TCP Handshake fails on Cisco ASA

Tags: cisco-asa, firewall, tcp

I am using a Traffic Generator to set up a TCP connection that should pass through a Cisco ASA firewall.

My topology looks like this:

                     +------------------+                      
                     |  CISCO ASA       |                      
+------------+       |                  |                      
|  Client    +-------+Outside           |                      
|  10.1.202.1|       |10.1.202.254      |                      
|            |       |                  |        +------------+
+------------+       |            Inside|        |Server      |
                     |      10.1.102.254+--------+10.1.102.19 |
                     |                  |        |            |
                     +------------------+        +------------+

The connection should be established from one host in the external network (10.1.202.1/24) to a server in the internal network (10.1.102.19/24).

I see in Wireshark that the SYN passes the firewall (10.1.(1/2)02.254), but the SYN-ACK does not pass and is dropped (see captures: inside interface and outside interface).

From `show asp drop` I am informed that frames are dropped due to the following reason:

TCP failed 3 way handshake (tcp-3whs-failed)

I am not using ARP, but use the MAC address of the firewall interface, which is the default gateway.

I create the SYN, SYN-ACK and ACK like the following:

SYN: (Client (outside) to server (inside))

**Ethernet**
Destination MAC: <Mac Address of the Firewall-Interface>
Source MAC: <Mac Address of the Sending Device-Interface>

**IP**
Source IP: 10.1.202.1
Destination IP: 10.1.102.19
Default Gateway: 10.1.202.254

**TCP**
Source Port: 9000
Destination Port: 8000
Sequence number: 0
Acknowledgement number: 0
Synchronize: 1
Acknowledgement: 0

SYN-ACK: (Server (inside) to client (outside)) (this does not pass the firewall)

**Ethernet**
Destination MAC: <Mac Address of the Firewall-Interface>
Source MAC: <Mac Address of the Sending Device-Interface>

**IP**
Source IP: 10.1.102.19
Destination IP: 10.1.202.1
Default Gateway: 10.1.102.254

**TCP**
Source Port: 8000
Destination Port: 9000
Sequence number: 0
Acknowledgement number: 1
Synchronize: 1
Acknowledgement: 1

ACK: (Client (outside) to server (inside))

**Ethernet**
Destination MAC: <Mac Address of the Firewall-Interface>
Source MAC: <Mac Address of the Sending Device-Interface>

**IP**
Source IP: 10.1.202.1
Destination IP: 10.1.102.19
Default Gateway: 10.1.202.254

**TCP**
Source Port: 9000
Destination Port: 8000
Sequence number: 1
Acknowledgement number: 1
Synchronize: 0
Acknowledgement: 1

Furthermore, my topology is as follows:

The traffic generator client (outside network) is connected to a switch on which a VLAN is added. The switch is connected to the outside firewall interface.
On the inside network, the traffic generator is connected to the switch where VLAN tags are added, and the switch is connected to the inside interface of the firewall.

Can anyone tell me why the ASA drops the SYN-ACK?

Thanks in advance!

EDIT:

  • As suggested by Ron Trunk, I disabled the randomization of sequence numbers by using:

    random-sequence-number disable

  • Added capture of the inside-interface and the outside-interface.

  • Updated the capture files

Best Answer

By default, the ASA randomizes the sequence numbers in the handshake (to prevent session hijacks). So your sequence numbers don't actually match. You can turn off that feature.

    random-sequence-number disable
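To make the answer's point concrete, here is an added simulation (not from the question, the answer, or Cisco) of a firewall that tracks the handshake and, like the ASA by default, rewrites the client's initial sequence number by a random offset. The `AsaModel` class, its offset arithmetic and the verdict strings are a simplified assumption about the behaviour, not the real ASA code; only the addresses, ports and the `tcp-3whs-failed` reason come from the page.

```python
import random
from dataclasses import dataclass, replace

MOD = 2 ** 32
CLIENT, SERVER = "10.1.202.1", "10.1.102.19"  # hosts from the question


@dataclass
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    syn: bool
    ack_flag: bool


class AsaModel:
    """Simplified stand-in for the ASA's connection table and ISN randomization.
    Assumption: the real ASA does far more; only the offset/ack check is modelled."""

    def __init__(self, randomize, seed=7):
        self.randomize, self.rng, self.conns = randomize, random.Random(seed), {}

    def forward(self, s):
        if s.syn and not s.ack_flag:                       # SYN from outside -> new entry
            off = self.rng.randrange(1, MOD) if self.randomize else 0
            self.conns[(s.src, s.sport, s.dst, s.dport)] = {"isn": s.seq, "off": off}
            return replace(s, seq=(s.seq + off) % MOD), "pass"  # inside host sees shifted ISN
        if s.syn and s.ack_flag:                           # SYN-ACK from inside
            conn = self.conns.get((s.dst, s.dport, s.src, s.sport))
            if conn is None:
                return None, "drop: no-connection"
            expected = (conn["isn"] + conn["off"] + 1) % MOD  # must ack the shifted ISN
            if s.ack != expected:
                return None, "drop: tcp-3whs-failed"
            return replace(s, ack=(s.ack - conn["off"]) % MOD), "pass"  # unshift for client
        return None, "drop: not-modelled"


def handshake(randomize, stateless_server):
    """Return the firewall's verdict on the SYN-ACK. stateless_server=True reproduces the
    traffic generator's fixed ack=1; False derives the ack from the SYN actually received."""
    asa = AsaModel(randomize)
    syn = Seg(CLIENT, 9000, SERVER, 8000, seq=0, ack=0, syn=True, ack_flag=False)
    delivered, _ = asa.forward(syn)
    ack = 1 if stateless_server else (delivered.seq + 1) % MOD
    synack = Seg(SERVER, 8000, CLIENT, 9000, seq=0, ack=ack, syn=True, ack_flag=True)
    return asa.forward(synack)[1]
```

With randomization on, the generator's fixed `ack=1` never matches the shifted ISN and the SYN-ACK is dropped; disabling randomization, or building the ack from the SYN that actually arrived, lets it pass.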