Monday, May 4, 2020

Weird TCP Issue

Hi Guys,

I've run into an issue that's stumping me and my team. Thought I might throw it out here in case someone had seen something similar.

We have two public IPs on an ASA where the HTTPS services behind those IPs are not reachable. Other IPs in the same subnet on the ASA are working fine. I've got a packet capture on the client machine and on the ASA. The initial TCP handshake is failing with "TCP ACKed unseen segment". The packets in the captures are lining up, so it doesn't look like anything is missed by the capture, but there is something weird in the TCP sequence numbers.

When the initial SYN packet leaves the client, it has TCP seq (raw) 3740762526 but in the capture on the ASA, it has seq 1413747879. The packet goes on to the server and the ASA captures a SYN, ACK reply matching seq 141... Then the client sees the reply with the same SEQ and ACK number that left the ASA, but these no longer match the original SYN packet on the client and thus the handshake fails.

Client ----- ASA
SEQ, ACK ----- SEQ, ACK
3740762526, 0 -----> 1413747879, 0
820296656, 1413747880 <----- 820296656, 1413747880

What am I missing here? What would cause the seq number to change between the time it leaves the client but before it hits the edge firewall on the other side?

Thanks!
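As an added example that is not part of the original post: a small Python script that correlates the handshake seen at the two capture points, computes the offset applied to the client's ISN in transit, and checks whether the SYN-ACK the client receives acknowledges its original ISN. The addresses, capture lists and helper names are constructed assumptions; the sequence and ACK numbers are the ones quoted in the post.

```python
# Correlate a TCP handshake seen at two capture points (client host and ASA)
# and report whether sequence numbers were rewritten in transit.
# Sample data below is constructed; the numbers mirror the post.

CLIENT_IP = "192.0.2.10"    # constructed placeholder client address
SERVER_IP = "198.51.100.5"  # constructed placeholder public IP behind the ASA

# Each packet: (src, dst, flags, raw seq, raw ack), as Wireshark shows them.
client_capture = [
    (CLIENT_IP, SERVER_IP, "SYN", 3740762526, 0),
    (SERVER_IP, CLIENT_IP, "SYN-ACK", 820296656, 1413747880),
]
asa_capture = [
    (CLIENT_IP, SERVER_IP, "SYN", 1413747879, 0),
    (SERVER_IP, CLIENT_IP, "SYN-ACK", 820296656, 1413747880),
]

MOD = 2 ** 32  # TCP sequence space wraps at 2^32


def find(packets, flags):
    """Return the first packet carrying the given flags, or None."""
    return next((p for p in packets if p[2] == flags), None)


def diagnose(near, far):
    """Compare the handshake at the near (client) and far (ASA) capture points.

    Returns a dict with the ISN offset seen between the two points and
    whether the SYN-ACK delivered to the client is acceptable to it.
    """
    syn_near, syn_far = find(near, "SYN"), find(far, "SYN")
    synack_near = find(near, "SYN-ACK")
    result = {}
    # Offset added to the client's ISN between the two capture points; 0 = untouched.
    result["syn_offset"] = (syn_far[3] - syn_near[3]) % MOD
    # The client only accepts a SYN-ACK whose ACK equals its own ISN + 1.
    expected_ack = (syn_near[3] + 1) % MOD
    result["expected_ack"] = expected_ack
    result["observed_ack"] = synack_near[4]
    result["client_accepts"] = synack_near[4] == expected_ack
    # True if the reply acknowledges the rewritten ISN instead of the original:
    # whatever rewrote the SYN did not map the reply back on the return path.
    result["acks_rewritten_isn"] = synack_near[4] == (syn_far[3] + 1) % MOD
    return result


if __name__ == "__main__":
    for key, value in diagnose(client_capture, asa_capture).items():
        print(f"{key}: {value}")
```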
