01-30-2003 08:38 AM - edited 02-21-2020 12:19 PM
Hi,
I have a very strange situation. I have configured a VPN between two networks but a TCP application that should run through the tunnel is failing. The remote end is sending RST to the SYN. Below is the output of the network dump. I tried to reduce the MTU but with no success (the application runs through Cisco VPN client using dialup).
Any clues what might be wrong? Thanks in advance.
----------------------------------------
Internet Protocol, Src Addr: 10.160.196.130 (10.160.196.130), Dst Addr: 57.206.114.200 (57.206.114.200)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x013e
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x7dd1 (correct)
Source: 10.160.196.130 (10.160.196.130)
Destination: 57.206.114.200 (57.206.114.200)
Transmission Control Protocol, Src Port: 1067 (1067), Dst Port: 5010 (5010), Seq: 148829501, Ack: 0, Len: 0
Source port: 1067 (1067)
Destination port: 5010 (5010)
Sequence number: 148829501
Header length: 28 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 64512
Checksum: 0xf58c (correct)
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
Internet Protocol, Src Addr: 57.206.114.200 (57.206.114.200), Dst Addr: 10.160.196.130 (10.160.196.130)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x013e
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 126
Protocol: TCP (0x06)
Header checksum: 0x7fd1 (correct)
Source: 57.206.114.200 (57.206.114.200)
Destination: 10.160.196.130 (10.160.196.130)
Transmission Control Protocol, Src Port: 5010 (5010), Dst Port: 1067 (1067), Seq: 0, Ack: 148829502, Len: 0
Source port: 5010 (5010)
Destination port: 1067 (1067)
Sequence number: 0
Acknowledgement number: 148829502
Header length: 28 bytes
Flags: 0x0014 (RST, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 64512
Checksum: 0xf579 (correct)
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
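A small parser for the text dissection format shown in the question, pairing each SYN with the RST that answers it so the reset's TTL and IP ID can be read next to the SYN's. This is an added example, not part of either post; the function names `parse_packets` and `refused_syns` are illustrative.

```python
import re
# Shortened copy of the two packets in the question's dump (same text layout).
SAMPLE = """\
Internet Protocol, Src Addr: 10.160.196.130 (10.160.196.130), Dst Addr: 57.206.114.200 (57.206.114.200)
Identification: 0x013e
Time to live: 128
Transmission Control Protocol, Src Port: 1067 (1067), Dst Port: 5010 (5010), Seq: 148829501, Ack: 0, Len: 0
Flags: 0x0002 (SYN)
Internet Protocol, Src Addr: 57.206.114.200 (57.206.114.200), Dst Addr: 10.160.196.130 (10.160.196.130)
Identification: 0x013e
Time to live: 126
Transmission Control Protocol, Src Port: 5010 (5010), Dst Port: 1067 (1067), Seq: 0, Ack: 148829502, Len: 0
Flags: 0x0014 (RST, ACK)
"""
IP_RE = re.compile(r"Internet Protocol, Src Addr: (\S+) .*Dst Addr: (\S+)")
TCP_RE = re.compile(r"Transmission Control Protocol, Src Port: (\d+) .*Dst Port: (\d+) .*Seq: (\d+), Ack: (\d+)")
FIELD_RE = re.compile(r"(Identification|Time to live|Flags): (\w+)")

def parse_packets(text):
    """Turn the text dissection into one dict per packet."""
    packets, layer = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            packets.append({"src": m[1], "dst": m[2]})
            layer = "ip"
        elif (m := TCP_RE.match(line)) and packets:
            packets[-1].update(zip(("sport", "dport", "seq", "ack"), map(int, m.groups())))
            layer = "tcp"
        elif (m := FIELD_RE.match(line)) and packets:
            key = {"Identification": "ip_id", "Time to live": "ttl", "Flags": "flags"}[m[1]]
            if key != "flags" or layer == "tcp":  # skip the IP-layer "Flags: 0x04" line
                packets[-1][key] = int(m[2], 0)
    return packets

def refused_syns(packets):
    """Pair each bare SYN with the later RST answering it (reverse 4-tuple, ack = seq + 1)."""
    SYN, RST, ACK = 0x02, 0x04, 0x10
    pairs = []
    for i, syn in enumerate(packets):
        if (syn.get("flags", 0) & (SYN | RST | ACK)) != SYN:
            continue
        want = (syn["dst"], syn["dport"], syn["src"], syn["sport"], (syn["seq"] + 1) % 2**32)
        for rst in packets[i + 1:]:
            got = tuple(rst.get(k) for k in ("src", "sport", "dst", "dport", "ack"))
            if rst.get("flags", 0) & RST and got == want:
                pairs.append((syn, rst))
                break
    return pairs
```
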
02-05-2003 09:44 AM
I remember having come across a similar problem some time ago. Just as is the case here, the remote end was sending a RST to a SYN. The root cause in that case turned out to be the presence of CBAC. It seems that CBAC and a client-initiated HTTP session don't go together. If you have CBAC configured, try removing the same and see if the setup works normally.