Solved

ASA 5510 can't access one web site, all others fine

Posted on 2014-04-24
Last Modified: 2014-04-25
By no means an ASA expert, someone else configured it for us.  Anyways, here is my problem.  I can access every site on the Internet except one.

I can access the site in question using another ISP, but not from my main LAN feed.  I called our ISP and they indicated everything was fine with them.  As a test I connected a laptop outside our firewall, directly to our Internet router.  When I did that I can magically access the site!  This means our ISP is correct and the issue isn't on their end, it seems to be something in our ASA config that is causing the problem.

I have tried logging our ASA while trying to access from my desktop and I am seeing the following error:

....duration 0:00:30 bytes 0 SYN Timeout

a few seconds later I see:

....flags RST  on interface outside

The timeout message is usually displayed after approximately 30 seconds. The RST error message appears about 15 seconds after that.

I can't find anything in our configuration specifying something different for this IP address, so I don't know why the ASA is dropping packets to it.  As I said, if I move my machine to the network which the outside interface is using, I can connect up no problem.

Any suggestions on this?  It's really puzzling this occurs with this one web site only.

Feedback appreciated.
Question by:DrakeCA
17 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40020560
Is that IP listed in any policies that are preventing or blocking it?
From the CLI execute "sh access-group" and see if the IP is tied to any ACLs.

Also, here is an ASA link to Cisco on allowing or blocking an IP, as well as the whole book if needed.

This is minor and should get you taken care of.

-Rafael
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40020604
Can you tell us what the website/IP address is that you are trying to get to, and also post your running configuration of the ASA? If so, be sure to sanitize the configuration so we do not see any external IP addresses or passwords.
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40020605
Show me the result of the following command, plus #sh run for the ASA:

CiscoASA# packet-tracer input inside tcp [ONE OF YOUR INSIDE IPs] 54444 [DESTINATION WEB SERVER IP ADDRESS] http detailed
0
 

Author Comment

by:DrakeCA
ID: 40020613
The IP address doesn't show up in any ACL.  I checked this before, but just verified again.
0
 

Author Comment

by:DrakeCA
ID: 40020634
Here are the results of the packet-tracer command:

Result of the command: "packet-tracer input inside tcp 10.79.5.71 54444 203.143.82.157 http detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd56709a0, priority=1, domain=permit, deny=false
      hits=1896210657, user_data=0x0, cs_id=0x0, l3_type=0x8
      src mac=0000.0000.0000, mask=0000.0000.0000
      dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.79.5.0 255.255.255.0 any
access-list inside_access_in remark Alllow connections for PPTP
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd581ac88, priority=12, domain=permit, deny=false
      hits=19473753, user_data=0xd581ac48, cs_id=0x0, flags=0x0, protocol=0
      src ip=10.79.5.0, mask=255.255.255.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5673470, priority=0, domain=permit-ip-option, deny=true
      hits=86779213, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (38.112.X.X)
    translate_hits = 31246392, untranslate_hits = 1534368
Additional Information:
Dynamic translate Craig_Temp/54444 to 38.112.X.X/63078 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xd57ba930, priority=1, domain=nat, deny=false
      hits=31256400, user_data=0xd5796060, cs_id=0x0, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (38.112.X.X)
    translate_hits = 31246392, untranslate_hits = 1534368
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5682b90, priority=1, domain=host, deny=false
      hits=53690755, user_data=0xd5796060, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd55c6f50, priority=0, domain=permit-ip-option, deny=true
      hits=60615266, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 92440388, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 38.112.X.Y using egress ifc outside
adjacency Active
next-hop mac address 0030.190e.ff30 hits 29005

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40020748
it looks good to me,
OK let us capture traffic between 10.79.5.71 and your web server:

#access-list testcap extended permit ip host 10.79.5.71 host 203.143.82.157
#capture testcap interface inside

- Open your browser from 10.79.5.71 to the web server; then, after it has timed out:

#no capture testcap

then give me the result in any way:

1)https://ASA_INTERNAL_IP/admin/capture/testcap

OR

2) # show capture testcap

I will need to see your #sh run too!
0
 

Author Comment

by:DrakeCA
ID: 40020898
I tried running the commands above and it accepted everything, except the last one.  I get a response:

ERROR: Capture <testcap> does not exist
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40020906
# sh run
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40020910
0
 

Author Comment

by:DrakeCA
ID: 40020935
OK.

This is what I get using the wizard on the inside interface:

9 packets captured
   1: 13:53:55.077220 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 13:53:55.077480 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   3: 13:53:58.075435 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   4: 13:53:58.078395 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   5: 13:54:04.081782 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,nop,sackOK>
   6: 13:54:04.081813 10.79.5.71.51568 > 203.143.82.157.80: S 1847966989:1847966989(0) win 8192 <mss 1460,nop,nop,sackOK>
   7: 13:54:16.081752 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   8: 13:54:19.080821 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   9: 13:54:25.077205 10.79.5.71.51593 > 203.143.82.157.80: S 4203007611:4203007611(0) win 8192 <mss 1460,nop,nop,sackOK>
9 packets shown
0
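The capture above shows only outbound SYNs on the inside interface: three retransmissions per client port and not a single SYN-ACK or RST coming back, which is exactly what the "SYN Timeout" log line means. An added Python example, not from the thread, that parses ASA show capture lines and classifies each flow this way; the packet 10/11 lines for client port 51600 are constructed to show what an answered handshake looks like, the others are copied from the capture.

```python
import re
from collections import defaultdict

# Sample input: lines from the thread's capture plus one constructed, answered flow (port 51600).
CAPTURE = """5 packets captured
   1: 13:53:55.077220 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   4: 13:53:58.078395 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   5: 13:54:04.081782 10.79.5.71.51567 > 203.143.82.157.80: S 3687529814:3687529814(0) win 8192 <mss 1460,nop,nop,sackOK>
  10: 13:54:30.000000 10.79.5.71.51600 > 203.143.82.157.80: S 1000:1000(0) win 8192 <mss 1460,nop,nop,sackOK>
  11: 13:54:30.010000 203.143.82.157.80 > 10.79.5.71.51600: S 2000:2000(0) ack 1001 win 65535 <mss 1460>
5 packets shown
"""

PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)(?P<rest>.*)$")

def parse_capture(text):
    """Yield (src, sport, dst, dport, flags, acks) for each packet line."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            yield (d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
                   d["flags"], " ack " in d["rest"])

def classify_flows(text, client_ip):
    """Per client 4-tuple: was the handshake answered, refused, or left hanging?"""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for src, sport, dst, dport, flags, acks in parse_capture(text):
        if src == client_ip:                      # client -> server direction
            key = (src, sport, dst, dport)
            if "S" in flags and not acks:
                flows[key]["syn"] += 1
        else:                                     # server -> client direction
            key = (dst, dport, src, sport)
            if "S" in flags and acks:
                flows[key]["synack"] += 1
            if "R" in flags:
                flows[key]["rst"] += 1
    verdicts = {}
    for key, c in flows.items():
        if c["synack"]:
            verdicts[key] = "handshake answered"
        elif c["rst"]:
            verdicts[key] = "refused with RST"
        else:   # what the thread's capture shows: retransmitted SYNs, no reply at all
            verdicts[key] = "%d SYN(s) sent, no reply seen" % c["syn"]
    return verdicts
```

A flow that reads "no reply seen" on the inside capture means the reply never made it back through the ASA; capturing the same flow on the outside interface tells you whether the ASA dropped it or the far end never answered.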
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40020977
#show asp drop
0
 

Author Comment

by:DrakeCA
ID: 40021022
Result of the command: "sh asp drop"

Frame drop:
  Invalid encapsulation (invalid-encap)                                      525
  Invalid TCP Length (invalid-tcp-hdr-length)                                214
  Invalid UDP Length (invalid-udp-length)                                      8
  Flow is denied by configured rule (acl-drop)                          21494160
  Invalid SPI (np-sp-invalid-spi)                                              1
  First TCP packet not SYN (tcp-not-syn)                                 2922037
  Bad TCP flags (bad-tcp-flags)                                               85
  TCP data send after FIN (tcp-data-past-fin)                                 40
  TCP failed 3 way handshake (tcp-3whs-failed)                             67095
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              1907454
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                         25701
  TCP SYNACK on established conn (tcp-synack-ooo)                            103
  TCP packet SEQ past window (tcp-seq-past-win)                            30140
  TCP invalid ACK (tcp-invalid-ack)                                         3557
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                      42
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  2
  TCP RST/SYN in window (tcp-rst-syn-in-win)                              120829
  TCP packet failed PAWS test (tcp-paws-fail)                             200036
  CTM returned error (ctm-error)                                               1
  IPSEC tunnel is down (ipsec-tun-down)                                       25
  Slowpath security checks failed (sp-security-failed)                     46918
  Expired flow (flow-expired)                                                  3
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          6
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                   108
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                       709
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)         16
  DNS Inspect packet too long (inspect-dns-pak-too-long)                      33
  DNS Inspect id not matched (inspect-dns-id-not-matched)                   2795
  FP L2 rule drop (l2_acl)                                              40112675
  Interface is down (interface-down)                                           5
  Dropped pending packets in a closed socket (np-socket-closed)            17606

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    162
  NAT reverse path failed (nat-rpf-failed)                                    28
  Need to start IKE negotiation (need-ike)                                   748
  Inspection failure (inspect-fail)                                       190300
  SSL bad record detected (ssl-bad-record-detect)                             71
  SSL handshake failed (ssl-handshake-failed)                                 54
  SSL malloc error (ssl-malloc-error)                                          9
  SSL received close alert (ssl-received-close-alert)                          2

Last clearing: Never
0
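With "Last clearing: Never" these are lifetime totals, so one snapshot says nothing about a single flow; the usable technique is to snapshot, reproduce the failure, snapshot again and look only at what moved (or run clear asp drop first). An added Python example, not from the thread, that parses show asp drop output and diffs two snapshots; the BEFORE/AFTER values are constructed for illustration, not measured on this ASA.

```python
import re

# Matches one counter line of "show asp drop", e.g.
#   "  TCP failed 3 way handshake (tcp-3whs-failed)                             67095"
ASP_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {reason: count} for every Frame/Flow drop counter in the output."""
    counters = {}
    for line in text.splitlines():
        m = ASP_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters

def asp_drop_delta(before, after):
    """Counters that increased between two snapshots, biggest increase first."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    grew = {r: n - b.get(r, 0) for r, n in a.items() if n - b.get(r, 0) > 0}
    return sorted(grew.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed snapshots: a few of the thread's counters before a repro attempt,
# and the same counters afterwards (only acl-drop and tcp-not-syn moved).
BEFORE = """Frame drop:
  Flow is denied by configured rule (acl-drop)                          21494160
  First TCP packet not SYN (tcp-not-syn)                                 2922037
  TCP failed 3 way handshake (tcp-3whs-failed)                             67095
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                   108

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    162
"""
AFTER = """Frame drop:
  Flow is denied by configured rule (acl-drop)                          21494172
  First TCP packet not SYN (tcp-not-syn)                                 2922038
  TCP failed 3 way handshake (tcp-3whs-failed)                             67095
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                   108

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    162
"""
```

Counters that do not move while the failing connection is retried are not where the packets are going; an empty delta for the flow in question points, as it did here, away from the ASA.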
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40021060
Well, it's become more confusing now! I have some doubts about MSS and I'm really not sure if it's going to fix this case or not, but let's try:

ASA(config)#access-list http-list2 permit tcp any any
ASA(config)#
ASA#configure terminal
ASA(config)#
ASA(config)#class-map http-map1
ASA(config-cmap)#match any    
ASA(config-cmap)#exit
ASA(config)#tcp-map mss-map
ASA(config-tcp-map)#exceed-mss allow
ASA(config-tcp-map)#exit
ASA(config)#policy-map http-map1
ASA(config-pmap)#class http-map1
ASA(config-pmap-c)#set connection advanced-options mss-map
ASA(config-pmap-c)#exit
ASA(config-pmap)#exit
ASA(config)#service-policy http-map1 global
0
 

Author Comment

by:DrakeCA
ID: 40021246
I am hesitant to add more complexity to our system.  Currently I can't ping the IP of the web server from inside our network, but I can ping it from the other side of the ASA.  From what I read I believe MSS only relates to HTTP traffic.

Thoughts??

P.S.  I truly appreciate your efforts so far, I've learned some new ways to get info out of the ASA which will come in helpful down the road.
0
 
LVL 6

Accepted Solution

by:
Hassan Besher earned 500 total points
ID: 40021301
Just save your current stable config and apply the above commands; if there's still no difference, then reboot your ASA to convert back to your old stable config. Just my 2 cents!
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40021556
What is the website that you are trying to visit? The complete URL will be most helpful. Is it using port 80 or another port? Are you able to provide us with a sanitized running configuration of your ASA?

By default the ASA will block pings (ICMP), so you would need to adjust your ACLs in order to get this to work, but more importantly we need to focus on what the issue is with the website and your internal network. Do you have any IPS sensor on your ASA 5510?
0
 

Author Comment

by:DrakeCA
ID: 40022423
Hi guys, time for an update.

Even though I asked the remote site multiple times, and they insisted everything was fine on their end, they finally had a senior engineer look at their firewall.  Apparently someone had added our firewall's IP address to a blacklist and it was blocking our access.  As soon as he took it out I could magically access the site.

Sorry for wasting everyone's time yesterday, I do appreciate all efforts on this!
0
