Thursday, September 16, 2021

Cisco ASA TCP Reset-O

Hello all,

I've been troubleshooting an issue for weeks now. I'm still fairly new to Cisco ASA and trying to learn.

Hopefully people will take the time to read this.

So we have a server (10.233.10.10) that needs to access another server (10.254.254.58) on port 443.

Here is the topology: [Imgur link]

So when I try to do a TCP connection test from server: 10.233.10.10 > 10.254.254.58 on port 443, I get this log message in the ASA-A:

Sep 16 2021 08:58:18: %ASA-6-302013: Built outbound TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 (10.254.254.58/443) to INT-PROD:10.233.10.10/52275 (10.233.10.10/52275)

Sep 16 2021 08:58:18: %ASA-6-302014: Teardown TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 to INT-PROD:10.233.10.10/52275 duration 0:00:00 bytes 0 TCP Reset-O from TRANSIT-E

Server-A (10.233.10.10) is directly connected behind ASA-A and server-B (10.254.254.58) is directly connected behind ASA-B. On ASA-B, I'm not able to see the traffic there because all HTTPS traffic goes via a proxy. The Windows guys said that they could not see 10. addresses bypassing the proxy. We have routing from server-A all the way to server-B. I can ping from server-A, ASA-A, Switch_A, Switch_B and ASA-B to server-B, so routing is not the problem.

On ASA-A and ASA-B, HTTPS is open; I confirmed that the source IP and destination IP are correctly defined in both firewalls and that the ACL is applied to the correct interfaces. We do not have any ACL for HTTPS in the switches that could block HTTPS. From server-B, ASA-B and the switches, I can't ping 10.233.10.10, and that is because ping is not allowed (for security reasons).

So my question is:

  1. What does the TCP Reset-O mean in the ASA-A log: "built outbound TCP con for TRANSIT-E: 10.254.254.58/443 to INT-PROD: 10.233.10.10"? From what I understand and the research I did, it means that the server on the outside reset the TCP connection. Another link says that TCP Reset-O means "A TCP reset enters a low security interface and exits a high security interface".
  2. This is probably a very stupid question, but since server-A is the one that makes an outbound TCP connection, shouldn't the log instead say "built outbound TCP for 10.233.10.10 > 10.254.254.58:443" and not vice versa? I know all about the TCP three-way handshake, but I don't understand this log message.

I did a packet-tracer and here is the output (PS: you will probably ask me if I can do a TCP test to 10.254.254.59, but that server is down...)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.233.63.67 using egress ifc TRANSIT-E

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.233.10.10 using egress ifc INT-PROD

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INT-PROD in interface INT-PROD
access-list ACL-INT-PROD remark --- Traffic from PROD to GRP-NETAPP-CONTROLLER
access-list ACL-INT-PROD remark - TCP/443, HTTPS
access-list ACL-INT-PROD extended permit tcp object PROD object-group GRP-NETAPP-CONTROLLER eq https
object-group network GRP-NETAPP-CONTROLLER
network-object host 10.255.254.58
network-object host 10.255.254.59
network-object host 10.254.254.58
network-object host 10.254.254.59
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a9cada30, priority=13, domain=permit, deny=false
hits=344, user_data=0x7f9096d4c6c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.233.10.10, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.254.254.58, mask=255.255.255.255, port=443, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a17ec1a0, priority=0, domain=nat-per-session, deny=false
hits=1260680592, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a415bbb0, priority=0, domain=inspect-ip-options, deny=true
hits=2216536, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map FIREPOWER
match access-list ACL-FIREPOWER-V2
policy-map global_policy
class FIREPOWER
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90aebb3010, priority=71, domain=sfr, deny=false
hits=1528351, user_data=0x7f90ae264f60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a9043430, priority=20, domain=lu, deny=false
hits=620700, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f90a17ec1a0, priority=0, domain=nat-per-session, deny=false
hits=1260680594, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f90a4d2ac20, priority=0, domain=inspect-ip-options, deny=true
hits=9315805, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=TRANSIT-E, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 824613129, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: INT-PROD
input-status: up
input-line-status: up
output-interface: TRANSIT-E
output-status: up
output-line-status: up
Action: allow

I appreciate your help!
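Added example (not part of the original post): a small Python triage script that correlates the two ASA syslog lines quoted above (%ASA-6-302013 Built / %ASA-6-302014 Teardown) by connection id and pulls out what a defender looks at first: the direction keyword, which endpoint initiated the connection, the teardown reason, and the interface the closing segment came from. It assumes only Python 3 and the message shapes shown in the post; the sample log is the post's own two lines.

```python
import re

# Constructed sample: the two ASA-A syslog lines quoted in the post.
SAMPLE_LOG = """\
Sep 16 2021 08:58:18: %ASA-6-302013: Built outbound TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 (10.254.254.58/443) to INT-PROD:10.233.10.10/52275 (10.233.10.10/52275)
Sep 16 2021 08:58:18: %ASA-6-302014: Teardown TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 to INT-PROD:10.233.10.10/52275 duration 0:00:00 bytes 0 TCP Reset-O from TRANSIT-E
"""

# 302013: the ASA lists the lower-security interface first ("for ...") and the
# higher-security one second ("to ..."); the direction keyword says who initiated.
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<lo>[^:]+:[\d.]+/\d+) \([^)]*\) to (?P<hi>[^:]+:[\d.]+/\d+)")
# 302014: duration, byte count, optional reason, optional "from <interface>".
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .* duration "
    r"(?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+?))?(?: from (?P<src>\S+))?$")

def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def correlate(log_text):
    """Pair Built/Teardown messages by connection id; returns {conn_id: record}."""
    conns = {}
    for line in log_text.splitlines():
        if (m := BUILT.search(line)):
            lo, hi = m["lo"], m["hi"]
            # outbound = initiated from the higher-security side, inbound = from the lower
            originator, responder = (hi, lo) if m["dir"] == "outbound" else (lo, hi)
            conns[m["id"]] = {"direction": m["dir"], "originator": originator,
                              "responder": responder}
        elif (m := TEARDOWN.search(line)):
            rec = conns.setdefault(m["id"], {})
            rec.update(duration=hms_to_seconds(m["dur"]), bytes=int(m["bytes"]),
                       reason=m["reason"] or "", reset_from=m["src"])
    return conns

def classify(rec):
    """Triage label for a torn-down connection."""
    reason = rec.get("reason", "")
    if reason.startswith("TCP Reset"):
        if rec.get("bytes", 0) == 0:
            # RST arrived from the reset_from interface before any payload flowed
            return "reset-before-data"
        return "reset-after-data"
    if reason == "TCP FINs":
        return "normal-close"
    return "other"
```

For the post's lines this yields originator INT-PROD:10.233.10.10/52275, responder TRANSIT-E:10.254.254.58/443 and the label reset-before-data with reset_from TRANSIT-E, which is the fact to chase on the ASA-B/proxy side rather than in the ASA-A ACLs.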
