
I've run Wireshark on our app server and noticed a reset packet is commonly being received when sending data to a remote telnet server when the connection has been idle for an hour or so.

I've read that our local firewall (ASA5505) may be sending this reset packet to clean up "old" connections, and that the ASA series is commonly known for this because of its low default timeouts. Is there any way I can prove whether or not the ASA is responsible or whether the packet is coming from some other source, e.g. running a packet sniffer on the firewall to see if the packet is ever received?

James

1 Answer


Yep. I would run Wireshark on a computer connected to the external ASA interface while simultaneously running it on the server. If the server receives a RST but the RST doesn't show up in Wireshark connected to the external interface then you know it's the firewall generating the RST. If the RST shows up in Wireshark connected to the external interface then you know the firewall isn't to blame.

joeqwerty
  • You might be able to achieve the same thing by running the packet capture on the ASA itself as the capture can be bound to a single interface, so set up one on the external and one on the internal interface. – James Yale Jul 12 '11 at 15:52
  • Does the ASA have the ability to run tcpdump or some other type of capture? – joeqwerty Jul 12 '11 at 15:54
  • Hi Joe. Thanks for coming back to me. I'm not sure what it means to have a computer on the ASA external interface - the firewall (and servers behind it) are hosted in a data centre and as I understand it the external interface is simply the connection to the data centre routers for internal network/internet access? – James Jul 12 '11 at 15:55
  • @Joe it actually does ... http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml – Zypher Jul 12 '11 at 15:57
  • @James: Typically you would plug the external interface into a switch, plug a laptop running Wireshark into the switch, plug the router internal interface into the switch, and configure port monitoring on the switch to mirror all traffic from the ASA connected port to the Wireshark connected port and run Wireshark on the laptop. There are a number of other ways to do it, dependent on the equipment and access that are available to you, but as Zypher pointed out, you can run a capture directly on the ASA so there's no need for any extraneous components/configurations. – joeqwerty Jul 12 '11 at 16:35
  • @JamesYale I've monitored both the internal and external interface. I receive the reset along with lots of other packets on the internal, however on the external I receive nothing at all. Is this because I'm connecting to the telnet server over VPN? How can I check if the reset is received through the VPN and then forwarded on as opposed to being generated by the ASA? – James Jul 12 '11 at 19:35
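Added example (not part of the question, answer or comments above): a Python script that performs the comparison joeqwerty describes on two exported captures, and also handles the case from the last comment where the outside interface shows nothing for the session. It assumes both captures were taken on the ASA itself, for example `capture capin interface inside match tcp any any eq 23` and the same as `capout` on `outside`, exported with `copy /pcap capture:capin tftp://...`, so that both sets of timestamps come from one clock; the libpcap, Ethernet and IPv4/TCP parsing is hand-written, and the hosts, ports and packets are constructed for the demo.

```python
# Added example: attribute TCP RSTs seen on the ASA's inside interface to the
# network or to the ASA itself by comparing inside and outside captures.
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
RST, PSH, ACK = 0x04, 0x08, 0x10


def parse_pcap(data):
    """Yield (timestamp, frame) for each record of a classic pcap buffer."""
    magic, = struct.unpack("<I", data[:4])
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)    # either byte order
    if end is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def tcp_segment(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:          # not TCP, or truncated
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, dst, sport, dport, off_flags & 0x1FF


def attribute_rsts(inside_pcap, outside_pcap, server_ip, window=0.5):
    """Classify each RST delivered to server_ip on the inside interface:
    'transit' = a RST from the same remote endpoint crossed the outside
    interface within `window` seconds (the ASA only forwarded it);
    'firewall' = the remote endpoint is seen outside but no matching RST is
    (the ASA generated it); 'inconclusive' = the remote endpoint never appears
    outside, e.g. the session rides a VPN tunnel and outside only shows ESP.
    Matching uses remote endpoint plus time, not the 4-tuple or sequence
    numbers: PAT rewrites the inside host's address/port, and the ASA
    randomizes initial sequence numbers across the firewall."""
    outside_rsts, outside_endpoints = [], set()
    for ts, frame in parse_pcap(outside_pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, flags = seg
        outside_endpoints.update({(src, sport), (dst, dport)})
        if flags & RST:
            outside_rsts.append((ts, src, sport))

    verdict = {"transit": [], "firewall": [], "inconclusive": []}
    for ts, frame in parse_pcap(inside_pcap):
        seg = tcp_segment(frame)
        if seg is None or not seg[4] & RST or seg[1] != server_ip:
            continue
        src, _dst, sport, dport, _flags = seg
        remote = (src, sport)
        if any((s, p) == remote and abs(t - ts) <= window for t, s, p in outside_rsts):
            verdict["transit"].append((ts, remote, dport))
        elif remote in outside_endpoints:
            verdict["firewall"].append((ts, remote, dport))
        else:
            verdict["inconclusive"].append((ts, remote, dport))
    return verdict


# ---- constructed sample captures, not real traffic -------------------------
def frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero for brevity."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes(12) + b"\x08\x00" + ip           # zero MACs, EtherType IPv4


def pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, f in records:
        out.append(struct.pack("<IIII", int(ts), round(ts % 1 * 1e6), len(f), len(f)) + f)
    return b"".join(out)


APP, NAT, TELNET, VPN_TELNET = "10.1.1.5", "203.0.113.10", "198.51.100.23", "10.9.9.23"
T = 1310490000.0                                   # arbitrary capture start time
INSIDE = pcap([
    (T + 0.0, frame(APP, TELNET, 40001, 23, PSH | ACK, b"ls\r\n")),
    (T + 0.1, frame(TELNET, APP, 23, 40001, RST | ACK)),      # also crosses outside
    (T + 5.0, frame(APP, TELNET, 40002, 23, PSH | ACK, b"ls\r\n")),
    (T + 5.0, frame(TELNET, APP, 23, 40002, RST | ACK)),      # nothing left outside
    (T + 9.0, frame(APP, VPN_TELNET, 40003, 23, PSH | ACK, b"ls\r\n")),
    (T + 9.1, frame(VPN_TELNET, APP, 23, 40003, RST | ACK)),  # peer behind a VPN
])
OUTSIDE = pcap([
    (T + 0.0, frame(NAT, TELNET, 5001, 23, PSH | ACK, b"ls\r\n")),   # PAT'd source
    (T + 0.1, frame(TELNET, NAT, 23, 5001, RST | ACK)),
])

if __name__ == "__main__":
    for kind, hits in attribute_rsts(INSIDE, OUTSIDE, APP).items():
        for ts, (rip, rport), port in hits:
            print(f"{kind:12s} RST {rip}:{rport} -> {APP}:{port} at +{ts - T:.1f}s")
```

On real exports call `attribute_rsts(open("capin.pcap", "rb").read(), open("capout.pcap", "rb").read(), "10.1.1.5")`. The three constructed flows give one verdict each: the first RST is matched on the outside leg (forwarded), the second has no outside counterpart although that telnet server is clearly reachable there (generated by the ASA), and the third is to a peer that never appears outside, which is exactly the VPN situation in the last comment: the outside interface carries only the encrypted tunnel, so an inside/outside pair cannot settle it and the comparison has to be made on the far side of the tunnel instead.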