Solved

Cisco ASA Syn timeout

Posted on 2010-08-16
Last Modified: 2012-05-10
Hi,

I've been wondering.

I keep getting SYN timeout in the ASA logs when I try to reach a DMZ network from the outside.

I have two ASAs... It's actually a site-to-site VPN that's reaching the first ASA. On this one, when I do the packet tracer, I get "ipsec spoof packet" at the end in the Result.

I see in the log the TCP connection being sent to the second ASA through an interconnection. Afterwards I see the TCP handshake: SYN sent to a DMZ interface, and that is it; after 30 seconds I only get SYN timeout.

I don't know what I can do with this problem.

I asked my system engineer to give me a tcpdump on both his server interfaces because I was suspecting the server reply would leave through a different interface.

Unfortunately, all I could see from the dump in Wireshark is... SYN sent to the server... and nothing else.

I am not NATing my requests. They come from the opposite site as is. The encryption domains are good, and so are the SAs.

No idea, no idea.

I mean, I should be able to see a deny or a drop or get some words from the ASA! Or else... I asked my system engineer to drop all his iptables.

Nothing else.

Pain in the ass! :D
Question by: cheops01

4 Comments
Accepted Solution by: joelvp (LVL 7), earned 500 total points
ID: 33449902
SYN timeout means that your source tries to establish a TCP session: it sends a TCP SYN packet as the first packet, but no reply is received by the ASA. Generally this is because the end node is either blocking the packet or does not know how to route it. I always use packet capture to make sure which packets are exactly passing the ASA interface.
Set up the capture as follows:

Let's assume the target server has IP address 1.2.3.4 and it is located on interface inside; then the capture setup would be as follows:

conf t
access-list capsyn permit ip any host 1.2.3.4
access-list capsyn permit ip host 1.2.3.4 any

cap syncap interface inside access-list capsyn

Then, after some time, check the contents of the capture as follows:

show cap syncap
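The capture above tells you what the ASA actually forwarded toward the server. What a practitioner wants to know from its output is whether the SYN went out and nothing came back, which is exactly the "end node blocking or misrouting" case described in the answer, or whether a SYN/ACK or RST did return. The following Python script is an added example (not from the original thread or from Cisco): it parses the tcpdump-style lines that `show capture` prints and lists every client flow whose SYNs were never answered. The capture text is constructed for the example, the regular expression assumes the plain IPv4 TCP line format with an optional VLAN prefix, and the flag letters (S, S., R, R.) follow tcpdump's conventions.

```python
import re
from collections import defaultdict

# Constructed sample of "show capture syncap" output (not from the original post).
# The ASA prints tcpdump-style lines; the TCP flag field is S (SYN), S. (SYN/ACK),
# . (ACK only), R / R. (RST), P (PSH), F (FIN).
SAMPLE_CAPTURE = """\
6 packets captured
   1: 10:15:01.120034 192.0.2.10.51000 > 1.2.3.4.80: S 1111111111:1111111111(0) win 8192 <mss 1460>
   2: 10:15:04.120210 192.0.2.10.51000 > 1.2.3.4.80: S 1111111111:1111111111(0) win 8192 <mss 1460>
   3: 10:15:10.120398 192.0.2.10.51000 > 1.2.3.4.80: S 1111111111:1111111111(0) win 8192 <mss 1460>
   4: 10:15:12.500001 192.0.2.11.52000 > 1.2.3.4.443: S 2222222222:2222222222(0) win 8192 <mss 1460>
   5: 10:15:12.500880 1.2.3.4.443 > 192.0.2.11.52000: S. 3333333333:3333333333(0) ack 2222222223 win 65535 <mss 1460>
   6: 10:15:12.501500 192.0.2.11.52000 > 1.2.3.4.443: . ack 3333333334 win 8192
6 packets shown
"""

# One packet line: number, timestamp, optional 802.1Q prefix, "src.port > dst.port: FLAGS ..."
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                                   # "   1: 10:15:01.120034 "
    r"(?:.*?\s)??"                                         # optional vlan/extra prefix (assumed)
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"  # source ip.port >
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"     # destination ip.port:
    r"(?P<flags>[SRPF.]+)(?=\s)"                           # TCP flag field
)


def parse_capture(text):
    """Return one (src, sport, dst, dport, flags) tuple per TCP packet line."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets


def find_unanswered_syns(text):
    """Map (client, cport, server, sport) -> number of SYNs seen, for flows where the
    capture shows client SYNs but no SYN/ACK or RST ever came back from the server."""
    syn_count = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_capture(text):
        if flags == "S":
            syn_count[(src, sport, dst, dport)] += 1
        elif flags in ("S.", "R", "R."):
            # A reply: key it in the client's direction so it matches the SYN's flow key.
            answered.add((dst, dport, src, sport))
    return {flow: n for flow, n in syn_count.items() if flow not in answered}


def report(text):
    """One human-readable line per unanswered flow, sorted for stable output."""
    lines = []
    for (src, sport, dst, dport), n in sorted(find_unanswered_syns(text).items()):
        lines.append(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s), no SYN/ACK or RST seen")
    return lines


if __name__ == "__main__":
    # Paste real "show capture <name>" output in place of SAMPLE_CAPTURE to use it.
    for line in report(SAMPLE_CAPTURE) or ["every SYN in the capture was answered"]:
        print(line)
```

If a flow shows up here on the capture taken on the server-facing interface, the ASA did its part and the answer has to come from the server side (host firewall, routing or a reply leaving via another interface); if the SYN never appears in that capture at all, look at the ASA itself instead.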
Expert Comment by: MightySW (LVL 20)
ID: 33451240
Hi, yes, check your capture log, and post your access-lists by doing a: sh run access-l

Be sure they are sanitized. More than likely you just don't have an ACL to allow traffic in the DMZ interface from the outside interface.

There would be no reason for a route, but since your outside interface would most likely be of a lower security level than that of the DMZ interface (which it probably should be) then you would need to create an ACL and then bind it to the DMZ interface inbound like so:

access-list outside_in_DMZ extended permit tcp any host DMZ_SERVER_IP_HOSTname eq 80

then the access-group to bind it to the DMZ interface:
access-group outside_in_DMZ in interface DMZ

I used port 80 as an example, but it could be anything like telnet, ssh, ftp, etc.

HTH
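When checking whether an ACL is the cause, it helps to walk the list the way the ASA does: top to bottom, first match wins, implicit deny at the end. The Python below is an added example (not from the original thread or from Cisco) that parses a `show run access-list` listing and evaluates a flow against it; the ACL text and the DMZ address 10.10.10.5 are constructed, and the example assumes the list is applied inbound on the interface where the traffic enters the ASA (for outside-to-DMZ traffic, that is the outside interface). The parser only understands `any`, `host A` and `A MASK` address specs plus `eq` ports, and it maps a handful of service names to numbers; that subset is an assumption, not the full ASA grammar. One caveat worth keeping in mind: a packet that an ACL drops is logged by the ASA as a deny message, not as a SYN timeout, so a SYN timeout teardown means the connection was permitted and built and the destination simply never answered.

```python
import ipaddress

# Constructed "show run access-list" output (not from the original post). The ACL is assumed
# to be applied with "access-group outside_in in interface outside".
SAMPLE_ACL = """\
access-list outside_in remark traffic from the far VPN site into the DMZ
access-list outside_in extended permit tcp any host 10.10.10.5 eq www
access-list outside_in extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.5 eq 443
access-list outside_in extended permit icmp any host 10.10.10.5
access-list outside_in extended deny ip any any log
"""

# A few of the service names the ASA substitutes for port numbers (assumed subset).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "ftp": 21, "smtp": 25}


def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return an IPv4Network."""
    t = tokens.pop(0)
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ASA access-lists use real netmasks, not wildcard masks.
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(text):
    """Turn 'access-list ...' lines into ACE dicts, in configured order; remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest.pop(0)
        action, proto = rest.pop(0), rest.pop(0)
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)   # trailing "log" is ignored
        aces.append({"name": name, "action": action, "proto": proto,
                     "src": src, "sport": sport, "dst": dst, "dport": dport})
    return aces


def evaluate(aces, name, proto, src_ip, dst_ip, dst_port=None):
    """First-match lookup the way the ASA walks an ACL: returns (action, ace_number)
    for the matching entry, or ('deny', None) for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    n = 0
    for ace in aces:
        if ace["name"] != name:
            continue
        n += 1
        if ace["proto"] not in ("ip", proto):       # "ip" entries match every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"], n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for flow in [("tcp", "203.0.113.9", "10.10.10.5", 80), ("tcp", "203.0.113.9", "10.10.10.5", 443)]:
        print(flow, "->", evaluate(acl, "outside_in", *flow))
```

Running the constructed list through it shows the pattern the comment warns about: HTTP from anywhere is permitted by the first entry, while HTTPS from an address outside 192.0.2.0/24 falls through to the final explicit deny, which the ASA would log rather than report as a SYN timeout.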
Expert Comment by: MightySW (LVL 20)
ID: 33554074
Hi there, everything ok on this?  Just checking your status.

Thanks
Author Closing Comment by: cheops01
ID: 33624790
The problem was indeed on the server side.

The system engineer found the problem.

Thank you very much