  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1608

TCP Reset-O Message in the Firewall from External Router

Remote access to a 2811 router from a local LAN via SSH across a firewall was working fine.

Suddenly, the SSH connection was not getting through and we were getting the following error from PuTTY:

Fatal Putty Error: network error, software caused connection abort.

After looking through the firewall logs, I found the messages below:

%FWSM-6-305011: Built dynamic tcp translation from Internal:172.19.107.54/3929 to External:203.36.134.241/29797
%FWSM-6-302013: Built outbound TCP connection 219025379 for Internal:172.20.100.54/3929 (204.35.134.241/29797) to External:204.35.134.243/22 (204.35.134.243/22)
%FWSM-6-302014: Teardown TCP connection 219025379 for Internal:172.20.108.54/3929 to External:204.35.134.243/22 duration 0:00:00 bytes 244 TCP Reset-O

How come the router is sending a reply with the reset bit set? What does it mean? Does it at all reflect remotely any kind of DoS attack?

In any case, what is the way out?

Thanks
1 Solution
 
Voltz-dk commented:
It does not appear to be any sort of DoS attack.  My guess is some disagreement on encryption or the like, after which the router decided not to "speak" to you anymore.  You should check syslogs/debugging on the router and see if you can figure out exactly what it is.
0
 
vbongarala (Author) commented:

What could be the reason? What normally causes this kind of reset?

Are you referring to checking firewall logs or router logs?

Thank you
0
 
Voltz-dk commented:
It could be something as simple as the router not having a pair of crypto keys.  Maybe these got generated, and things worked well, but they weren't saved.
The router got restarted for whatever reason, and now it can't use SSH due to lack of keys.

That's just a guess, of course..

I refer to router logs.  It is the router that's getting "upset" :)
0
 
vbongarala (Author) commented:

Just to confirm: are you certain the router would generate logs that could help us peep at what's causing the reset from the router's end?

Of course, the router is set up for syslogs.

Thanks
0
 
Voltz-dk commented:
It may not be generating logs; it depends on the actual cause.  I would suggest logging into the router and checking the config and crypto key first.

0
 
vbongarala (Author) commented:

I will check the router logs and see what they say. Will let you know soon.

Thank you :)
0
 
Voltz-dk commented:
Check also the running config, and the crypto key.  For the running config it's the "line vty" parts; they should have something like "transport input ssh".

For the key it's:
sh crypto key rsa mypub
(or something like that .. use the ? to guide you through the exact order of the arguments).

You may also check out:
sh ip ssh
0
 
vbongarala (Author) commented:

Strangely, today when I tried to SSH to the remote router again, I got the following new message:

%FWSM-6-302014: Teardown TCP connection 219025379 for Internal:172.20.108.64/3929 to External:214.35.134.223/22 duration 0:00:00 bytes 244 SYN Timeout

I know that this message means: Force termination after two minutes awaiting three-way handshake completion.
But what could be causing this timeout?  What are the common reasons? Can this be some issue on the router side?
Please clarify.

Thanks:)
0
 
harbor235 commented:

The reset was performed from the outside; that's what Reset-O means. The server you are SSHing to reset the session. It could be several things: SSH not configured, host system resource saturation (busy), etc ...


harbor235 ;}
0
 
Voltz-dk commented:
The SYN timeout can happen for many reasons too.  With your setup, one of the following two would seem most likely.
It could be that the router has an access-list and silently drops the packet.  It could be that it doesn't have proper return routing.
0
 
vbongarala (Author) commented:
The router does not carry any access-list for inside traffic trying to access the router. And the router is sitting in front of the firewall. The local network from where I'm trying to SSH to the router is NATed in the firewall for internet access. You can see the diagram below for a better view:


Local network (172.16.10.0/24)-----------RTR---------L3Switch------FW-------Edge RTR------Internet

The Edge RTR IP facing the firewall is 205.31.21.1; this is the IP to which I'm doing SSH from the 172.16.10.0 network.
I have the following two questions to clarify:

a. When the local network is NATed in the FW, and then I try to SSH to the edge RTR IP, does the traffic get NATed by the firewall, even though the traffic is not for the Internet but for the very next hop RTR?

b. Will console logging while simultaneously trying SSH to the router generate any meaningful logs in the router which will help to troubleshoot?

Please answer. Thanks:)
0
 
harbor235 commented:

Again, the logs you provided identify a flow that was terminated by a TCP reset that was sent from the outside, hence the Reset-O, O=outside, which was generated by 204.35.134.243.

harbor235 ;}
0
 
Voltz-dk commented:
a) Yes, in most cases.  It depends on the actual setup, but it's common to have NAT in effect for everything passing the outside interface.  And in your first logs, you can see the NAT:

%FWSM-6-302013: Built outbound TCP connection 219025379 for Internal:172.20.100.54/3929 (204.35.134.241/29797) to External:204.35.134.243/22 (204.35.134.243/22)

b) That's hard to say; it depends on the actual problem.  But I don't feel you have answered too many of the questions I've asked about your setup.
---
I wonder if the SYN timeout you had was just because of a typo, seeing how that was aimed at .223:
214.35.134.223/22
While the initial post was about .243..

If it was indeed a typo, then I guess we are back to the reset and not a SYN timeout.  If it's not a typo, then why do we suddenly have this new device popping into the equation?

As for the reasons for your reset, please try to provide the answers to questions I posted earlier/results of commands I asked you to do.  It's too difficult to help otherwise.
0
 
harbor235 commented:

Aah, did not see the SYN timeout in the later post.

harbor235 ;}
0
 
vbongarala (Author) commented:
Sorry, it is indeed 243 and not 223. It is a typo. For the SSH connection, first I got the Reset msg as I posted.. then again now.. I'm getting the SYN Timeout msg. This is correct and the device is the same.

I will answer your earlier questions and provide the feedback.

Thanks:)
0
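As an added example (not part of the thread), the following Python script parses FWSM 302014 teardown lines like the ones quoted above and turns the teardown reason (Reset-O, Reset-I, SYN Timeout) into the side that ended the flow and the next thing to check. The sample log is constructed from the thread's lines with a third, clean-close flow added for contrast.

```python
import re

# Constructed sample, modelled on the FWSM lines quoted in the thread.
SAMPLE_LOG = """\
%FWSM-6-302013: Built outbound TCP connection 219025379 for Internal:172.20.100.54/3929 (204.35.134.241/29797) to External:204.35.134.243/22 (204.35.134.243/22)
%FWSM-6-302014: Teardown TCP connection 219025379 for Internal:172.20.108.54/3929 to External:204.35.134.243/22 duration 0:00:00 bytes 244 TCP Reset-O
%FWSM-6-302014: Teardown TCP connection 219025380 for Internal:172.20.108.64/3929 to External:204.35.134.243/22 duration 0:02:00 bytes 0 SYN Timeout
%FWSM-6-302014: Teardown TCP connection 219025381 for Internal:172.20.108.64/3930 to External:204.35.134.243/22 duration 0:05:12 bytes 9812 TCP FINs
"""

# 302014 teardown line: connection id, endpoints, duration, byte count, reason.
TEARDOWN_RE = re.compile(
    r"%FWSM-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"\w+:(?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$")

def parse_teardowns(text: str) -> list[dict]:
    """Return one dict per 302014 teardown line found in a block of FWSM syslog."""
    rows = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            d["seconds"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + int(d.pop("s"))
            d["dport"], d["nbytes"] = int(d["dport"]), int(d["nbytes"])
            rows.append(d)
    return rows

def diagnose(t: dict) -> str:
    """Map the teardown reason to the side that ended the flow and what to check next.
    Reset-O / Reset-I: the RST came from the Outside / Inside host; SYN Timeout: no handshake."""
    dst = "%s:%d" % (t["dst"], t["dport"])
    if t["reason"] == "SYN Timeout":
        return ("no SYN-ACK from %s within %ds: check the return route to the NATed "
                "address and any ACL silently dropping the SYN" % (dst, t["seconds"]))
    if t["reason"] == "TCP Reset-O":
        return ("%s answered the SYN then sent RST after %d bytes: the service refused; "
                "for SSH check 'line vty' transport input, RSA keys and 'show ip ssh'"
                % (dst, t["nbytes"]))
    if t["reason"] == "TCP Reset-I":
        return "inside client %s aborted the session itself" % t["src"]
    return "clean close (%s)" % t["reason"]

def ssh_failures(text: str) -> list[tuple[str, str]]:
    """(connection id, diagnosis) for each flow to port 22 that did not end with FINs."""
    return [(t["conn"], diagnose(t)) for t in parse_teardowns(text)
            if t["dport"] == 22 and t["reason"] != "TCP FINs"]

if __name__ == "__main__":
    for conn, why in ssh_failures(SAMPLE_LOG):
        print(conn, why)
```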