05-12-2011 07:27 AM - edited 03-06-2019 05:01 PM
Hi,
I am installing a new firewall, an ASA 5510, and I have a specific problem with an HTTP connection in the LAN to receive a video flow from a security camera.
Users usually receive the video flow via VLC using web access: http://ip_camera/axis-cgi/mjpg/video.cgi?resolution=320x2 ...
The problem is that:
- PC users using the ASA LAN interface as gateway can ping the video camera but don't receive the video flow. (Frames captured with Wireshark indicate: Acked Lost Segment or Broken TCP)
- On the contrary, PC users using another gateway can ping and receive the video flow. (Frames captured with Wireshark indicate: TCP segment of a reassembled PDU)
So I am wondering if the ASA has the possibility to fragment packets larger than the MTU for retransmission, because I think it's an ASA TCP problem. And what is the meaning of the "timeout tcp-proxy-reassembly" option?
I've already checked the ACL.
Thank you.
05-12-2011 09:52 AM
Hi,
Which OS version of ASA are you using?
Did you try to adjust tcp-mss on ASA?
HTH,
Toshi
05-12-2011 10:20 AM
TCP timeout reassembly: the packets waiting in the buffer for reassembly are dropped after the default time of 1 minute. You can increase this timer as per your needs using:
asa(config)#timeout tcp-proxy-reassembly ?
Please post the show logging output with these errors; it could be possible that large (fragmented) packets are waiting to be reassembled for longer than one minute and are being dropped.
Manish
05-13-2011 01:29 AM
Hi,
I am using ASA 8.2 and I didn't try to adjust tcp-mss.
I have just read that the MSS range is from 500 to 1460. What is the default value when we don't adjust this parameter? And what's the correct value I should set according to my problem?
Thanks.
05-13-2011 12:00 PM
Hi,
The default value is 1380. I just want you to try the following command.
!
ASA(config)# sysopt connection tcpmss 1200
!
You might read the following document already.
Ref: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
HTH,
Toshi
05-16-2011 02:17 AM
OK, I will try.
However, I don't have this message in the ASDM logs:
%ASA-4-419001: Dropping TCP packet from outside:192.168.x.x/80 to
inside:192.168.x.x/1025, reason: MSS exceeded, MSS 460, data 1440
So I don't know yet if it is really an MSS problem...
I've read a document which explains that the tcpmss command forces the size of the TCP segments to a small value during TCP's initialization sequence.
If the problem goes on, I should set a lower value than 1200, shouldn't I?
What about the value "exceed-mss allow"? I don't really understand the difference.
Thank you.
05-16-2011 03:07 AM
I would start with ASA's inspection profile:
service-policy global_policy global
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect http
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
Disable any HTTP inspection; then use the capture feature on the ASA and see what really happens when using that video flow/stream.
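The steps suggested above, written out as an added ASA CLI walkthrough (this is not configuration posted by anyone in the thread). It assumes the interface names "inside" (PC side, 192.168.1.121) and "outside" (camera side, 192.168.4.20), which is what the 419001 message quoted earlier implies; the client source port in the packet-tracer line is a placeholder.

```cisco
! Assumed interface names: "inside" (PC 192.168.1.121) and "outside"
! (camera 192.168.4.20). Adjust to your own topology.

! 1. Take HTTP inspection out of the default policy; everything else stays.
policy-map global_policy
 class inspection_default
  no inspect http

! 2. Capture the camera flow on both interfaces, so you can compare what the
!    ASA received with what it actually forwarded.
capture cam_in  interface inside  match tcp host 192.168.1.121 host 192.168.4.20 eq www
capture cam_out interface outside match tcp host 192.168.1.121 host 192.168.4.20 eq www
! Also record every packet the ASA itself dropped, together with the reason.
capture cam_drop type asp-drop all

! 3. Reproduce the problem from the PC, then read the captures and the
!    connection table. A SYN seen on "inside" that never appears on "outside",
!    or a SYN/ACK that never comes back through "outside", points at the path,
!    not at the TCP options.
show capture cam_in detail
show capture cam_out detail
show capture cam_drop
show conn address 192.168.4.20
show asp drop

! 4. Simulate the client's SYN through the policy (1025 is a placeholder port).
packet-tracer input inside tcp 192.168.1.121 1025 192.168.4.20 80

! Related knobs discussed in the thread, shown at their 8.2 defaults.
sysopt connection tcpmss 1380
timeout tcp-proxy-reassembly 0:01:00
```

Remove the captures with `no capture cam_in` (and the same for the other two) once you are done; an asp-drop capture on a busy box fills quickly. Because the working PCs got an ICMP redirect from 192.168.1.254 while the failing ones did not, comparing cam_in with cam_out is the quickest way to see whether the camera's replies are returning through the ASA at all.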
05-25-2011 08:32 AM
Hi,
HTTP inspection is disabled. I changed several TCP parameters such as tcpmss, ip fragment and timeout tcp-proxy-reassembly, but it is still the same problem, and I attached the logs captured with ASDM.
This is the ASDM error log message:
106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
The adaptive security appliance discarded a TCP packet that has no associated connection in the adaptive security appliance connection table. The adaptive security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the adaptive security appliance discards the packet.
I don't understand why I can't connect to the camera web interface with HTTP whereas I can ping it.
Any other ideas?
Thank you.
05-25-2011 05:19 PM
Hi,
Can I be a bit pedantic and ask if the rules are properly applied? I mean, the ACLs for the respective ports are applied to the right interface.
Can you telnet to that box using port 80 from those machines? ICMP is generally allowed to test L3 reachability.
HTH
Regards,
Kishore
05-26-2011 01:32 AM
Yes, the ACLs are correct. I used packet-tracer. ICMP and HTTP are allowed.
I didn't try telnet to the camera using port 80.
05-26-2011 01:40 AM
Can you please try to telnet using port 80 and see the logs on the ASA?
Just type " telnet
05-26-2011 05:41 AM
OK, but what's the purpose of knowing the result of this command?
05-31-2011 07:43 AM
I am analysing the frames when it works and when it doesn't work. There is one parameter that changes: "Window Scale".
192.168.1.121 192.168.4.20 TCP 49741 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
192.168.1.254 192.168.1.121 (ICMP Redirect for Host)
192.168.4.20 192.168.1.121 TCP http > 49741 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=1
In the frame detail:
Window Scale: 2 (multiply by 4)
I don't have this parameter in the frame when it doesn't work:
192.168.1.121 192.168.4.20 TCP l2f > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
192.168.4.20 192.168.1.121 TCP [TCP Acked Lost Segment] http > l2f [SYN, ACK] Seq=0 Ack=1278274611 Win=5840 Len=0 MSS=1460
Is it possible that the ASA blocks the Window Scale option?
Thank You.
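An added Python example, not code from anyone in the thread, that compares the two handshakes quoted above the way a practitioner would before blaming a TCP option. The sample capture lines are constructed to match the post (Wireshark summary format with relative sequence numbers). It checks two things: whether window scaling was actually negotiated (it only takes effect when both SYN and SYN/ACK carry the WS option, so a missing WS is not by itself a failure), and whether the SYN/ACK acknowledges the client's own ISN + 1. In the failing trace it does not: the ack is 1278274611 against a SYN at relative sequence 0, which means the SYN/ACK the client received answers a SYN the client never sent. That is the pattern you get when a device on the forward path rewrites initial sequence numbers (the ASA does this by default) and the reply takes a different path back, so the rewrite is never undone; the thread does not confirm this, so treat it as a hypothesis to test with captures on both sides of the ASA.

```python
import re

# Constructed sample capture, modelled on the two client-side handshakes
# quoted in the thread (Wireshark summary format, relative sequence numbers).
WORKING_HANDSHAKE = """\
192.168.1.121 192.168.4.20 TCP 49741 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
192.168.4.20 192.168.1.121 TCP http > 49741 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=1
"""

BROKEN_HANDSHAKE = """\
192.168.1.121 192.168.4.20 TCP l2f > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
192.168.4.20 192.168.1.121 TCP [TCP Acked Lost Segment] http > l2f [SYN, ACK] Seq=0 Ack= 1278274611 Win=5840 Len=0 MSS=1460
"""

# Only the handshake flags matter here; other bracketed text such as
# "[TCP Acked Lost Segment]" is Wireshark's own annotation and is skipped.
_FLAGS = re.compile(r"\[(SYN,\s*ACK|SYN)\]")
_FIELD = re.compile(r"\b(Seq|Ack|Win|Len|MSS|WS)=\s*(\d+)", re.IGNORECASE)


def parse_summary(line):
    """Turn one Wireshark summary line into a dict, or None if not SYN/SYN-ACK."""
    parts = line.split()
    flags = _FLAGS.search(line)
    if len(parts) < 3 or flags is None:
        return None
    fields = {k.upper(): int(v) for k, v in _FIELD.findall(line)}
    return {"src": parts[0], "dst": parts[1],
            "flags": flags.group(1).replace(" ", ""), **fields}


def analyse_handshake(text):
    """Compare the SYN and SYN/ACK of one client-side capture.

    window_scaling  True only if BOTH sides sent a WS option (RFC 7323:
                    scaling is in effect only when both SYNs carry it)
    client_window   the client's effective receive window in bytes
    server_window   the server's effective receive window in bytes
    ack_consistent  True if the SYN/ACK acknowledges exactly SYN.seq + 1
    mss             the segment size the client will use (smaller offer wins)
    """
    pkts = [p for p in (parse_summary(l) for l in text.splitlines()) if p]
    syn = next(p for p in pkts if p["flags"] == "SYN")
    synack = next(p for p in pkts if p["flags"] == "SYN,ACK")
    if synack["dst"] != syn["src"] or synack["src"] != syn["dst"]:
        raise ValueError("SYN/ACK does not belong to this SYN")
    scaling = "WS" in syn and "WS" in synack
    # WS is a shift count: "WS=2" means the window is multiplied by 2**2 = 4,
    # which is the "(multiply by 4)" detail quoted in the thread.
    client_shift = syn["WS"] if scaling else 0
    server_shift = synack["WS"] if scaling else 0
    return {
        "window_scaling": scaling,
        "client_window": syn["WIN"] << client_shift,
        "server_window": synack["WIN"] << server_shift,
        "ack_consistent": synack["ACK"] == syn["SEQ"] + 1,
        "mss": min(syn["MSS"], synack["MSS"]),
    }


def diagnose(text):
    """List the problems found in one handshake; an empty list means it is clean."""
    r = analyse_handshake(text)
    problems = []
    if not r["ack_consistent"]:
        problems.append(
            "SYN/ACK acknowledges a sequence number the client never sent; "
            "if a firewall on the path rewrites ISNs, verify the reply "
            "returns through that same device")
    if not r["window_scaling"]:
        problems.append("window scaling not negotiated (WS missing on one side)")
    return problems


if __name__ == "__main__":
    for name, trace in (("working", WORKING_HANDSHAKE), ("broken", BROKEN_HANDSHAKE)):
        print(name, analyse_handshake(trace), diagnose(trace))
```

The order of the two checks is deliberate: a wrong acknowledgement number kills the connection outright (the client answers with a RST or ignores the SYN/ACK, which is exactly what Wireshark labels "Acked Lost Segment"), whereas a missing WS option only limits throughput to the unscaled window. Fix the first finding before spending time on the second.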
05-04-2012 11:21 AM
avb avb,
Did you ever find a solution?
Thanks,
AA