

Cisco ASA Syn timeout

Posted on 2010-08-16
Medium Priority
Last Modified: 2012-05-10

   I've been wondering.

I keep getting SYN timeout in the ASA logs when I try to reach a DMZ network from the outside.

I have two ASAs... It's actually a site-to-site VPN that's reaching the first ASA - on this one, when I do the packet tracer, I get "ipsec spoof packet" at the end, in the Result.

I see in the log the TCP connection being sent to the second ASA through an interconnection. Afterwards I see the TCP handshake, like: SYN sent to a DMZ interface, and that is it; after 30 seconds I only get SYN timeout.

I don't know what I can do with this problem.

I asked my system engineer to give me a tcpdump on both his server interfaces because I was suspecting the server reply would leave through a different interface.

Unfortunately, all I could see from the dump in Wireshark is... SYN sent to the server... and nothing else.

I am not NATting my requests. They come from the opposite site as is. The encryption domains are good - so are the SAs.

No idea, no idea.

I mean, I should be able to see a deny or a drop or get some words from the ASA! Or else I asked my system engineer to drop all his iptables.

nothing else.

pain in the ass! :D
Question by: cheops01

Accepted Solution

joelvp earned 2000 total points
ID: 33449902
SYN timeout means that your source tries to establish a TCP session, sends a TCP SYN packet as the first packet, but no reply is received by the ASA. Generally this is because the end node is either blocking the packet or does not know how to route it. I always use packet capture to make sure which packets are exactly passing the ASA interface.
Set up the capture as follows:

Let's assume the target server has IP address and it is located on interface inside; then the capture setup would be as follows:

conf t
access-list capsyn permit ip any host
access-list capsyn permit ip host any

cap syncap interface inside access-list capsyn

Then, after some time, check the contents of the capture as follows:

show cap syncap
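The reading of the capture that joelvp describes (SYN seen on the server-facing interface, nothing coming back) can be automated over the lines that "show cap" prints. This is an added Python example, not code from the thread or from Cisco; it assumes the tcpdump-style line format of the capture output, and the addresses in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed "show cap" output (tcpdump-like lines, made-up addresses):
# flow A retransmits its SYN and gets nothing back, flow B completes the
# handshake, flow C is refused with a RST. Captured on the server-facing interface.
SAMPLE_CAPTURE = """\
   1: 10:02:11.402311 10.8.0.25.51234 > 172.16.5.10.80: S 1000:1000(0) win 8192 <mss 1460>
   2: 10:02:14.401902 10.8.0.25.51234 > 172.16.5.10.80: S 1000:1000(0) win 8192 <mss 1460>
   3: 10:02:25.118870 10.8.0.30.40210 > 172.16.5.10.22: S 2000:2000(0) win 8192 <mss 1460>
   4: 10:02:25.119304 172.16.5.10.22 > 10.8.0.30.40210: S 7000:7000(0) ack 2001 win 29200 <mss 1460>
   5: 10:02:25.120001 10.8.0.30.40210 > 172.16.5.10.22: . ack 7001 win 8192
   6: 10:02:31.550020 10.8.0.40.40300 > 172.16.5.11.443: S 3000:3000(0) win 8192 <mss 1460>
   7: 10:02:31.550401 172.16.5.11.443 > 10.8.0.40.40300: R 0:0(0) ack 3001 win 0
"""

LINE_RE = re.compile(  # packet no., timestamp, src.port > dst.port: flags rest
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SRFP.]+)(?P<rest>.*)$"
)

ADVICE = {
    "synack": "handshake completed here: ACL and routing through the ASA are fine",
    "rst": "server answered with RST: reachable, but nothing listens on that port",
    "no-reply": "SYN left the ASA, nothing returned: check host firewall and return route",
}

def classify_flows(capture_text):
    """Map each client 4-tuple whose SYN was captured to a verdict key."""
    syn_count, replies = Counter(), defaultdict(list)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        acked = " ack " in m["rest"]
        if "S" in m["flags"] and not acked:
            syn_count[fwd] += 1              # client SYN, retransmits included
        elif rev in syn_count:
            replies[rev].append(m["flags"])  # server-to-client answer only
    verdicts = {}
    for flow in syn_count:
        flags = "".join(replies[flow])       # "" when the server never answered
        verdicts[flow] = "synack" if "S" in flags else "rst" if "R" in flags else "no-reply"
    return verdicts

def report(capture_text):
    return [f"{c}:{cp} -> {s}:{sp} [{v}] {ADVICE[v]}"
            for (c, cp, s, sp), v in classify_flows(capture_text).items()]
```

A SYN that never shows up in this capture at all is the other case: the ASA itself dropped it, which points at the interface ACL rather than the server.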

Expert Comment

ID: 33451240
Hi, yes check your capture log, and post your access-lists by doing a: sh run access-l

Be sure they are sanitized.  More than likely you just don't have an ACL to allow traffic in the DMZ interface from the outside interface.

There would be no reason for a route, but since your outside interface would most likely be of a lower security level than that of the DMZ interface (which it probably should be) then you would need to create an ACL and then bind it to the DMZ interface inbound like so:

access-list outside_in_DMZ permit tcp any host DMZ_SERVER_IP_HOSTname eq 80

then the access-group to bind it to the DMZ interface:
access-group outside_in_DMZ in interface DMZ

I used port 80 as an example, but it could be anything like telnet, ssh, ftp, etc.


Expert Comment

ID: 33554074
Hi there, everything ok on this?  Just checking your status.


Author Closing Comment

ID: 33624790
The problem was indeed on the server side.

The system engineer found the problem.

Thank you very much
