Cisco ASA Syn timeout
Posted on 2010-08-16
I've been wondering.
I keep getting SYN timeout in the ASA logs when I try to reach a DMZ network from the outside.
I have two ASAs... It's actually a site-to-site VPN that's reaching the first ASA. On this one, when I do the packet tracer, I get "ipsec spoof packet" at the end in the Result.
I see in the log the TCP connection being sent to the second ASA through an interconnection. Afterwards I see the TCP handshake: SYN sent to a DMZ interface, and that is it; after 30 seconds I only get SYN timeout.
I don't know what I can do with this problem.
I asked my system engineer to give me a tcpdump on both his server interfaces because I was suspecting the server reply would leave through a different interface.
Unfortunately, all I could see from the dump in Wireshark is... SYN sent to the server... and nothing else.
I am not NATting my requests. They come from the opposite site as is. The encryption domains are good, and so are the SAs.
No idea, no idea.
I mean, I should be able to see a deny or a drop or get some words from the ASA! Or else, I asked my system engineer to drop all his iptables rules.
Pain in the ass! :D