icmp works through vpn-tunnel, everything else SYN timeouts

Andre Eidmark
Level 1

Hello,

hey guys. I'm having some trouble with a VPN connection I'm trying to set up. The tunnel itself is up and running fine. I can ping over it, but all other traffic ends with a SYN timeout. Same thing both ways. In the logs I can see the connection being made on the originating side, and I can see it on the receiving end, but it still ends in a SYN timeout. Anyone got any ideas about that? ASAs are terminating both ends of the tunnel.

These are 2 "show connections". One from each ASA. They are not from the same session, but they show the correct flags.

TCP outside x.x.x.x:22 inside y.y.y.y:7185, idle 0:00:01, bytes 0, flags A

TCP outside y.y.y.y:58955 inside x.x.x.x:22, idle 0:00:06, bytes 0, flags aB

These are log messages from both sides of the tunnel: one build message, and the teardown message for the same session, but on the other side of the tunnel.

x.x.x.x  37660   y.y.y.y  22   Built inbound TCP connection 22697 for outside:y.y.y.y/37660 (y.y.y.y/37660) to inside:x.x.x.x/22 (192.168.1.7/22)

y.y.y.y  22   y.y.y.y  37660  Teardown TCP connection 205102 for outside:x.x.x.x/22 to inside:y.y.y.y/37660 duration 0:00:30 bytes 0 SYN Timeout

access-list outside_in extended permit tcp x.x.x.0 255.255.255.0 host y.y.y.100 eq www

nat (inside,outside) source static any any destination static Jobb Jobb         ### ("Jobb" = y.y.y.y)

access-list outside_cryptomap extended permit ip x.x.x.0 255.255.255.0 y.y.0.0 255.255.0.0

(This is what I consider the relevant config from one of the ASAs, but it is "the same" on the other.)

I'm not sure if you need to see anything else from my config(s), but if so let me know which parts, and I'll paste them in here.

Any help is much appreciated.

regards

André
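The "show conn" flags and the Built/Teardown syslog lines quoted above carry the whole diagnosis: a connection torn down with "SYN Timeout" and "bytes 0" never completed its three-way handshake through that ASA, and the flag letters say which half of the handshake was still outstanding ("aB" is an initial SYN from outside, awaiting the outside host's ACK to the inside host's SYN-ACK). The following parser is an added example, not code from the thread or from Cisco; it pulls the connection events out of ASDM-style log lines (using the redacted lines from this post plus one constructed healthy session as sample input) and reports the sessions that died waiting for the handshake, which is the pattern to look for before chasing the VPN itself.

```python
import re
from typing import Dict, List, Optional

# Subset of ASA "show conn" TCP flag letters that describe the state of the
# three-way handshake (the full legend is in the ASA command reference).
CONN_FLAGS = {
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "U": "up (three-way handshake completed)",
    "I": "inbound data",
    "O": "outbound data",
}

# Message text of the ASA "Built"/"Teardown" TCP connection syslogs. The
# thread redacts addresses as x.x.x.x / y.y.y.y, so the IP pattern accepts
# letters as well as digits.
_ENDPOINT = r"(?P<{p}_if>\w+):(?P<{p}_ip>[\w.]+)/(?P<{p}_port>\d+)"
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) for "
    + _ENDPOINT.format(p="src") + r" \([\w.]+/\d+\) to "
    + _ENDPOINT.format(p="dst") + r" \([\w.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    + _ENDPOINT.format(p="src") + r" to " + _ENDPOINT.format(p="dst")
    + r" duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    + r"(?: (?P<reason>.+))?$"
)

# Constructed sample: the two redacted lines quoted in the post plus one
# healthy HTTP session, in the column layout the post uses.
SAMPLE_LOG = [
    "x.x.x.x  37660   y.y.y.y  22   Built inbound TCP connection 22697 for outside:y.y.y.y/37660 (y.y.y.y/37660) to inside:x.x.x.x/22 (192.168.1.7/22)",
    "y.y.y.y  22   y.y.y.y  37660  Teardown TCP connection 205102 for outside:x.x.x.x/22 to inside:y.y.y.y/37660 duration 0:00:30 bytes 0 SYN Timeout",
    "x.x.x.x  40000  y.y.y.y  80  Built inbound TCP connection 300001 for outside:x.x.x.x/40000 (x.x.x.x/40000) to inside:y.y.y.y/80 (y.y.y.y/80)",
    "x.x.x.x  40000  y.y.y.y  80  Teardown TCP connection 300001 for outside:x.x.x.x/40000 to inside:y.y.y.y/80 duration 0:00:02 bytes 5120 TCP FINs",
]


def explain_flags(flags: str) -> List[str]:
    """Expand a 'show conn' flag string such as 'aB' into its meanings."""
    return [CONN_FLAGS.get(f, f"unknown flag '{f}'") for f in flags]


def parse_conn_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one Built/Teardown TCP line; returns None for any other message."""
    line = line.strip()
    m = BUILT_RE.search(line)
    if m:
        ev: Dict[str, object] = dict(m.groupdict())
        ev["event"] = "built"
    else:
        m = TEARDOWN_RE.search(line)
        if not m:
            return None
        ev = dict(m.groupdict())
        ev["event"] = "teardown"
        ev["bytes"] = int(m.group("bytes"))
    ev["id"] = int(m.group("id"))
    ev["src_port"] = int(m.group("src_port"))
    ev["dst_port"] = int(m.group("dst_port"))
    return ev


def find_syn_timeouts(lines: List[str]) -> List[Dict[str, object]]:
    """Teardowns with reason 'SYN Timeout' and zero bytes: the handshake was
    never completed, so the SYN-ACK or the final ACK did not come back
    through this ASA (check the return path before suspecting the tunnel)."""
    stuck = []
    for line in lines:
        ev = parse_conn_event(line)
        if (ev and ev["event"] == "teardown"
                and ev["reason"] == "SYN Timeout" and ev["bytes"] == 0):
            stuck.append(ev)
    return stuck


def report(lines: List[str]) -> None:
    for ev in find_syn_timeouts(lines):
        print(f"conn {ev['id']}: {ev['src_if']}:{ev['src_ip']}/{ev['src_port']} -> "
              f"{ev['dst_if']}:{ev['dst_ip']}/{ev['dst_port']} "
              f"torn down after {ev['duration']} without completing the handshake")


if __name__ == "__main__":
    report(SAMPLE_LOG)
    print("flags aB:", ", ".join(explain_flags("aB")))
```

Run against a full syslog export from both ASAs, a session that shows up as a SYN Timeout on one box but as a normal teardown on the other points at the hop in between, which is the return-path question raised in the replies below.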

2 Replies

Jennifer Halim
Cisco Employee

SYN timeout is more of a layer 4 issue, not being able to build the TCP connection. Is the host at the remote end actually getting the SYN packet? Is it replying with SYN-ACK? Or is the SYN-ACK being routed through the correct path (back towards the ASA)?

If ping works fine through the tunnel, it doesn't seem to be a VPN issue.

Apart from SSH, have you tried any other application through the tunnel? Does any other application work?

Hello Jennifer, and thanks for your reply.

I have been doing some checking and I can see that ACKs leave the server on "site x", but I never receive them on "y". I only have access to tcpdump on both client ends, but from that I can tell that ACKs are sent from the SSH server, but never received by the initiator of the session. The network on this side is very simple (my home network), so it only has one subnet on the inside, and thus only one default route.

Site y is more complex though, but I have tried simplifying a little for the purpose of finding the error. So the setup there is an ASA currently running an AnyConnect VPN setup, and also this site-to-site tunnel I'm trying to set up. This ASA also has a fairly simple routing table: one outside public side and one inside private. The server I'm testing against is on this inside private network. This side is most likely where my problem is, because when I try accessing the webserver on this side, I do not even see the SYNs from the client trying to make the connection. Ping works this way too, though.

The ASA on this (y) side reports:

x.x.x.x    59761    y.y.y.y    80    Built inbound TCP connection  258509 for outside:x.x.x.x/59761 (x.x.x.x/59761) to inside:y.y.y.y/80  (y.y.y.y/80)

I see the same pattern when trying TFTP from x to y, only this is UDP, so no SYNs or ACKs, but also no connection.

I am currently trying to figure out why/where my traffic is sent wrong or dropped or whatever.

I am also going to try this with a clean ASA on side "y", to see if I get the same behaviour then.

Any ideas are welcome

regards

André