Cisco ASA SYN timeout

Posted on 2010-08-16
Last Modified: 2012-05-10

I've been wondering.

I keep getting SYN timeout in the ASA logs when I try to reach a DMZ network from the outside.

I have two ASAs... It's actually a site-to-site VPN that's reaching the first ASA; on this one, when I do the packet tracer, I get "ipsec spoof packet" at the end in the Result.

I see in the log the TCP connection being sent to the second ASA through an interconnection. Afterwards I see the TCP handshake: SYN sent to a DMZ interface, and that is it; after 30 seconds I only get SYN timeout.

I don't know what I can do with this problem.

I asked my system engineer to give me a tcpdump on both his server interfaces because I was suspecting the server reply would leave through a different interface.

Unfortunately, all I could see from the dump in Wireshark is... SYN sent to the server... and nothing else.

I am not NATing my requests. They come from the opposite site as is. The encryption domains are good, and so are the SAs.

no idea, no idea.

I mean, I should be able to see a deny or a drop or get some words from the ASA! Or else... I asked my system engineer to drop all his iptables rules.

nothing else.

pain in the ass! :D
Question by: cheops01

Accepted Solution

joelvp earned 500 total points
ID: 33449902
SYN timeout means that your source tries to establish a TCP session and sends a TCP SYN packet as the first packet, but no reply is received by the ASA. Generally this is because the end node is either blocking the packet or does not know how to route it. I always use packet capture to make sure which packets are exactly passing the ASA interface.
Set up the capture as follows:

Let's assume the target server has IP address and it is located on interface inside; then the capture setup would be as follows:

conf t
access-list capsyn permit ip any host
access-list capsyn permit ip host any

cap syncap interface inside access-list capsyn

Then, after some time, check the contents of the capture as follows:

show cap syncap

Expert Comment

ID: 33451240
Hi, yes check your capture log, and post your access-lists by doing a: sh run access-l

Be sure they are sanitized. More than likely you just don't have an ACL to allow traffic into the DMZ interface from the outside interface.

There would be no reason for a route, but since your outside interface would most likely be of a lower security level than that of the DMZ interface (which it probably should be), you would need to create an ACL and then bind it to the DMZ interface inbound, like so:

access-list outside_in_DMZ permit tcp any host DMZ_SERVER_IP_HOSTname eq 80

Then the access-group to bind it to the DMZ interface:
access-group outside_in_DMZ in interface DMZ

I used port 80 as an example, but it could be anything like telnet, ssh, ftp, etc.
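The two answers above point at two different places to look: the accepted answer says a SYN timeout is the ASA forwarding the SYN and never seeing a SYN/ACK, and the second answer suspects a missing ACL. The ASA syslog already distinguishes the two cases, so the quickest triage is to read it before touching ACLs: a 302013 "Built ... connection" followed by a 302014 "Teardown ... SYN Timeout" means the ACL and route on the ASA were fine and the reply is missing beyond the egress interface (the poster's eventual finding: a server-side problem), whereas a 106023 "Deny ... by access-group" means the ACL on the interface where the packet entered (for outside-to-DMZ traffic that is the outside interface, inbound) dropped it. The script below is an added example, not code from the thread or from Cisco; it parses those three message formats, counts SYN timeouts and ACL denies per flow, and writes out the same capture commands as the accepted answer for the egress interface of each timed-out flow. The sample log lines, interface names, addresses and connection IDs are constructed for the example.

```python
"""Triage Cisco ASA syslog for TCP SYN timeouts versus ACL denies.

Added example. Message IDs 302014 (TCP teardown, with reason) and 106023
(ACL deny) have fixed formats; 302013 (Built connection) lines are ignored
because the teardown carries the same flow and the reason.
"""
import re
from collections import Counter

# Constructed sample log (invented interfaces, addresses, connection IDs).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:10.9.9.5/51000 (10.9.9.5/51000) to dmz:192.0.2.10/80 (192.0.2.10/80)
%ASA-6-302014: Teardown TCP connection 4711 for outside:10.9.9.5/51000 to dmz:192.0.2.10/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4712 for outside:10.9.9.5/51001 (10.9.9.5/51001) to dmz:192.0.2.10/22 (192.0.2.10/22)
%ASA-6-302014: Teardown TCP connection 4712 for outside:10.9.9.5/51001 to dmz:192.0.2.10/22 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4713 for outside:10.9.9.6/51002 (10.9.9.6/51002) to dmz:192.0.2.11/443 (192.0.2.11/443)
%ASA-6-302014: Teardown TCP connection 4713 for outside:10.9.9.6/51002 to dmz:192.0.2.11/443 duration 0:01:12 bytes 8812 TCP FINs
%ASA-4-106023: Deny tcp src outside:10.9.9.7/51003 dst dmz:192.0.2.12/3389 by access-group "outside_access_in" [0x0, 0x0]
"""

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def triage(log_text):
    """Count flows by outcome.

    syn_timeouts: (ingress_if, egress_if, dst_ip, dst_port) -> count
    acl_denies:   (ingress_if, egress_if, dst_ip, dst_port, acl) -> count
    completed:    teardowns with any reason other than SYN Timeout
    """
    syn_timeouts, acl_denies, completed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            key = (m["in_if"], m["out_if"], m["dst"], int(m["dport"]))
            if m["reason"].strip() == "SYN Timeout":
                syn_timeouts[key] += 1
            else:
                completed += 1
            continue
        m = DENY_RE.search(line)
        if m:
            acl_denies[(m["in_if"], m["out_if"], m["dst"],
                        int(m["dport"]), m["acl"])] += 1
    return {"syn_timeouts": syn_timeouts, "acl_denies": acl_denies,
            "completed": completed}


def capture_commands(interface, host, name="syncap"):
    """ASA CLI for a bidirectional capture of one host on one interface,
    the same shape as the capture in the accepted answer."""
    acl = f"cap_{name}"
    return [
        "configure terminal",
        f"access-list {acl} permit ip any host {host}",
        f"access-list {acl} permit ip host {host} any",
        f"capture {name} interface {interface} access-list {acl}",
    ]


def next_steps(result):
    """Turn the counts into the check to run next for each flow."""
    steps = []
    for (in_if, out_if, dst, dport), n in sorted(result["syn_timeouts"].items()):
        # The ASA built the connection, so its ACL and route allowed the SYN;
        # capture on the egress interface and look for a SYN with no SYN/ACK.
        steps.append(
            f"{n} SYN timeout(s) {in_if}->{out_if} to {dst}:{dport}: ASA permitted the "
            f"flow; capture on '{out_if}' with: " + "; ".join(capture_commands(out_if, dst))
        )
    for (in_if, out_if, dst, dport, acl), n in sorted(result["acl_denies"].items()):
        # The deny names the interface the packet entered; that is where the
        # inbound ACL must permit the flow.
        steps.append(
            f"{n} ACL deny {in_if}->{out_if} to {dst}:{dport}: "
            f"permit it in ACL '{acl}' applied inbound on '{in_if}'"
        )
    return steps


if __name__ == "__main__":
    for step in next_steps(triage(SAMPLE_LOG)):
        print(step)
```

Run it against real syslog (for example the output of `show logging` or a syslog server file) and the two lists separate the "no reply" case, where the next stop is a capture on the egress interface and then the server itself, from the "ACL" case, where the interface named after `src` in the deny line is the one whose inbound ACL needs the permit.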


Expert Comment

ID: 33554074
Hi there, is everything OK on this? Just checking your status.


Author Closing Comment

ID: 33624790
The problem was indeed on the server side.

The system engineer found the problem.

Thank you very much
