02-21-2011 03:26 AM
Hi everyone,
I have a site-to-site connection from my office that is established already.
I can ping and connect via other ports I opened for access, but I can't connect via RDP to the same machine I can ping.
02-21-2011 03:29 AM
Could be an MSS issue, what is the device that terminate the VPN tunnel?
If it's a router, you can configure "ip tcp adjust-mss 1300" on the LAN interface.
If it's an ASA firewall, you can configure "sysopt connection tcpmss 1300"
Hope that helps.
02-21-2011 03:29 AM
Feb 21 10:52:22 10.120.0.2 :%ASA-session-2-106001: Inbound TCP connection denied from 10.120.3.31/59544 to 192.168.34.6/3389 flags SYN on interface LAN_Local
I get the error above from my inside interface when I try to connect via RDP. I have opened up the access list and still can't get it to work.
I also captured the packets on the firewall to see if anyone can help me interpret it better and tell me what can be wrong.
An urgent reply will be appreciated.
Regards
Kolade
02-21-2011 03:33 AM
Can you please share the full access-list that is applied to the inside interface?
02-21-2011 03:43 AM
Hi jennifer,
I tried the MSS command on the inside interface since it is an ASA firewall, but it still doesn't work.
Below is the access-list on the interface:
access-list LAN_Local_access_in extended permit ip any host 10.1.163.2
access-list LAN_Local_access_in extended permit ip any host 10.1.16.1
access-list LAN_Local_access_in extended deny ip any MEL-LAN 255.255.0.0
access-list LAN_Local_access_in extended permit ip any host 10.120.1.110
access-list LAN_Local_access_in extended permit ip host 10.120.1.110 any
access-list LAN_Local_access_in extended permit ip host 10.120.128.11 any
access-list LAN_Local_access_in extended permit ip any any
access-list LAN_Local_access_out extended permit ip host 10.1.16.1 any
access-list LAN_Local_access_out extended permit ip any any
access-list LAN_Local_access_out extended deny ip MEL-LAN 255.255.0.0 any
access-list LAN_Local_access_out extended deny ip any MEL-LAN 255.255.0.0
02-21-2011 03:50 AM
Not sure why it's denied from the interface.
Sorry, but I would need to have a look at the full configuration as it doesn't make sense.
BTW, if we are still seeing the Deny TCP SYN error log as you attempt to RDP, then the issue is not MSS, so you can ignore my first post.
02-21-2011 04:54 AM
Attached is the ASA config.
Does my packet capture makes any sense or of any use ?
Thanks for your help
02-21-2011 07:38 AM
You removed the names section in your config, so it's hard to tell what is happening, but I suspect a problem with the vpn-filter config. Does it work if you remove the vpn-filter from your group-policy?
group-policy
no vpn-filter value VPN-ELXSI-Partner
-heather
02-21-2011 07:45 AM
Hiya,
Do you mean the object groups?
Here they are:
object-group network STV-LANs
network-object 10.120.0.0 255.255.0.0
network-object 89.0.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
network-object 10.120.0.0 255.255.0.0
network-object 89.0.0.0 255.255.0.0
object-group service VNC-TCP tcp
port-object eq 5500
port-object eq 5800
port-object eq 5900
object-group service Proxy tcp
port-object eq 8080
object-group service ProxyInternet tcp
port-object eq 8080
object-group service ActiveDirectory tcp-udp
port-object eq 1025
port-object eq 1026
port-object eq 135
port-object eq 137
port-object eq 138
port-object eq 139
port-object eq 389
port-object eq 445
port-object eq 88
port-object eq domain
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
group-object ActiveDirectory
group-object VNC-TCP
object-group service DM_INLINE_TCP_3 tcp
group-object ActiveDirectory
group-object VNC-TCP
object-group service DM_INLINE_TCP_4 tcp
group-object ActiveDirectory
group-object VNC-TCP
object-group network Clearcase_Servers
network-object host STV-Clearcase
network-object host UKCC03
network-object host UKCC01
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
object-group icmp-type svc_ICMP_types_allowed
description Security - ICMP types allowed in this network
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo-reply
group-object svc_ICMP_types_allowed
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo-reply
group-object svc_ICMP_types_allowed
object-group network STV_FLANS
description Stevenage Firewalled LANs
I have tried the no vpn-elxsi-partner and used the default group policy that works for other vpn but still same issue.
Thanks
02-21-2011 08:01 AM
You did this on the ARXX-EMEA-ELXSI policy right? You should disable the tunnel while you make the change to the filter and then bring it back up.
group-policy ARXX-EMEA-ELXSI attributes
no vpn-filter value VPN-ELXSI-Partner
The object groups you pasted have no information about the following names/objects that are used in your crypto map and your vpn filter:
ELXSI_LAN
UKCQ01
-heather
02-21-2011 08:25 AM
I can't disable the tunnel till later at night as it is up and people are working on it.
I will try this later at night and let you know, thanks.
The ELXSI_LAN is the 192.168.34.0/24 where one of the hosts I am trying to RDP into resides.
The UKCQ01 is a server in my own LAN subnet 10.120.x.x/16.
02-22-2011 12:56 AM
I have tried applying the default group policy to it and it works well.
So I guess it is a problem with my access-list for the vpn-elxsi-partner; I still can not figure it out though.
Can you help me take a look at this? These are the access-lists applied to the session.
The following ACL is being applied to this session:
access-list VPN-ELXSI-Partner; 13 elements; name hash: 0x6524c6f6
access-list VPN-ELXSI-Partner line 1 extended permit ip 10.120.171.0 255.255.255.0 ELXSI_LAN 255.255.255.0 (hitcnt=0) 0x057ce01e
access-list VPN-ELXSI-Partner line 2 extended permit ip ELXSI_LAN 255.255.255.0 10.120.171.0 255.255.255.0 (hitcnt=666) 0x8478b28d
access-list VPN-ELXSI-Partner line 3 extended permit tcp ELXSI_LAN 255.255.255.0 host UKCQ01 object-group DM_INLINE_TCP_8 0xd0c33280
access-list VPN-ELXSI-Partner line 3 extended permit tcp ELXSI_LAN 255.255.255.0 host UKCQ01 eq www (hitcnt=0) 0x9da27d12
access-list VPN-ELXSI-Partner line 3 extended permit tcp ELXSI_LAN 255.255.255.0 host UKCQ01 eq https (hitcnt=0) 0xffd80f08
access-list VPN-ELXSI-Partner line 4 extended permit tcp any any object-group RDP 0xcef694ab
access-list VPN-ELXSI-Partner line 4 extended permit tcp any any eq 3389 (hitcnt=1) 0xb2040fa1
access-list VPN-ELXSI-Partner line 5 extended permit icmp any any object-group svc_ICMP_types_allowed 0x7f6fdf17
access-list VPN-ELXSI-Partner line 5 extended permit icmp any any echo (hitcnt=2079) 0xd434ef06
access-list VPN-ELXSI-Partner line 5 extended permit icmp any any echo-reply (hitcnt=1166) 0x7329f9ab
access-list VPN-ELXSI-Partner line 5 extended permit icmp any any time-exceeded (hitcnt=0) 0x0af27727
access-list VPN-ELXSI-Partner line 5 extended permit icmp any any unreachable (hitcnt=0) 0xec5ac766
access-list VPN-ELXSI-Partner line 6 extended permit tcp host 192.168.34.6 host STV-FTP object-group DM_INLINE_TCP_9 0xbc45dfb7
access-list VPN-ELXSI-Partner line 6 extended permit tcp host 192.168.34.6 host STV-FTP eq ftp (hitcnt=0) 0x4edb5f88
access-list VPN-ELXSI-Partner line 6 extended permit tcp host 192.168.34.6 host STV-FTP eq ftp-data (hitcnt=0) 0x5c99b6c1
access-list VPN-ELXSI-Partner line 7 extended permit tcp host STV-FTP host 192.168.34.6 object-group DM_INLINE_TCP_10 0xe54e2bf7
access-list VPN-ELXSI-Partner line 7 extended permit tcp host STV-FTP host 192.168.34.6 eq ftp (hitcnt=0) 0xd5d7e5b4
access-list VPN-ELXSI-Partner line 7 extended permit tcp host STV-FTP host 192.168.34.6 eq ftp-data (hitcnt=0) 0xdf8153e8
Thank you
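As an added illustration (not from the thread or from Cisco), a small Python model of how the ASA evaluates a vpn-filter ACL: per the ASA configuration guide, the filter is always matched with the tunnel peer as source and the local host as destination, whichever side opened the connection, so a local client reaching a remote server on 3389 needs the port on the source side of the entry. The ACL below is a simplified transcription of the VPN-ELXSI-Partner permits pasted above (ELXSI_LAN expanded to 192.168.34.0/24 as stated earlier in the thread); the corrected entry is hypothetical, and the flow comes from the syslog line quoted at the start of the thread.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    """One permit entry in vpn-filter orientation: src = tunnel side, dst = local side."""
    src_net: str
    src_port: Optional[int]   # port on the remote end (None = any)
    dst_net: str
    dst_port: Optional[int]   # port on the local end (None = any)

# Simplified transcription of the VPN-ELXSI-Partner TCP/IP permits pasted above
# (ELXSI_LAN expanded to 192.168.34.0/24, as the thread states).
VPN_FILTER = [
    Ace("10.120.171.0/24", None, "192.168.34.0/24", None),   # line 1
    Ace("192.168.34.0/24", None, "10.120.171.0/24", None),   # line 2
    Ace("0.0.0.0/0", None, "0.0.0.0/0", 3389),               # line 4: any any eq 3389
]

# Hypothetical fix: let any 10.120.0.0/16 host reach ELXSI_LAN on 3389.
# In vpn-filter orientation the remote RDP server is the source, so the
# port belongs on the source side of the entry.
CORRECTED = VPN_FILTER + [Ace("192.168.34.0/24", 3389, "10.120.0.0/16", None)]

def vpn_filter_permits(acl, local_ip, local_port, remote_ip, remote_port):
    """Evaluate a vpn-filter ACL against one TCP flow. The filter is applied
    with the tunnel peer as source and the local host as destination no
    matter which side initiated; no matching entry means implicit deny."""
    src, dst = ipaddress.ip_address(remote_ip), ipaddress.ip_address(local_ip)
    for ace in acl:
        if (src in ipaddress.ip_network(ace.src_net)
                and dst in ipaddress.ip_network(ace.dst_net)
                and ace.src_port in (None, remote_port)
                and ace.dst_port in (None, local_port)):
            return True
    return False

# Flow from the syslog line in the thread: 10.120.3.31/59544 -> 192.168.34.6/3389
OUTBOUND_RDP = dict(local_ip="10.120.3.31", local_port=59544,
                    remote_ip="192.168.34.6", remote_port=3389)
# Constructed reverse case: a remote host opening RDP to a local host.
INBOUND_RDP = dict(local_ip="10.120.3.31", local_port=3389,
                   remote_ip="192.168.34.6", remote_port=50000)

if __name__ == "__main__":
    for name, acl in (("as posted", VPN_FILTER), ("corrected", CORRECTED)):
        print(name, "outbound RDP:", vpn_filter_permits(acl, **OUTBOUND_RDP),
              "inbound RDP:", vpn_filter_permits(acl, **INBOUND_RDP))
```

With the ACL as posted, the model denies the outbound RDP flow from the log (neither line 1/2 covers 10.120.3.31, and line 4's port sits on the local side) while permitting remote-initiated RDP; the extra entry permits the outbound case.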