Unable to connect to remote device

mahesh18 (Level 6)

Hi everyone,

Unable to connect to the device on port 27000.

Here are the logs:

: %ASA-6-302013: Built inbound TCP connection 69552007 for X:172.x.x.x/64755 (172.x.x.x/64755) to Y:172.x.x.x/27000 (172.x.x.x/27000)

%ASA-6-302014: Teardown TCP connection 69550694 for X:172.x.x.x/64753 to Y:172.x.x.x/27000 duration 0:00:30 bytes 0 SYN Timeout

I am coming from the X to the Y interface of the ASA.

I need to confirm whether the issue is with the remote device.

The ASA log shows hit counts while connecting to the server,

but for the return traffic there are no hit counts?

Thanks,

Mahesh


sokakkar (Cisco Employee)

Hi Mahesh,

This indeed seems like an issue with the remote device (if it is directly connected): either the device is not listening on 27000 or it has an incorrect DG (default gateway). In a nutshell, there is no response seen to the initial SYN sent by the client.

Apply captures on ingress and egress and that should clarify this.

- Sourav
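The reasoning in the reply above (a 302013 "Built" line proves the SYN was permitted, a 302014 teardown with "bytes 0 SYN Timeout" proves nothing came back) can be turned into a small triage script. This is an added example, not code from the thread or from Cisco; the log lines in SAMPLE_LOG are constructed to match the shape of the messages quoted in the question, with made-up addresses, ports and connection IDs.

```python
"""Triage ASA 302013/302014 syslog lines and flag TCP connections that were
permitted by the ASA but never answered by the server.

Added example, not from the original thread. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# %ASA-6-302013: Built <dir> TCP connection <id> for <ifc>:<src>/<sport> (<mapped>) to <ifc>:<dst>/<dport> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_ifc>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) "
    r"to (?P<dst_ifc>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\)"
)
# %ASA-6-302014: Teardown TCP connection <id> for <ifc>:<src>/<sport> to <ifc>:<dst>/<dport> duration h:mm:ss bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_ifc>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_ifc>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Constructed sample: two attempts to 172.16.2.20:27000 that time out, and one
# healthy SSH session to 172.16.2.21:22 that ends with FINs.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 69550694 for X:172.16.1.10/64753 (172.16.1.10/64753) to Y:172.16.2.20/27000 (172.16.2.20/27000)",
    "%ASA-6-302014: Teardown TCP connection 69550694 for X:172.16.1.10/64753 to Y:172.16.2.20/27000 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302013: Built inbound TCP connection 69552007 for X:172.16.1.10/64755 (172.16.1.10/64755) to Y:172.16.2.20/27000 (172.16.2.20/27000)",
    "%ASA-6-302014: Teardown TCP connection 69552007 for X:172.16.1.10/64755 to Y:172.16.2.20/27000 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302013: Built inbound TCP connection 69552100 for X:172.16.1.10/64800 (172.16.1.10/64800) to Y:172.16.2.21/22 (172.16.2.21/22)",
    "%ASA-6-302014: Teardown TCP connection 69552100 for X:172.16.1.10/64800 to Y:172.16.2.21/22 duration 0:02:11 bytes 8123 TCP FINs",
]


def parse(lines):
    """Yield ("built"|"teardown", fields) for each 302013/302014 line; skip the rest."""
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            yield "built", m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            yield "teardown", m.groupdict()


def triage(lines):
    """Group connections by (server, port) and return a verdict string per server socket.

    A 302013 'Built' line means the ASA accepted the client's SYN (this is the
    event behind the ingress ACL hit count). A 302014 teardown with 'bytes 0'
    and reason 'SYN Timeout' means no SYN-ACK came back within the embryonic
    timeout, so the suspect is the server, its default gateway or the route
    back, not the ASA policy.
    """
    stats = defaultdict(lambda: {"built": 0, "syn_timeout": 0, "bytes": 0})
    for kind, f in parse(lines):
        rec = stats[(f["dst"], int(f["dport"]))]
        if kind == "built":
            rec["built"] += 1
        else:
            rec["bytes"] += int(f["bytes"])
            if f["reason"].startswith("SYN Timeout") and int(f["bytes"]) == 0:
                rec["syn_timeout"] += 1
    verdicts = {}
    for key, rec in stats.items():
        if rec["syn_timeout"] and rec["bytes"] == 0:
            verdicts[key] = "no SYN-ACK ever seen: check the server listener, its default gateway and the return route"
        elif rec["syn_timeout"]:
            verdicts[key] = "intermittent: some SYNs went unanswered"
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for (server, port), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{server}:{port} -> {verdict}")
```

Feed it the output of `show logging` filtered on `302013|302014`; a server socket whose every teardown is "bytes 0 SYN Timeout" is the one to chase on the far side of the ASA.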

Hi Sourav,

Thanks for confirming that the issue is with the remote device.

Can you please let me know what config I need to apply for packet captures?

Thanks,

Mahesh

Mahesh,

Check these links, which explain captures in detail:

https://supportforums.cisco.com/docs/DOC-17345

https://supportforums.cisco.com/docs/DOC-17814

- Sourav

Jouni Forss (VIP Alumni)

Hi Mahesh,

With regards to the mentioned log messages, it would seem that the host isn't responding to the first message that starts the TCP connection negotiation.

Also, with regards to the ACL hit count: only the ACL on the interface where the original connection comes from gets a hit count. The return traffic doesn't generate any hit count.

For example, in this case the connection from X generates a hit count on the X access-list. If there was return traffic, it wouldn't produce any hits on the interface Y ACL.

As the ASA is a stateful device, you don't have to open traffic in both directions, just the initial direction of the connection forming.

I would start by checking the host to which you are trying to connect for any problems.

- Jouni

Hi Jouni,

This remote device has return traffic to interface X on some specific port.

Say we have an ACL to open port 2700 and xyz on the ASA,

where port 2700 is the connection to the device and port xyz is the return traffic coming from that device.

Hope that makes sense.

Thanks for confirming that the issue seems to be with the remote device.

Regards,

Mahesh

Hi,

I am not sure if I understood you correctly.

But in a nutshell, you only open ports in the interface ACL behind which the connections are initiated from. You won't have to take into account the return traffic of that said connection.

If both devices open/initiate connections then you naturally have to allow connections on both ACLs. But to be honest there aren't that many situations where you would run into this.

- Jouni

Hi,

You can configure the capture with:

access-list CAPTURE permit ip host host

access-list CAPTURE permit ip host host

capture CAPTURE type raw-data access-list CAPTURE interface X buffer 5000000 circular-buffer

You can use the command

show capture

to see if any traffic has hit the capture.

You can use the command

show capture CAPTURE

to view the contents of the capture.

- Jouni
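Once the capture above is applied on both the X (ingress) and Y (egress) interfaces, the useful question is not "what is in the output" but "on which side of the ASA does the handshake stop". The script below reads two `show capture` outputs and answers that. It is an added example, not code from the thread or from Cisco; the capture text is constructed in the tcpdump-like layout the ASA prints, it assumes no NAT between the two interfaces (the same addresses appear on both sides), and INGRESS_X / EGRESS_Y are placeholder names for the two interfaces the question calls X and Y.

```python
"""Locate where a TCP handshake stops by comparing ASA 'show capture <name>'
output from the client-facing (ingress) and server-facing (egress) interfaces.

Added example, not from the original thread. The capture text is constructed
and assumes no NAT between the two interfaces.
"""
import re

# "   1: 09:15:01.123456       172.16.1.10.64755 > 172.16.2.20.27000: S 1837465987:1837465987(0) win 8192 <mss 1460>"
PKT_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"                      # optional VLAN tag prefix
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back \d+")   # "ack <seq>" appears after the flags on SYN-ACK and ACK packets

# Constructed: two client SYN retransmits, nothing back (the situation in the thread).
INGRESS_X = """\
2 packets captured

   1: 09:15:01.123456       172.16.1.10.64755 > 172.16.2.20.27000: S 1837465987:1837465987(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 09:15:04.127001       172.16.1.10.64755 > 172.16.2.20.27000: S 1837465987:1837465987(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2 packets shown
"""
EGRESS_Y = INGRESS_X   # the ASA forwarded both SYNs unchanged (no NAT); no SYN-ACK ever arrived

# Constructed: a healthy three-way handshake for comparison.
INGRESS_OK = """\
3 packets captured

   1: 09:20:01.000100       172.16.1.10.64790 > 172.16.2.20.27000: S 1100:1100(0) win 8192 <mss 1460>
   2: 09:20:01.000900       172.16.2.20.27000 > 172.16.1.10.64790: S 2200:2200(0) ack 1101 win 29200 <mss 1460>
   3: 09:20:01.001200       172.16.1.10.64790 > 172.16.2.20.27000: . ack 2201 win 8192
3 packets shown
"""
EGRESS_OK = INGRESS_OK


def parse_capture(text):
    """Return one dict per packet line; 'N packets captured/shown' lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        p["syn"] = "S" in p["flags"]
        p["ack"] = ACK_RE.search(p["rest"]) is not None
        pkts.append(p)
    return pkts


def handshake_for(pkts, server, port):
    """Count client SYNs towards server:port and SYN-ACKs coming back from it."""
    syns = sum(1 for p in pkts
               if p["dst"] == server and p["dport"] == port and p["syn"] and not p["ack"])
    synacks = sum(1 for p in pkts
                  if p["src"] == server and p["sport"] == port and p["syn"] and p["ack"])
    return syns, synacks


def locate_failure(ingress_text, egress_text, server, port):
    """Compare both captures and say on which side of the ASA the handshake broke."""
    in_syn, in_synack = handshake_for(parse_capture(ingress_text), server, port)
    out_syn, out_synack = handshake_for(parse_capture(egress_text), server, port)
    if in_syn == 0:
        return "no SYN on ingress: the client's packet never reached the ASA"
    if out_syn == 0:
        return "SYN on ingress but not on egress: the ASA did not forward it (ACL, NAT or ASA routing)"
    if out_synack == 0:
        return ("SYN forwarded, no SYN-ACK on egress: server not listening, wrong default gateway "
                "or missing return route on the far side")
    if in_synack == 0:
        return "SYN-ACK on egress but not on ingress: the ASA dropped the return traffic"
    return "handshake completed through the ASA"


if __name__ == "__main__":
    print(locate_failure(INGRESS_X, EGRESS_Y, "172.16.2.20", 27000))
    print(locate_failure(INGRESS_OK, EGRESS_OK, "172.16.2.20", 27000))
```

Paste the two `show capture` outputs into files and pass their text in; when the output is long, the only lines that matter for a stuck connection are the SYNs towards the server port and any SYN-ACK from it, which is exactly what `handshake_for` counts. If the far side uses NAT, compare the mapped addresses on the egress capture instead of the real ones.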

Hi Jouni,

I will do that and will update you.

Thanks,

Mahesh

Hi Jouni,

We open two ports on the ASA for the user to access the remote device.

On one port the connection is built, and on the other port, as per the user, the return traffic comes, so that's why the second port is needed.

Regards,

Mahesh

Hi Jouni,

Tomorrow I will test with a packet capture, as the access to the device is not working. Can you tell me what info I should look into

when I run show capture name,

as the output can be long?

Thanks,

Mahesh

Hi Jouni,

The issue is fixed now.

It was a routing issue.

Regards,

Mahesh
