Thursday, July 8, 2021

ASA Teardown TCP connection SYN timeout

Hello all,

I posted yesterday about a similar topic and all the responses were awesome, very helpful, so thank you for that!

Anyway, I'm very curious and want to learn more about Cisco ASAs and the logs, so I have a question.

A customer wants access to a public IP on port 22 so that they can share files. They claim that they can't reach the IP (let's say 200.200.200.200). I asked them to confirm the source IP (10.230.150.36). Here is an output from the logs:

The ACL I configured:

access-list TRANSIT extended permit ip 10.230.150.36 255.255.240.0 host 200.200.200.200

I also see two hitcounts. The 10.230.150.36 is routed via the TRANSIT interface. The ACL is configured on IP and not on a specific port. I know I should define a port (22 in this case) instead of just permitting on IP.

2021-07-08T09:10:02+02:00 10.230.130.25 %ASA-6-302013: Built outbound TCP connection 21416433 for OUTSIDE:200.200.200.200 (200.200.200.200) to CDN-TRANSIT:10.230.150.36/51536 (200.200.200.200/51536)

2021-07-08T09:10:21+02:00 10.230.130.25 %ASA-6-302013: Built outbound TCP connection 21419811 for OUTSIDE:200.200.200.200 (200.200.200.200) to CDN-TRANSIT:10.230.150.36/64416 (200.200.200.200/64416)

2021-07-08T09:10:32+02:00 10.230.130.25 %ASA-6-302014: Teardown TCP connection 21416433 for OUTSIDE:200.200.200.200 to CDN-TRANSIT:10.230.150.36/51536 duration 0:00:30 bytes 0 SYN Timeout

2021-07-08T09:10:51+02:00 10.230.130.25 %ASA-6-302014: Teardown TCP connection 21419811 for OUTSIDE:200.200.200.200 to CDN-TRANSIT:10.230.150.36/64416 duration 0:00:30 bytes 0 SYN Timeout

Here, as you can see, we have "Built outbound TCP connection", which is good, that is what I want to see. But then you can see "Teardown TCP connection ... bytes 0 SYN Timeout". What does that actually mean? I looked that up and apparently it means that the connection timed out because the remote end server did not give a reply to the user's attempt to form the TCP connection. So what I understand from this is that it should be something on their end that is blocking the user from accessing 200.200.200.200, a firewall or an actual problem with the server maybe?

Thanks for all the help.
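To make the pairing done by eye above mechanical, here is an added Python example (not from the post and not Cisco code) that parses the four %ASA-6-302013 / %ASA-6-302014 lines quoted above, joins each Built line to its Teardown by connection id, and flags connections torn down with "SYN Timeout" after 0 bytes, that is, connections the ASA permitted and forwarded but for which no SYN/ACK ever came back. The sample log is the post's own lines embedded as constructed input; the helper names and the initiator/responder labels are mine. Reading the "to" side as the initiator follows these lines, where 10.230.150.36 is the endpoint carrying the ephemeral port.

```python
"""Pair Cisco ASA 302013 (Built) and 302014 (Teardown) TCP syslog events and
flag connections that died with "SYN Timeout" and zero bytes. Added example."""
import re
from datetime import datetime

# Constructed sample input: the four syslog lines quoted in the post.
SAMPLE_LOG = """\
2021-07-08T09:10:02+02:00 10.230.130.25 %ASA-6-302013: Built outbound TCP connection 21416433 for OUTSIDE:200.200.200.200 (200.200.200.200) to CDN-TRANSIT:10.230.150.36/51536 (200.200.200.200/51536)
2021-07-08T09:10:21+02:00 10.230.130.25 %ASA-6-302013: Built outbound TCP connection 21419811 for OUTSIDE:200.200.200.200 (200.200.200.200) to CDN-TRANSIT:10.230.150.36/64416 (200.200.200.200/64416)
2021-07-08T09:10:32+02:00 10.230.130.25 %ASA-6-302014: Teardown TCP connection 21416433 for OUTSIDE:200.200.200.200 to CDN-TRANSIT:10.230.150.36/51536 duration 0:00:30 bytes 0 SYN Timeout
2021-07-08T09:10:51+02:00 10.230.130.25 %ASA-6-302014: Teardown TCP connection 21419811 for OUTSIDE:200.200.200.200 to CDN-TRANSIT:10.230.150.36/64416 duration 0:00:30 bytes 0 SYN Timeout
"""

# One endpoint as the ASA prints it: IFACE:ip[/port], optionally followed by the
# NAT-mapped "(ip[/port])". The port is absent on the OUTSIDE side in these lines.
_EP = (r"(?P<{p}_if>[\w-]+):(?P<{p}_ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}})"
       r"(?:/(?P<{p}_port>\d+))?(?: \([^)]*\))?")

BUILT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection "
    r"(?P<id>\d+) for " + _EP.format(p="for") + " to " + _EP.format(p="to"))

TEARDOWN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    + _EP.format(p="for") + " to " + _EP.format(p="to")
    + r" duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


def parse_events(log_text):
    """Return {conn_id: record}, merging the Built and Teardown line of each id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            rec = conns.setdefault(m["id"], {"id": m["id"]})
            rec.update(
                built_at=datetime.fromisoformat(m["ts"]),
                direction=m["dir"],
                # In these lines the host with the ephemeral port is on the "to" side.
                initiator=(m["to_if"], m["to_ip"], m["to_port"]),
                responder=(m["for_if"], m["for_ip"], m["for_port"]),
            )
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            rec = conns.setdefault(m["id"], {"id": m["id"]})
            rec.update(
                torn_down_at=datetime.fromisoformat(m["ts"]),
                duration_s=int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                bytes=int(m["bytes"]),
                reason=m["reason"],
            )
    return conns


def handshake_failures(conns):
    """Connections the ASA created a slot for but whose far end never completed
    the three-way handshake: torn down with 'SYN Timeout' having carried 0 bytes."""
    failed = [r for r in conns.values()
              if r.get("reason") == "SYN Timeout" and r.get("bytes") == 0]
    return sorted(failed, key=lambda r: r["built_at"])


def gap_matches_duration(rec):
    """Sanity check: Teardown timestamp minus Built timestamp equals the logged duration."""
    gap = (rec["torn_down_at"] - rec["built_at"]).total_seconds()
    return int(gap) == rec["duration_s"]


def describe(rec):
    """One-line verdict for a failed handshake."""
    ini_if, ini_ip, ini_port = rec["initiator"]
    rsp_if, rsp_ip, _ = rec["responder"]
    return (f"conn {rec['id']}: {ini_if}:{ini_ip}/{ini_port} -> {rsp_if}:{rsp_ip}: "
            f"SYN was permitted and forwarded, no SYN/ACK seen within {rec['duration_s']}s")


if __name__ == "__main__":
    for rec in handshake_failures(parse_events(SAMPLE_LOG)):
        print(describe(rec), "(timestamps consistent)" if gap_matches_duration(rec) else "")
```

The 302013 line is written when the ASA accepts the initial SYN, so its presence confirms the ACL and routing on the ASA did their job; the matching 302014 with "SYN Timeout" and "bytes 0" means the embryonic connection sat in the table until the ASA's embryonic timeout (30 seconds by default, matching the logged duration) expired without a SYN/ACK. Whether the reply was dropped upstream or the host behind 200.200.200.200 is not listening on that port cannot be told from these lines alone; a capture on the OUTSIDE interface would show whether the SYN actually left and whether anything came back.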


