09-11-2012 12:04 PM
Hello, I know there are a lot of topics about this subject, but I have been reading for the past 2 weeks and I can't find my solution.
My Cisco VPN client connects to the ASA 5510 and everything looks good, but when I try to send traffic (RDP) it never connects and the logs show a SYN timeout. Here is my configuration; I really appreciate any help.
ASA Version 8.2(1)
!
hostname xxx
domain-name xxxx
enable password g.wfzl577L4IVnRL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.199.135.x 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.x 255.255.255.0
!
interface Ethernet0/2
no nameif
security-level 100
ip address 192.168.30.x 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx
name-server xx
domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended deny ip object-group Deny_Access any
access-list inbound extended permit tcp any object-group web-servers object-group web-ports
access-list inbound extended permit tcp 209.200.128.0 255.255.192.0 host 201.199.135.x object-group web-ports
access-list outbound extended permit ip object-group trusted any
access-list outbound extended permit tcp object-group web-servers any object-group web-ports
access-list outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group general-access
access-list outbound extended permit tcp host 201.199.135.xx any object-group web-ports
access-list inside_access_in extended permit ip object-group trusted any log disable
access-list inside_access_in extended permit ip object-group DNS-Servers any log disable
access-list inside_access_in extended permit udp host WEB3 any eq ntp inactive
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ISA_access_in extended permit object-group Ports host 192.168.30.7 any
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging list configLog level debugging class auth
logging list configLog level debugging class config
logging list system-IDSLog level informational class ids
logging list system-IDSLog level informational class sys
logging buffer-size 10000
logging asdm informational
logging from-address xxxx
logging recipient-address xxxxx level notifications
no logging message 111008
no logging message 111007
mtu outside 1500
mtu inside 1500
mtu ISA 1500
mtu management 1500
ip local pool VPN-POOL 192.168.3.2-192.168.3.254 mask 255.255.255.0
ip audit name attackPolicy attack action alarm drop
ip audit name antiSnifferPolicy info action drop
ip audit interface outside attackPolicy
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ISA) 1 201.199.135.xx netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (ISA) 1 192.168.30.0 255.255.255.0
static (inside,outside) 201.199.xxx.xx WEB3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group ISA_access_in in interface ISA
route outside 0.0.0.0 0.0.0.0 201.199.135.113 1
route inside 0.0.0.0 0.0.0.0 10.1.1.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.56 community
snmp-server host inside 10.1.1.18 community
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetinbound interface ISA
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=xxx.xxxxxx
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 6ef8fc4f
quit
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.30.5-192.168.30.20 ISA
dhcpd dns 4.2.2.2 200.91.75.5 interface ISA
dhcpd enable ISA
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy VPNGP internal
group-policy VPNGP attributes
wins-server none
dns-server value 10.1.1.11 10.1.1.16
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value dotnet.co.cr
address-pools value VPN-POOL
username xxxx password gsUajqpee0ffkhsw encrypted
username xx password Wl5xhq9rOjTEyzHN encrypted privilege 15
username xxvpn password 9tblNqPJ2.cWaLSD encrypted
username xxvpn attributes
service-type remote-access
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
default-group-policy VPNGP
tunnel-group AnyConnect webvpn-attributes
group-alias VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.1.20
prompt hostname context
Cryptochecksum:9720306792f52eac533976d69f0f3daa
: end
Thanks
09-12-2012 07:37 AM
Hi Oscar,
The configuration seems to be fine.
At this point let's troubleshoot the VPN communication.
The SYN timeout means that the server does not respond, or the SYN ACK never reached the ASA.
We need to place a packet capture on the inside interface as follows:
capture capin interface inside match ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Then you try to access the server via RDP and issue the "show capture capin" command.
Another good test would be the following:
packet-tracer input inside icmp 10.1.1.250 8 0 192.168.3.1 detail ---> where the 192.168.3.1 must be the IP of the VPN client
Attach the output of the "show capture capin" and "packet-tracer" output.
Let me know.
Portu.
Please rate any post you find useful.
09-12-2012 07:59 AM
Thanks for your help, and yes, with the capture I could see the ACK wasn't arriving, and the reason was easy: we inherited a network topology with multiple gateways, so when I try RDP or something else to a server with a different gateway than the VPN ASA, of course I don't get a response. So I was wondering if there is any way to fix this problem? At least I know what is going on. Thank you.
09-12-2012 08:05 AM
Oscar,
Thanks for rating my last post.
Another option is to translate the VPN clients to the inside interface of the FW, so you do not need to deal with internal routing.
May I know the code version of your ASA?
Thanks.
09-12-2012 08:42 AM
Yes, it is 8.2(5). Can you give an example of the translation please?
09-12-2012 09:05 AM
Oscar,
This is the example:
access-list VPN_NAT permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (outside) 10 access-list VPN_NAT outside
global (inside) 10 interface
That should do it.
Let me know
Portu.
Please rate any post you find useful.
09-12-2012 09:14 AM
Excellent, can't ask for more, all is working now. You've been great, thanks for your help.
09-12-2012 09:32 AM
Great news
You are welcome!
Thanks for counting on Cisco!
Portu.
09-13-2012 08:50 AM
Hey Javier, one more question. I have everything working just great, just one more problem. We use a software that we need workers to use from home, and it sends a file from their computers to one server inside our LAN. But when it tries to do it, the file never arrives and the logs show me this error:
302014 | 192.168.3.x | 50712 | 10.1.1.x | 445 | Teardown TCP connection 438098 for outside:192.168.3.x/50712 to inside:10.1.1.x/445 duration 0:00:00 bytes 1547 TCP Reset-O (boss) |
I used Wireshark on the server and it gives an error sending the SYN-ACK to the ASA. How can I fix this problem? Thanks.
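Added example, not from the thread: a small Python parser for the ASA 302014 teardown line quoted above. It groups "SYN Timeout" and "TCP Reset-O" teardowns by inside server for flows coming from the VPN pool, so the hosts whose replies never come back through the ASA (the multi-gateway problem diagnosed earlier in the thread) stand out. The log lines are constructed, and the `%ASA-6-302014:` prefix assumes the messages were collected via syslog.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ASA 302014 teardown format quoted in
# the thread; the 302013 build line shows that other message ids are skipped.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 438098 for outside:192.168.3.12/50712 (192.168.3.12/50712) to inside:10.1.1.20/445 (10.1.1.20/445) (boss)
%ASA-6-302014: Teardown TCP connection 438098 for outside:192.168.3.12/50712 to inside:10.1.1.20/445 duration 0:00:00 bytes 1547 TCP Reset-O (boss)
%ASA-6-302014: Teardown TCP connection 438101 for outside:192.168.3.12/50713 to inside:10.1.1.20/445 duration 0:00:00 bytes 1547 TCP Reset-O (boss)
%ASA-6-302014: Teardown TCP connection 438077 for outside:192.168.3.12/50690 to inside:10.1.1.45/3389 duration 0:00:30 bytes 0 SYN Timeout (boss)
%ASA-6-302014: Teardown TCP connection 438080 for outside:192.168.3.12/50691 to inside:10.1.1.45/3389 duration 0:00:30 bytes 0 SYN Timeout (boss)
%ASA-6-302014: Teardown TCP connection 438120 for outside:192.168.3.12/50740 to inside:10.1.1.11/3389 duration 0:12:41 bytes 984312 TCP FINs (boss)
%ASA-6-302014: Teardown TCP connection 438122 for inside:10.1.1.50/51000 to outside:93.184.216.34/443 duration 0:00:45 bytes 9123 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)\s*(?:\((?P<user>[^)]*)\))?$"   # trailing "(user)" is optional
)
# Teardown reasons that, for a flow from a VPN client, mean the server's SYN-ACK
# never came back through the ASA (the symptom diagnosed in the thread).
NO_RETURN_REASONS = {"SYN Timeout", "TCP Reset-O"}

def parse_teardowns(text):
    """Return one dict per 302014 line; lines with other message ids are skipped."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        h, mi, s = (int(x) for x in e["dur"].split(":"))
        e["seconds"] = h * 3600 + mi * 60 + s
        e["bytes"], e["sport"], e["dport"] = int(e["bytes"]), int(e["sport"]), int(e["dport"])
        events.append(e)
    return events

def suspect_servers(events, vpn_pool_prefix="192.168.3."):
    """Count no-return teardowns per (server, port) for flows sourced from the VPN pool."""
    counts = defaultdict(int)
    for e in events:
        if e["src"].startswith(vpn_pool_prefix) and e["reason"] in NO_RETURN_REASONS:
            counts[(e["dst"], e["dport"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (server, port), n in sorted(suspect_servers(parse_teardowns(SAMPLE_LOG)).items()):
        print(f"{server}:{port}  {n} VPN connections torn down without a return path")
```

Servers that show up here with only SYN Timeout or Reset-O teardowns are the ones whose default gateway is not the ASA; the `nat (outside) ... outside` / `global (inside)` translation given earlier in the thread removes them from the list because the replies then stay on the inside LAN.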