest, there aren't that many situations where you would run into this.
- Jouni
05-06-2013 01:46 PM
Hi,
You can configure the capture with
access-list CAPTURE permit ip host
access-list CAPTURE permit ip host
capture CAPTURE type raw-data access-list CAPTURE interface X buffer 5000000 circular-buffer
You can use the command
show capture
To see if any traffic has hit the capture
You can use the command
show capture CAPTURE
To view the contents of the capture
- Jouni
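For the follow-up question of what to look for in a long "show capture CAPTURE" listing, an added Python example that is not from the thread or from Cisco: it reads the tcpdump-style packet lines the ASA prints, groups them into client-to-server flows starting from each bare SYN, and reports per flow whether a SYN-ACK came back, a RST came back, or nothing at all. The capture excerpt is constructed and the exact packet line layout is assumed from typical ASA output. Read against a capture on the egress interface Y, repeated SYNs with no reply point at the host, its default gateway or a filter in front of it, while a RST means the host is reachable but nothing listens on that port.

```python
import re

# Constructed excerpt in the style of ASA "show capture CAPTURE" output (not taken
# from the original thread; the line layout is assumed from typical ASA output and
# the addresses are RFC 1918 placeholders). Flow 1: three SYN retransmissions to
# port 27000 with nothing coming back. Flow 2: a normal handshake to 443. Flow 3:
# a SYN to 27001 answered by a RST, i.e. the host is up but nothing listens there.
SAMPLE_CAPTURE = """\
8 packets captured

   1: 13:21:07.413425       172.16.1.10.64753 > 172.16.2.20.27000: S 1585073641:1585073641(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 13:21:10.412511       172.16.1.10.64753 > 172.16.2.20.27000: S 1585073641:1585073641(0) win 8192 <mss 1460,nop,nop,sackOK>
   3: 13:21:16.412700       172.16.1.10.64753 > 172.16.2.20.27000: S 1585073641:1585073641(0) win 8192 <mss 1460,nop,nop,sackOK>
   4: 13:21:20.100000       172.16.1.10.64760 > 172.16.2.21.443: S 9001:9001(0) win 8192 <mss 1460>
   5: 13:21:20.100900       172.16.2.21.443 > 172.16.1.10.64760: S 5000:5000(0) ack 9002 win 29200 <mss 1460>
   6: 13:21:20.101500       172.16.1.10.64760 > 172.16.2.21.443: . ack 5001 win 8192
   7: 13:21:25.000000       172.16.1.10.64770 > 172.16.2.20.27001: S 7000:7000(0) win 8192 <mss 1460>
   8: 13:21:25.000700       172.16.2.20.27001 > 172.16.1.10.64770: R 0:0(0) ack 7001 win 0
8 packets shown
"""

# One packet line: index, timestamp, src.port > dst.port: flags rest-of-line.
# Flags use the classic tcpdump letters (S, F, R, P, "." for none); "S" plus an
# "ack N" in the rest of the line is a SYN-ACK.
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUW.]+) ?(?P<rest>.*)$"
)


def new_flow():
    return {"syn": 0, "syn_ack": 0, "rst": 0, "other": 0}


def summarize_capture(text):
    """Group packets into (client, server) flows and count handshake-relevant packets."""
    flows = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # "8 packets captured" / "8 packets shown" / blank lines
        a = f"{m['src']}:{m['sport']}"
        b = f"{m['dst']}:{m['dport']}"
        flags = m["flags"]
        has_ack = re.search(r"\back \d+", m["rest"]) is not None
        if (a, b) in flows:
            key, from_client = (a, b), True
        elif (b, a) in flows:
            key, from_client = (b, a), False
        elif "S" in flags and not has_ack:
            key, from_client = (a, b), True  # the first bare SYN defines client -> server
            flows[key] = new_flow()
        else:
            continue  # mid-stream packet whose SYN is not in the buffer; ignore
        rec = flows[key]
        if from_client and "S" in flags and not has_ack:
            rec["syn"] += 1
        elif not from_client and "S" in flags and has_ack:
            rec["syn_ack"] += 1
        elif not from_client and "R" in flags:
            rec["rst"] += 1
        else:
            rec["other"] += 1
    return flows


def verdict(rec):
    """Turn one flow's counters into the conclusion a troubleshooter wants."""
    if rec["syn_ack"]:
        return "handshake completed"
    if rec["rst"]:
        return "refused: host reachable, nothing listening on that port"
    if rec["syn"] > 1:
        return f"{rec['syn']} SYNs, no reply: host down, bad routing, or filtered"
    return "single SYN, no reply yet"


def report(text):
    """Map "client -> server" to its verdict for every flow in the capture."""
    return {f"{c} -> {s}": verdict(r) for (c, s), r in summarize_capture(text).items()}


if __name__ == "__main__":
    for flow, result in report(SAMPLE_CAPTURE).items():
        print(flow, ":", result)
```

Running the same script over the ingress (X) and egress (Y) captures answers the question the thread circles around: if the SYN appears on Y but no reply ever does, the ASA has done its part and the fault is beyond it, which matches the routing problem eventually found here.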
05-06-2013 01:49 PM
Hi Jouni,
I will do that and will update you.
Thanks
Mahesh
05-06-2013 01:48 PM
Hi Jouni,
We open two ports on the ASA for the user to access the remote device.
On one port the connection is built, and on the other port, as per the user, the return traffic comes, so that's why the second port is needed.
Regards
Mahesh
05-14-2013 06:04 PM
Hi Jouni,
Tomorrow I will test with packet capture, as the access to the device is not working. Can you tell me what info I should look into
when I run sh capture name?
As the output can be long?
Thanks
Mahesh
05-16-2013 11:03 AM
Hi Jouni,
The issue is fixed now.
It was a routing issue.
Regards
Mahesh