Hello all,
I've been troubleshooting an issue for weeks now. Im still fairly new to Cisco ASA and trying to learn.
Hopefully people will take their time and read this.
So we have a server (10.233.10.10) thats needs access another server (10.254.254.58) on port 443.
Here is the topology: Imgur: The magic of the Internet
So when I try to do a TCP connection test from server: 10.233.10.10 > 10.254.254.58 on port 443, I get this log message in the ASA-A:
Sep 16 2021 08:58:18: %ASA-6-302013: Built outbound TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 (10.254.254.58/443) to INT-PROD:10.233.10.10/52275 (10.233.10.10/52275)
Sep 16 2021 08:58:18: %ASA-6-302014: Teardown TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 to INT-PROD:10.233.10.10/52275 duration 0:00:00 bytes 0 TCP Reset-O from TRANSIT-E
The server-A: 10.233.10.10 is directly connected behind ASA-A and the server-B: 10.254.254.58 is directly connected behind ASA-B. In the ASA-B, Im not able to see traffic there because all HTTPS traffic goes via proxy. The windows guys said that they could not see 10. addresses bypass the proxy. We have routing from the server-A all the way to server-B. I can ping from server-A, ASA-A, Switch_A, Switch_B and ASA-B to server-B so routing is no problem with.
In the ASA-A and ASA-B, it is open for HTTPS, I confirmed that the source IP and destination IP is correctly defined in both firewalls and that the ACL is applied to correct interfaces. We do not do any ACL for HTTPS in the switches that could block HTTPS. From server-B and ASA-B and the switches, I cant ping 10.233.10.10 and that is because ping is not allowed (for security reasons).
So my question is:
- What does the TCP Reset-O mean in the ASA-A log: "built outbound TCP con for TRANSIT-E: 10.254.254.58/443 to INT-PROD: 10.233.10.10". From what I understand it and the research I did, it means that the server on the outside reset the TCP connection. Another link says that TCP reset-O mean "A TCP reset enter a low security interface and exit a high security interface"
- This is probably a very stupid question, but since server-A is the one that makes an outbound TCP connection, shouldn't the log say instead "built outbound TCP for 10.233.10.10 > 10.254.254.58:443" and not vice versa? I know all that about TCP threeway handshake but I dont understand this log message.
I did a packet-tracer and here is the output (PS: You probably will ask me if I can do a TCP to 10.254.254.59 but that server is down...)
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.233.63.67 using egress ifc TRANSIT-E
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.233.10.10 using egress ifc INT-PROD
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INT-PROD in interface INT-PROD
access-list ACL-INT-PROD remark --- Traffic from PROD to GRP-NETAPP-CONTROLLER
access-list ACL-INT-PROD remark - TCP/443, HTTPS
access-list ACL-INT-PROD extended permit tcp object PROD object-group GRP-NETAPP-CONTROLLER eq https
object-group network GRP-NETAPP-CONTROLLER
network-object host 10.255.254.58
network-object host 10.255.254.59
network-object host 10.254.254.58
network-object host 10.254.254.59
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a9cada30, priority=13, domain=permit, deny=false
hits=344, user_data=0x7f9096d4c6c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.233.10.10, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.254.254.58, mask=255.255.255.255, port=443, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a17ec1a0, priority=0, domain=nat-per-session, deny=false
hits=1260680592, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a415bbb0, priority=0, domain=inspect-ip-options, deny=true
hits=2216536, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any
Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map FIREPOWER
match access-list ACL-FIREPOWER-V2
policy-map global_policy
class FIREPOWER
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90aebb3010, priority=71, domain=sfr, deny=false
hits=1528351, user_data=0x7f90ae264f60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90a9043430, priority=20, domain=lu, deny=false
hits=620700, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INT-PROD, output_ifc=any
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f90a17ec1a0, priority=0, domain=nat-per-session, deny=false
hits=1260680594, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f90a4d2ac20, priority=0, domain=inspect-ip-options, deny=true
hits=9315805, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=TRANSIT-E, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 824613129, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Result:
input-interface: INT-PROD
input-status: up
input-line-status: up
output-interface: TRANSIT-E
output-status: up
output-line-status: up
Action: allow
I appreciate your help!
No comments:
Post a Comment