
TCP Issue

Grizzelz
Level 1

Hi Cisco Team,

I know the answer to this question but reaching out as not sure what else the issue can be.

We have a customer who uses scanner guns on the environment. From a packet capture, say the gun is y.y.y.y and the destination is x.x.x.x on port 4003, we never ever receive a TCP FIN coming back from x.x.x.x.

Now we took the same capture and looked at other ports, and those connections from a TCP point of view work fine. I am very sure this is a remote side issue, but if the customer uses these devices at home or a device past the External Firewall it works fine.

To rule out the firewall we set up a permit IP rule for y.y.y.y to talk with x.x.x.x; this still did not sort the issue. We also set up SFR bypass on the Firepower module for y.y.y.y to any; again this did not resolve the issue, and tbh I would not have expected it to.

Does anyone have any other ideas, something maybe I have missed?

 

70: 15:45:49.512882 x.x.x.x.4003 > y.y.y.y.41470: . 2557994275:2557995642(1367) ack 3980043660 win 190 <nop,nop,timestamp 1340342376 2456367870>
71: 15:45:49.512897 x.x.x.x.4003 > y.y.y.y.41470: P 2557995642:2557996922(1280) ack 3980043660 win 190 <nop,nop,timestamp 1340342376 2456367870>
72: 15:45:49.515003 y.y.y.y.41470 > x.x.x.x.4003: . ack 2557995642 win 141 <nop,nop,timestamp 2456368684 1340342376>
73: 15:45:49.550630 y.y.y.y.41470 > x.x.x.x.4003: . ack 2557996922 win 147 <nop,nop,timestamp 2456368720 1340342376>
74: 15:45:49.568314 y.y.y.y.41470 > x.x.x.x.4003: P 3980043660:3980045027(1367) ack 2557996922 win 147 <nop,nop,timestamp 2456368738 1340342376>
75: 15:45:49.568436 y.y.y.y.41470 > x.x.x.x.4003: P 3980045027:3980045450(423) ack 2557996922 win 147 <nop,nop,timestamp 2456368738 1340342376>
76: 15:45:49.582214 x.x.x.x.4003 > y.y.y.y.41470: . ack 3980045450 win 271 <nop,nop,timestamp 1340342446 2456368738>
77: 15:45:49.586898 x.x.x.x.4003 > y.y.y.y.41470: P 2557996922:2557997328(406) ack 3980045450 win 271 <nop,nop,timestamp 1340342450 2456368738>
78: 15:45:49.588409 y.y.y.y.41470 > x.x.x.x.4003: . ack 2557997328 win 152 <nop,nop,timestamp 2456368758 1340342450>
79: 15:45:49.633786 y.y.y.y.41470 > x.x.x.x.4003: P 3980045450:3980046817(1367) ack 2557997328 win 152 <nop,nop,timestamp 2456368803 1340342450>
80: 15:45:49.633893 y.y.y.y.41470 > x.x.x.x.4003: P 3980046817:3980047240(

5 Replies

Can you share the packet tracer for this TCP traffic?

I cannot add this, I am afraid, but we did add a rule for the gun to any via IP and the packet tracer on the firewall confirmed we hit the rule we set up. We could also see IPS was being bypassed, as we added an SFR bypass rule to the ASA.

Hi

The communication I see in the logs is only part of the whole conversation. The right sequence for TCP is:

SYN, SYN+ACK, ACK

And the SYN if successful, or RST in case the destination refuses to communicate on that port.

That was the full conversation below. I do agree TCP does not look right; I don't think the issue is our end. Apart from bypassing the SFR, I can make the rule any more relaxed than it is.

 

Search "4003" (71 hits in 1 file of 1 searched)
new 21 (71 hits)
Line 1: 79: 15:45:49.633786 x.x.x.x.41470 > y.y.y.y.4003: P 3980045450:3980046817(1367) ack 2557997328 win 152 <nop,nop,timestamp 2456368803 1340342450>
Line 2: 80: 15:45:49.633893 x.x.x.x.41470 > y.y.y.y.4003: P 3980046817:3980047240(423) ack 2557997328 win 152 <nop,nop,timestamp 2456368803 1340342450>
Line 73: 59: 15:45:48.627378 x.x.x.x.41470 > y.y.y.y.4003: S 3980041633:3980041633(0) win 65535 <mss 1379,sackOK,timestamp 2456367796 0,nop,wscale 9>
Line 74: 60: 15:45:48.641278 y.y.y.y.4003 > x.x.x.x.41470: S 2557992479:2557992479(0) ack 3980041634 win 26847 <mss 1460,sackOK,timestamp 1340341505 2456367796,nop,wscale 8>
Line 75: 61: 15:45:48.644116 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557992480 win 128 <nop,nop,timestamp 2456367813 1340341505>
Line 76: 62: 15:45:48.647076 x.x.x.x.41470 > y.y.y.y.4003: P 3980041634:3980042144(510) ack 2557992480 win 128 <nop,nop,timestamp 2456367817 1340341505>
Line 77: 63: 15:45:48.660869 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980042144 win 110 <nop,nop,timestamp 1340341524 2456367817>
Line 78: 64: 15:45:48.661769 y.y.y.y.4003 > x.x.x.x.41470: P 2557992480:2557992908(428) ack 3980042144 win 110 <nop,nop,timestamp 1340341525 2456367817>
Line 79: 65: 15:45:48.663784 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557992908 win 131 <nop,nop,timestamp 2456367833 1340341525>
Line 80: 66: 15:45:48.700616 x.x.x.x.41470 > y.y.y.y.4003: P 3980042144:3980043511(1367) ack 2557992908 win 131 <nop,nop,timestamp 2456367870 1340341525>
Line 81: 67: 15:45:48.700738 x.x.x.x.41470 > y.y.y.y.4003: P 3980043511:3980043660(149) ack 2557992908 win 131 <nop,nop,timestamp 2456367870 1340341525>
Line 82: 68: 15:45:48.714501 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980043660 win 190 <nop,nop,timestamp 1340341578 2456367870>
Line 83: 69: 15:45:49.512867 y.y.y.y.4003 > x.x.x.x.41470: . 2557992908:2557994275(1367) ack 3980043660 win 190 <nop,nop,timestamp 1340342376 2456367870>
Line 84: 70: 15:45:49.512882 y.y.y.y.4003 > x.x.x.x.41470: . 2557994275:2557995642(1367) ack 3980043660 win 190 <nop,nop,timestamp 1340342376 2456367870>
Line 85: 71: 15:45:49.512897 y.y.y.y.4003 > x.x.x.x.41470: P 2557995642:2557996922(1280) ack 3980043660 win 190 <nop,nop,timestamp 1340342376 2456367870>
Line 86: 72: 15:45:49.515003 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557995642 win 141 <nop,nop,timestamp 2456368684 1340342376>
Line 87: 73: 15:45:49.550630 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557996922 win 147 <nop,nop,timestamp 2456368720 1340342376>
Line 88: 74: 15:45:49.568314 x.x.x.x.41470 > y.y.y.y.4003: P 3980043660:3980045027(1367) ack 2557996922 win 147 <nop,nop,timestamp 2456368738 1340342376>
Line 89: 75: 15:45:49.568436 x.x.x.x.41470 > y.y.y.y.4003: P 3980045027:3980045450(423) ack 2557996922 win 147 <nop,nop,timestamp 2456368738 1340342376>
Line 90: 76: 15:45:49.582214 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980045450 win 271 <nop,nop,timestamp 1340342446 2456368738>
Line 91: 77: 15:45:49.586898 y.y.y.y.4003 > x.x.x.x.41470: P 2557996922:2557997328(406) ack 3980045450 win 271 <nop,nop,timestamp 1340342450 2456368738>
Line 92: 78: 15:45:49.588409 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557997328 win 152 <nop,nop,timestamp 2456368758 1340342450>
Line 93: 79: 15:45:49.633786 x.x.x.x.41470 > y.y.y.y.4003: P 3980045450:3980046817(1367) ack 2557997328 win 152 <nop,nop,timestamp 2456368803 1340342450>
Line 94: 80: 15:45:49.633893 x.x.x.x.41470 > y.y.y.y.4003: P 3980046817:3980047240(423) ack 2557997328 win 152 <nop,nop,timestamp 2456368803 1340342450>
Line 95: 81: 15:45:49.647641 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980047240 win 351 <nop,nop,timestamp 1340342511 2456368803>
Line 96: 82: 15:45:49.649044 y.y.y.y.4003 > x.x.x.x.41470: P 2557997328:2557997734(406) ack 3980047240 win 351 <nop,nop,timestamp 1340342512 2456368803>
Line 97: 83: 15:45:49.650875 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557997734 win 157 <nop,nop,timestamp 2456368820 1340342512>
Line 98: 84: 15:45:49.689798 x.x.x.x.41470 > y.y.y.y.4003: P 3980047240:3980048607(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456368859 1340342512>
Line 99: 85: 15:45:49.689920 x.x.x.x.41470 > y.y.y.y.4003: P 3980048607:3980048990(383) ack 2557997734 win 157 <nop,nop,timestamp 2456368859 1340342512>
Line 100: 86: 15:45:49.703805 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980048990 win 425 <nop,nop,timestamp 1340342567 2456368859>
Line 112: 98: 15:45:54.705545 x.x.x.x.41470 > y.y.y.y.4003: P 3980048990:3980050357(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456373875 1340342567>
Line 113: 99: 15:45:54.705667 x.x.x.x.41470 > y.y.y.y.4003: P 3980050357:3980050830(473) ack 2557997734 win 157 <nop,nop,timestamp 2456373875 1340342567>
Line 114: 100: 15:45:54.719384 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980050830 win 425 <nop,nop,timestamp 1340347583 2456373875>
Line 115: 101: 15:45:59.767477 x.x.x.x.41470 > y.y.y.y.4003: P 3980050830:3980052197(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456378937 1340347583>
Line 116: 102: 15:45:59.767599 x.x.x.x.41470 > y.y.y.y.4003: P 3980052197:3980052670(473) ack 2557997734 win 157 <nop,nop,timestamp 2456378937 1340347583>
Line 117: 103: 15:45:59.781301 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980052670 win 425 <nop,nop,timestamp 1340352645 2456378937>
Line 125: 111: 15:46:04.777318 x.x.x.x.41470 > y.y.y.y.4003: P 3980052670:3980054037(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456383947 1340352645>
Line 126: 112: 15:46:04.777440 x.x.x.x.41470 > y.y.y.y.4003: P 3980054037:3980054510(473) ack 2557997734 win 157 <nop,nop,timestamp 2456383947 1340352645>
Line 127: 113: 15:46:04.791173 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980054510 win 425 <nop,nop,timestamp 1340357654 2456383947>
Line 130: 116: 15:46:09.795765 x.x.x.x.41470 > y.y.y.y.4003: P 3980054510:3980055877(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456388965 1340357654>
Line 131: 117: 15:46:09.795872 x.x.x.x.41470 > y.y.y.y.4003: P 3980055877:3980056300(423) ack 2557997734 win 157 <nop,nop,timestamp 2456388965 1340357654>
Line 132: 118: 15:46:09.809574 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980056300 win 425 <nop,nop,timestamp 1340362673 2456388965>
Line 154: 140: 15:46:14.803974 x.x.x.x.41470 > y.y.y.y.4003: P 3980056300:3980057667(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456393973 1340362673>
Line 155: 141: 15:46:14.804081 x.x.x.x.41470 > y.y.y.y.4003: P 3980057667:3980058090(423) ack 2557997734 win 157 <nop,nop,timestamp 2456393973 1340362673>
Line 156: 142: 15:46:14.817828 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980058090 win 425 <nop,nop,timestamp 1340367681 2456393973>
Line 157: 143: 15:46:19.864838 x.x.x.x.41470 > y.y.y.y.4003: P 3980058090:3980059457(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456399030 1340367681>
Line 158: 144: 15:46:19.864869 x.x.x.x.41470 > y.y.y.y.4003: P 3980059457:3980059880(423) ack 2557997734 win 157 <nop,nop,timestamp 2456399030 1340367681>
Line 159: 145: 15:46:19.879333 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980059880 win 425 <nop,nop,timestamp 1340372742 2456399030>
Line 160: 146: 15:46:24.940472 x.x.x.x.41470 > y.y.y.y.4003: P 3980059880:3980061247(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456404110 1340372742>
Line 161: 147: 15:46:24.940548 x.x.x.x.41470 > y.y.y.y.4003: P 3980061247:3980061720(473) ack 2557997734 win 157 <nop,nop,timestamp 2456404110 1340372742>
Line 162: 148: 15:46:24.954311 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980061720 win 425 <nop,nop,timestamp 1340377817 2456404110>
Line 262: 248: 15:47:53.020277 x.x.x.x.41470 > y.y.y.y.4003: P 3980061720:3980063087(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456492189 1340377817>
Line 263: 249: 15:47:53.020384 x.x.x.x.41470 > y.y.y.y.4003: P 3980063087:3980063430(343) ack 2557997734 win 157 <nop,nop,timestamp 2456492189 1340377817>
Line 264: 250: 15:47:53.034101 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980063430 win 425 <nop,nop,timestamp 1340465896 2456492189>
Line 273: 259: 15:47:58.073345 x.x.x.x.41470 > y.y.y.y.4003: P 3980063430:3980064797(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456497242 1340465896>
Line 274: 260: 15:47:58.073513 x.x.x.x.41470 > y.y.y.y.4003: P 3980064797:3980066128(1331) ack 2557997734 win 157 <nop,nop,timestamp 2456497242 1340465896>
Line 275: 261: 15:47:58.087245 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980066128 win 425 <nop,nop,timestamp 1340470949 2456497242>
Line 276: 262: 15:48:03.112634 x.x.x.x.41470 > y.y.y.y.4003: P 3980066128:3980067495(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456502282 1340470949>
Line 277: 263: 15:48:03.112710 x.x.x.x.41470 > y.y.y.y.4003: P 3980067495:3980067918(423) ack 2557997734 win 157 <nop,nop,timestamp 2456502282 1340470949>
Line 278: 264: 15:48:03.126504 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980067918 win 425 <nop,nop,timestamp 1340475988 2456502282>
Line 287: 273: 15:48:08.170386 x.x.x.x.41470 > y.y.y.y.4003: P 3980067918:3980069285(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456507338 1340475988>
Line 288: 274: 15:48:08.170477 x.x.x.x.41470 > y.y.y.y.4003: P 3980069285:3980069668(383) ack 2557997734 win 157 <nop,nop,timestamp 2456507338 1340475988>
Line 289: 275: 15:48:08.184179 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980069668 win 425 <nop,nop,timestamp 1340481046 2456507338>
Line 517: 140: 15:46:14.803974 x.x.x.x.41470 > y.y.y.y.4003: P 3980056300:3980057667(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456393973 1340362673>
Line 518: 141: 15:46:14.804081 x.x.x.x.41470 > y.y.y.y.4003: P 3980057667:3980058090(423) ack 2557997734 win 157 <nop,nop,timestamp 2456393973 1340362673>
Line 519: 142: 15:46:14.817828 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980058090 win 425 <nop,nop,timestamp 1340367681 2456393973>
Line 520: 143: 15:46:19.864838 x.x.x.x.41470 > y.y.y.y.4003: P 3980058090:3980059457(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456399030 1340367681>
Line 521: 144: 15:46:19.864869 x.x.x.x.41470 > y.y.y.y.4003: P 3980059457:3980059880(423) ack 2557997734 win 157 <nop,nop,timestamp 2456399030 1340367681>
Line 522: 145: 15:46:19.879333 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980059880 win 425 <nop,nop,timestamp 1340372742 2456399030>
Line 523: 146: 15:46:24.940472 x.x.x.x.41470 > y.y.y.y.4003: P 3980059880:3980061247(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456404110 1340372742>
Line 524: 147: 15:46:24.940548 x.x.x.x.41470 > y.y.y.y.4003: P 3980061247:3980061720(473) ack 2557997734 win 157 <nop,nop,timestamp 2456404110 1340372742>

These logs are probably the result of a filter, right? Because you cannot see the initiation or the end of the TCP session.

But communication both ways seems to be happening, as we can see here:

Line 519: 142: 15:46:14.817828 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980058090 win 425 <nop,nop,timestamp 1340367681 2456393973>
Line 520: 143: 15:46:19.864838 x.x.x.x.41470 > y.y.y.y.4003: P 3980058090:3980059457(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456399030 1340367681>

 the 4003 port as source and as destination
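An added example, not part of any post in this thread: a small parser for the ASA capture text format shown above that reports, per connection, whether the SYN and SYN+ACK were captured, which side (if any) sent a FIN or RST, and the longest idle gap. The names `summarize` and `SAMPLE` are made up for this sketch; the sample lines are an excerpt copied from the capture posted in the thread.

```python
import re
from datetime import datetime

# ASA "show capture" text line: "<n>: <time> <src>.<port> > <dst>.<port>: <flags> ..."
LINE = re.compile(
    r"\d+: (?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)(?P<rest>.*)")

def summarize(capture_text):
    """Per-connection summary: handshake seen, who sent FIN/RST, longest idle gap."""
    flows = {}
    for raw in capture_text.splitlines():
        m = LINE.search(raw)  # search() skips editor prefixes such as "Line 73: "
        if not m:
            continue
        src = f'{m["src"]}:{m["sport"]}'
        dst = f'{m["dst"]}:{m["dport"]}'
        flow = flows.setdefault(tuple(sorted((src, dst))), {
            "syn": False, "synack": False, "fin_from": set(), "rst_from": set(),
            "packets": 0, "last": None, "max_gap_s": 0.0})
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        if flow["last"] is not None:
            gap = (ts - flow["last"]).total_seconds()
            flow["max_gap_s"] = max(flow["max_gap_s"], gap)
        flow["last"] = ts
        flow["packets"] += 1
        flags = m["flags"]
        if "S" in flags:
            # A SYN that carries an ack number is the responder's SYN+ACK.
            flow["synack" if " ack " in m["rest"] else "syn"] = True
        if "F" in flags:
            flow["fin_from"].add(src)
        if "R" in flags:
            flow["rst_from"].add(src)
    return flows

# Excerpt copied from the capture posted in this thread (packets 59-61, 86, 98, 148, 248).
SAMPLE = """\
Line 73: 59: 15:45:48.627378 x.x.x.x.41470 > y.y.y.y.4003: S 3980041633:3980041633(0) win 65535 <mss 1379,sackOK,timestamp 2456367796 0,nop,wscale 9>
Line 74: 60: 15:45:48.641278 y.y.y.y.4003 > x.x.x.x.41470: S 2557992479:2557992479(0) ack 3980041634 win 26847 <mss 1460,sackOK,timestamp 1340341505 2456367796,nop,wscale 8>
Line 75: 61: 15:45:48.644116 x.x.x.x.41470 > y.y.y.y.4003: . ack 2557992480 win 128 <nop,nop,timestamp 2456367813 1340341505>
Line 100: 86: 15:45:49.703805 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980048990 win 425 <nop,nop,timestamp 1340342567 2456368859>
Line 112: 98: 15:45:54.705545 x.x.x.x.41470 > y.y.y.y.4003: P 3980048990:3980050357(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456373875 1340342567>
Line 162: 148: 15:46:24.954311 y.y.y.y.4003 > x.x.x.x.41470: . ack 3980061720 win 425 <nop,nop,timestamp 1340377817 2456404110>
Line 262: 248: 15:47:53.020277 x.x.x.x.41470 > y.y.y.y.4003: P 3980061720:3980063087(1367) ack 2557997734 win 157 <nop,nop,timestamp 2456492189 1340377817>
"""

if __name__ == "__main__":
    for pair, info in summarize(SAMPLE).items():
        print(pair, info)
```

Because the sample is an excerpt, some gaps between its lines come from omitted packets; run the function over the full capture text to get gaps that reflect the real traffic.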
