Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9054
Views
0
Helpful
2
Replies

ASA Deny no connection flags RST on interface outside

Go to solution
vizvoxadmin
Level 1
Level 1

‎09-22-2017 11:32 AM - edited ‎03-18-2019 01:29 PM

Hello I have installed VCS Express 8.10.1, following basic configuration guide with Dual Nics. For network I have 2 ASAs one on the outside, one on the inside. I have configured both ASAs following the instructions from the Guide "ASA NAT Configuration and Recommendations for Expressway-E and Expressway-C Dual Network Interfaces Implementation. by Christian Hernandez and Cesar Lopez Zamarripa, Cisco TAC Engineers. "

 

When I try to login with my Jabber client from the outside I am seeing a 

""ASA Deny no connection from Jabber Public IP to Express Public IP flags RST on interface outside""

 

I have rebuild several times following exact steps, does anybody have a clue of where to look next?

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
vizvoxadmin
Level 1
Level 1
In response to Zoltan Kelemen

‎10-06-2017 09:24 AM

Thanks for the reply Zoltan, I was hesitant to reply right away, because though I knew you where right that this needs to be in the firewall group, I just really feel that it will be lost in the firewall group, if its directly releated to VCS. Which in this case it really was not even VCS or the ASA.

 

Heres my take on what happened and how I fixed it. I am no expert so feel free to correct me in my explaination. 

 

When the Jabber client connected to the outside VCSE, it passed down the chain finally ending up at the IMP server which when it tried to setup the user, it had no user for the sip domain, the VCSC was asking for, so in the mean time the Jabber client only know that it cannot connect the the server but still has a connection open, meanwhile the VCSE has already closed the connection, and the ASA now has a no connection attempt in its table.

 

How I fixed it was that my Domain was sip.local, but my imp server default domain was set to im.sip.local, which in the gui was Presence>Settings>Advanced Configuration it clearly showed that the default domain was set to "im.sip.local"meaning it was trying match Testuser@im.sip.local instead of Testuser@sip.local.

 

So I stopped the list of services, changed the Domain Name to "Sip.local" I also made sure that the "Enterprise Parameters"where set to Top Level Domain "sip.local " and FQDN was set to *.sip.local then I restarted the IMP server, and just like magic it worked. 

 

So it really was not an ASA problem, or a VCS problem, it was a IMP Domain configuration problem, but you will only see it, if it is misconfigured when you go to use your Jabber client Outside of the network. INSIDE the NETWORK, Jabber WORKED FINE, with the misconfiguration. Only when you are trying to use VCS for outside connectivity is when you will see this error on your ASA. Well of coarse unless you really do have a no connection table error that is. 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Zoltan Kelemen
Cisco Employee
Cisco Employee

‎09-25-2017 10:37 AM

Hi,

 

getting a RST on your firewall's public interface means the port is still firewalled.

I would suggest asking in the Security / Firewall community forums how to ensure the appropriate ports are open, NAT is configured correctly etc.

Depending on what service you are trying to use on your Expressways, there may be different port requirements. See this guide for details: Expressway IP Port Usage for Firewall Traversal Deployment guide, X8.10 version

As a sidenote, make sure that SIP (or H323) inspection is disabled for Expressway traffic. however if you are getting RST, you're still not there yet.

0 Helpful

Go to solution
vizvoxadmin
Level 1
Level 1
In response to Zoltan Kelemen

‎10-06-2017 09:24 AM

Thanks for the reply Zoltan, I was hesitant to reply right away, because though I knew you where right that this needs to be in the firewall group, I just really feel that it will be lost in the firewall group, if its directly releated to VCS. Which in this case it really was not even VCS or the ASA.

 

Heres my take on what happened and how I fixed it. I am no expert so feel free to correct me in my explaination. 

 

When the Jabber client connected to the outside VCSE, it passed down the chain finally ending up at the IMP server which when it tried to setup the user, it had no user for the sip domain, the VCSC was asking for, so in the mean time the Jabber client only know that it cannot connect the the server but still has a connection open, meanwhile the VCSE has already closed the connection, and the ASA now has a no connection attempt in its table.

 

How I fixed it was that my Domain was sip.local, but my imp server default domain was set to im.sip.local, which in the gui was Presence>Settings>Advanced Configuration it clearly showed that the default domain was set to "im.sip.local"meaning it was trying match Testuser@im.sip.local instead of Testuser@sip.local.

 

So I stopped the list of services, changed the Domain Name to "Sip.local" I also made sure that the "Enterprise Parameters"where set to Top Level Domain "sip.local " and FQDN was set to *.sip.local then I restarted the IMP server, and just like magic it worked. 

 

So it really was not an ASA problem, or a VCS problem, it was a IMP Domain configuration problem, but you will only see it, if it is misconfigured when you go to use your Jabber client Outside of the network. INSIDE the NETWORK, Jabber WORKED FINE, with the misconfiguration. Only when you are trying to use VCS for outside connectivity is when you will see this error on your ASA. Well of coarse unless you really do have a no connection table error that is. 

0 Helpful
Customers Also Viewed These Support Documents