ASA 5505

JimPliss52519
Level 1

Currently have a cisco ASA 5505 Cisco Adaptive Security Appliance Software Version 9.2(4)25

I have an object for a backend server pointed to the internal private IP of the server

Server is an Ubuntu 20.04 running the latest HAproxy service. Load balancing 2 sites to 2 different backend hosts

1 nat statement natting external to internal object with an allow for 80 and 443 only

Issue:

The traffic hits external natted to internal and the traffic is passed and allowed.

I then see the traffic come back to the ASA and all works as expected.

After an indeterminate amount of time the ASA inbound traffic sends to the inside host we start seeing a 0 TCP Reset-O and a following duration 0:00:30 bytes 0 SYN timeout.

If we restart the host server the traffic seems to pass with zero issues for a while and then does it again.

I have looked into setting the host keepalives. This does not seem to help the problem any.

We have pointed the same NAT to a Mac with HAProxy running and it exhibited no issues.

We have tried CentOS, Ubuntu 20.04, 18.04 and they all seem to exhibit this issue.

Our NAT to Windows on 80 and 443 seems to work just fine with zero issues.

Wondering if anyone has seen this issue before.

Thank you for any input anyone could provide.
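As an added example that is not part of this thread, a small Python triage script that parses ASA connection-teardown syslog lines (message ID 302014, which carries the "duration ... bytes 0 SYN Timeout" and "TCP Reset-O" reasons mentioned above) and flags inside hosts whose inbound flows keep ending in a zero-byte SYN timeout, i.e. the SYN was forwarded by the ASA but the host never answered. The log lines, interfaces and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Regex for the ASA connection-teardown syslog (message ID 302014), which
# carries the duration, byte count and teardown reason quoted in the thread.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# Constructed sample log lines (not from the thread); 192.0.2.10 plays the
# HAProxy host, 192.0.2.20 a host that keeps answering normally.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51234 to inside:192.0.2.10/443 duration 0:00:12 bytes 8432 TCP FINs
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.7/51240 to inside:192.0.2.10/80 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.7/51241 to inside:192.0.2.10/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.9/40001 to inside:192.0.2.10/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1005 for outside:198.51.100.9/40002 to inside:192.0.2.20/443 duration 0:00:45 bytes 20111 TCP FINs
"""

def parse_teardowns(log_text):
    """Yield one dict per parsed 302014 line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            yield d

def teardown_summary(log_text):
    """Count teardown reasons per inside host: {host: Counter(reason)}."""
    summary = defaultdict(Counter)
    for rec in parse_teardowns(log_text):
        summary[rec["dst"]][rec["reason"]] += 1
    return summary

def unresponsive_hosts(log_text, min_failures=2):
    """Inside hosts whose flows ended in 'SYN Timeout' with zero bytes at
    least min_failures times: the SYN was forwarded but never answered."""
    failures = Counter()
    for rec in parse_teardowns(log_text):
        if rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
            failures[rec["dst"]] += 1
    return sorted(h for h, n in failures.items() if n >= min_failures)

if __name__ == "__main__":
    for host, reasons in teardown_summary(SAMPLE_LOG).items():
        print(host, dict(reasons))
    print("hosts not answering SYNs:", unresponsive_hosts(SAMPLE_LOG))
```

Run it against a real ASA syslog export (for example `logging trap informational` output collected by a syslog server) to see at what time the backend host stops answering forwarded SYNs, which separates a host-side TCP stack problem from a NAT or proxy-arp problem on the ASA.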

5 Replies

balaji.bandi
Hall of Fame

It may sound like some proxy-arp issue, maybe, since we do not know how your reverse proxy (HAProxy) is configured.

Try no proxy-arp and see if that resolves it.

Example:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JimPliss52519
Level 1

We will test that and see what happens.

OK, so it looks like I had the no proxy-arp on the object, not on the NAT.

I removed the no proxy-arp on the object and added it to the NAT rule.

It appears the same issue exists, and once I reset the TCP stack on the Linux machine everything works for a while. No set time.

Just as an FYI, working on this issue we did set the keepalive on the Linux system:

net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 10


balaji.bandi
Hall of Fame

Linux HAProxy tweaking is also required, as you have done now; by doing that, is it resolved?

BB


I am not aware of any HAProxy tweaking needed. Can you point me to a link or some documentation that would help me with those tweaks needed?

These are the only tweaks we have made to the Linux OS:

net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 10
