NetBios SMB Packets do not pass

elecorbalan
Level 1

Hello,

I have configured IPSec VPN, and connections succeed, but the traffic is too slow.

I have realized that when the client accesses a shared folder on the server, it succeeds, but when I right-click to see the properties of a file, it takes at least 3 min to get the answer.

I have done a capture and I see that there are NetBios SMB packets that the ASA receives on the inside interface, but apparently the client doesn't receive these packets until 3 minutes later. I think something else is happening with the slow traffic for other applications.

My capture is:

1264: 12:15:12.870484 10.0.0.161.445 > 10.0.0.29.1140: . 777206108:777207368(1260) ack 837598730 win 5840
1265: 12:15:12.870590 10.0.0.161.445 > 10.0.0.29.1140: . 777207368:777208628(1260) ack 837598730 win 5840
1266: 12:15:12.870697 10.0.0.161.445 > 10.0.0.29.1140: . 777208628:777209888(1260) ack 837598730 win 5840
1267: 12:15:12.870743 10.0.0.161.445 > 10.0.0.29.1140: P 777209888:777210267(379) ack 837598730 win 5840
1268: 12:15:13.248964 10.0.0.29.1140 > 10.0.0.161.445: . ack 777208628 win 17640
1269: 12:15:13.249971 10.0.0.29.1140 > 10.0.0.161.445: . ack 777210267 win 17640
1270: 12:15:13.250124 10.0.0.29.1140 > 10.0.0.161.445: P 837598730:837598793(63) ack 777210267 win 17640
1271: 12:15:13.250643 10.0.0.161.445 > 10.0.0.29.1140: . 777210267:777211527(1260) ack 837598793 win 5840
1272: 12:15:13.250765 10.0.0.161.445 > 10.0.0.29.1140: . 777211527:777212787(1260) ack 837598793 win 5840
1273: 12:15:13.250872 10.0.0.161.445 > 10.0.0.29.1140: . 777212787:777214047(1260) ack 837598793 win 5840
1274: 12:15:13.250902 10.0.0.161.445 > 10.0.0.29.1140: P 777214047:777214426(379) ack 837598793 win 5840

Here is the configuration:

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 --.74.49 1
dynamic-access-policy-record DfltAccessPolicy
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy TunelVPN internal
group-policy TunelVPN attributes
 dns-server value 10.0.0.9
 vpn-tunnel-protocol IPSec
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

1 Reply

bwilmoth
Level 5

Use the ping command to check the network or find whether the application server is reachable from your network. It can be a problem with the maximum segment size (MSS) for transient packets that traverse a router or PIX/ASA device, specifically TCP segments with the SYN bit set.