Solved

Cisco ASA Syn timeout

Posted on 2010-08-16
11,219 Views
Last Modified: 2012-05-10
Hi,

   I've been wondering.

I keep getting syn timeout from the ASA logs when I try to reach a dmz network from the outside.

I have two ASAs... It's actually a site-to-site VPN that's reaching the first ASA - on this one, when I do the packet tracer, I get "ipsec spoof packet" at the end in the Result.

I see in the log the TCP connection being sent to the second ASA through an interconnection. Afterwards I see the TCP handshake: SYN sent to a DMZ interface, and that is it; after 30 seconds I only get SYN timeout.

I don't know what I can do with this problem.

I asked my system engineer to give me a tcpdump on both his server interfaces because I was suspecting the server reply would leave through a different interface.

Unfortunately, all I could see from the dump in Wireshark is... SYN sent to the server... and nothing else.

I am not natting my requests. They come from the opposite site as is. The encryption domains are good - so are the SA.

no idea, no idea.

I mean, I should be able to see a deny or a drop or get some words from the ASA! Or else I asked my system engineer to drop all his iptables.

nothing else.

pain in the ass! :D
Question by:cheops01
4 Comments
 
LVL 7

Accepted Solution

by:
joelvp earned 2000 total points
ID: 33449902
SYN timeout means that your source tries to establish a TCP session, sends a TCP SYN packet as the first packet, but no reply is received by the ASA. Generally this is because the end node is either blocking the packet or does not know how to route it. I always use packet capture to make sure which packets are exactly passing the ASA interface.
Set up the capture as follows:

Let's assume the target server has IP address 1.2.3.4 and it is located on interface inside; then the capture setup would be as follows:

conf t
access-list capsyn permit ip any host 1.2.3.4
access-list capsyn permit ip host 1.2.3.4 any

cap syncap interface inside access-list capsyn

Then after some time, check the contents of the capture as follows:

show cap syncap
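A small triage script for the log side of this diagnosis, added here as an example and not part of joelvp's answer: it parses teardown lines written in the style of ASA message 302014, counts zero-byte SYN Timeout closures per destination, and lists which destination interfaces also carry flows that completed normally. The log lines, hosts, ports, connection IDs and interface names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ASA messages 302013 (Built) and
# 302014 (Teardown). Hosts, ports, connection IDs and interface names are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4101 for outside:10.10.10.5/51000 (10.10.10.5/51000) to dmz:172.16.20.8/443 (172.16.20.8/443)
%ASA-6-302014: Teardown TCP connection 4101 for outside:10.10.10.5/51000 to dmz:172.16.20.8/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4102 for outside:10.10.10.5/51001 (10.10.10.5/51001) to dmz:172.16.20.8/443 (172.16.20.8/443)
%ASA-6-302014: Teardown TCP connection 4102 for outside:10.10.10.5/51001 to dmz:172.16.20.8/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4103 for outside:10.10.10.5/51002 (10.10.10.5/51002) to dmz:172.16.20.9/22 (172.16.20.9/22)
%ASA-6-302014: Teardown TCP connection 4103 for outside:10.10.10.5/51002 to dmz:172.16.20.9/22 duration 0:02:11 bytes 18342 TCP FINs
"""

# Only the teardown message carries the close reason, so that is what we parse.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardowns(log_text):
    """Return one dict per 302014 line; every other line is ignored."""
    records = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def syn_timeout_counts(log_text):
    """SYN Timeout teardowns with zero bytes, keyed by (dst_if, dst, dport).
    Zero bytes means the ASA forwarded the SYN and never saw a reply, which
    is what the firewall reports when the block is downstream of it."""
    counts = defaultdict(int)
    for rec in parse_teardowns(log_text):
        if rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
            counts[(rec["dst_if"], rec["dst"], rec["dport"])] += 1
    return dict(counts)


def interfaces_with_working_flows(log_text):
    """Destination interfaces that saw at least one connection close normally.
    A SYN-timeout host on an interface that also carries completed flows points
    at that host (or its routing) rather than at the ASA policy for the path."""
    return sorted({rec["dst_if"] for rec in parse_teardowns(log_text)
                   if rec["reason"] != "SYN Timeout" and rec["bytes"] > 0})
```

Feed it the output of the ASA's logging buffer or a syslog export; a destination that keeps appearing in syn_timeout_counts while its interface appears in interfaces_with_working_flows is the server-side case this thread ended with.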
 
LVL 20

Expert Comment

by:MightySW
ID: 33451240
Hi, yes check your capture log, and post your access-lists by doing a: sh run access-l

Be sure they are sanitized.  More than likely you just don't have an ACL to allow traffic in the DMZ interface from the outside interface.

There would be no reason for a route, but since your outside interface would most likely be of a lower security level than that of the DMZ interface (which it probably should be) then you would need to create an ACL and then bind it to the DMZ interface inbound like so:

access-list outside_in_DMZ permit tcp any host DMZ_SERVER_IP_HOSTname eq 80

then the access-group to bind it to the DMZ interface:
access-group outside_in_DMZ in interface DMZ

I used port 80 as an example, but it could be anything like telnet, ssh, ftp, etc.

HTH
 
LVL 20

Expert Comment

by:MightySW
ID: 33554074
Hi there, everything ok on this?  Just checking your status.

Thanks
 

Author Closing Comment

by:cheops01
ID: 33624790
The problem was indeed on the server side.

The system engineer found the problem.

Thank you very much