Firewall Wizards mailing list archives

Re: Reset-O from everyone


From: "Chris Proctor" <Chris.Proctor () sungardhe com>
Date: Wed, 7 May 2008 21:43:45 -0400

Bill,

This triggered a couple of thoughts in my head.  
1.) Are you really seeing TCP resets or is this a timeout/state related
issue?
2.) If you are really seeing TCP resets, I would be looking for an
IDS/IPS (inclusive of potentially the ASA itself.)
3.) If it is timeout related, I would be looking to see if the TCP
timeout is mis-set or some other item is causing the ASA to consider the
connection dead and removing it.

It seems key to me to discover if you truly are having TCP resets or if
there's another culprit at work.

My first step would be to use the capture command on the ASA to capture
some of the packets going to/from a host on your network (looking
specifically for the connection resets.)  You can compare this
information from a show conn | inc <hostip> executed at the time of the
transfer.

There are a couple of other questions I'd need to ask to clarify your
situation if these don't point you to the answer:
1.) Are you running NAT?
2.) What version of code are you on?
3.) Do you have inspect turned on for each of the protocols which are
having an issue?  
4.) Are you seeing packet fragmentation, out of order packets or missing
sequence numbers?
5.) Is the TCP window size changing in the flows having the issue?
6.) Does an internal transfer across the ASA have the same issues?  (For
instance inside to a DMZ)  (I believe you answered that but just so I'm
clear on what "inside our network" means.)

Chris Proctor
Sungard Higher Education
---------------

Date: Tue, 6 May 2008 14:52:31 -0500
From: "Bill O'Connell" <boconnell () libertycreativesolutions com>
Subject: [fw-wiz] Reset-O from everyone!
 
I have been having a problem with my new Cisco ASA 5505. In FTP, HTTP
and SMTP traffic I keep getting Reset-O. Then (especially with the HTTP
file transfers we do) I get 1 or sometimes many Deny TCP (no
connection).

I have a real hard time believing that all of these outside hosts are
doing Resets - and then still trying to communicate.

Cisco is looking at a pcap now, and it does show retransmissions from
our web server to the host.

Has anyone seen this kind of behavior before? Does anyone have any
suggestions? Could it be that there is a faulty router at our ISP?

Everything works flawlessly inside of our network.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
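Chris's first question (are these genuine TCP resets, or is the ASA timing the connection out and then dropping the late packets?) can be answered from the ASA's own syslog before going to a capture: the teardown message carries the reason the connection was removed, and a "Deny TCP (no connection)" that follows the teardown for the same 4-tuple is the "still trying to communicate" symptom Bill describes. The script below is an added example, not part of this thread and not from Cisco; it parses constructed syslog lines shaped like the ASA 302014 (teardown) and 106015 (deny) messages, buckets teardown reasons into reset / timeout / clean close, tallies them per outside host, and pairs denies with a preceding reset on the same flow. The exact field layout of the two messages is an assumption about the ASA format, so check the regexes against real output.

```python
"""Classify ASA connection teardowns and correlate them with Deny TCP (no connection)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog in the shape of ASA message 302014 (teardown, ending
# in a reason string) and 106015 (Deny TCP (no connection)). Hosts, ports,
# connection ids and times are made up; the field layout is an assumption.
SAMPLE_LOG = """\
May 06 2008 14:40:01 asa %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.20/80 to inside:192.0.2.10/51234 duration 0:00:12 bytes 48211 TCP Reset-O
May 06 2008 14:40:02 asa %ASA-6-106015: Deny TCP (no connection) from 198.51.100.20/80 to 192.0.2.10/51234 flags ACK on interface outside
May 06 2008 14:40:02 asa %ASA-6-106015: Deny TCP (no connection) from 198.51.100.20/80 to 192.0.2.10/51234 flags PSH ACK on interface outside
May 06 2008 14:45:30 asa %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.7/25 to inside:192.0.2.11/40000 duration 1:00:04 bytes 1200 Idle Timeout
May 06 2008 14:46:00 asa %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.7/25 to inside:192.0.2.11/40002 duration 0:00:05 bytes 900 TCP FINs
May 06 2008 14:50:10 asa %ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.21/21 to inside:192.0.2.10/51300 duration 0:00:03 bytes 300 TCP Reset-O
"""

TS_RE = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
TEARDOWN_RE = re.compile(
    TS_RE + r" \S+ %ASA-\d-302014: Teardown TCP connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration [\d:]+ bytes \d+ (?P<reason>.+)$"
)
DENY_RE = re.compile(
    TS_RE + r" \S+ %ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[\w ]+) on interface (?P<iface>\w+)$"
)


def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")


def classify_reason(reason):
    """Bucket a teardown reason: a real RST seen by the ASA, an ASA-side timeout, or a clean close."""
    if "Reset" in reason:
        return "reset"      # TCP Reset-O / Reset-I: an RST actually crossed the firewall
    if "Timeout" in reason:
        return "timeout"    # Idle / FIN / SYN Timeout: the ASA itself gave up on the flow
    if reason == "TCP FINs":
        return "normal"
    return "other"


def parse_events(text):
    """Turn teardown and deny lines into dicts keyed by an unordered 4-tuple."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.match(line)
        if m:
            d = m.groupdict()
            key = frozenset({(d["ip_a"], int(d["port_a"])), (d["ip_b"], int(d["port_b"]))})
            events.append({"kind": "teardown", "ts": _ts(d["ts"]), "key": key,
                           "reason": d["reason"].strip(),
                           "peers": {d["if_a"]: d["ip_a"], d["if_b"]: d["ip_b"]}})
            continue
        m = DENY_RE.match(line)
        if m:
            d = m.groupdict()
            key = frozenset({(d["src_ip"], int(d["src_port"])), (d["dst_ip"], int(d["dst_port"]))})
            events.append({"kind": "deny", "ts": _ts(d["ts"]), "key": key,
                           "flags": d["flags"], "src": d["src_ip"]})
    return events


def reasons_by_outside_peer(events, outside_if="outside"):
    """Per outside host, how its connections ended (Reset-O from many hosts is the symptom in the thread)."""
    out = defaultdict(Counter)
    for e in events:
        if e["kind"] == "teardown" and outside_if in e["peers"]:
            out[e["peers"][outside_if]][e["reason"]] += 1
    return dict(out)


def denies_after_reset(events, window=timedelta(seconds=30)):
    """Denies whose 4-tuple matches a reset teardown within `window` after it: the peer kept talking."""
    resets = [e for e in events if e["kind"] == "teardown" and classify_reason(e["reason"]) == "reset"]
    hits = []
    for d in (e for e in events if e["kind"] == "deny"):
        for r in resets:
            if r["key"] == d["key"] and timedelta(0) <= d["ts"] - r["ts"] <= window:
                hits.append((d["ts"], d["src"], d["flags"], r["reason"]))
                break
    return hits


def summarize(text):
    events = parse_events(text)
    buckets = Counter(classify_reason(e["reason"]) for e in events if e["kind"] == "teardown")
    return {"reset": buckets["reset"], "timeout": buckets["timeout"],
            "normal": buckets["normal"], "other": buckets["other"],
            "denies_after_reset": len(denies_after_reset(events))}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for peer, reasons in reasons_by_outside_peer(parse_events(SAMPLE_LOG)).items():
        print(peer, dict(reasons))
```

If the "reset" bucket dominates and the denies line up behind it, the RSTs are real and the hunt moves to what is generating them (an IDS/IPS, the ASA's own inspection, or the far end); if "timeout" dominates, the ASA is dropping the state itself and the timeout settings are the place to look, which is exactly the split Chris draws.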