Error log:
FWSM-1(config)# show log as | in 15.225
6|Aug 31 2012 09:44:36|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31073 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31041 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31169 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31105 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31137 flags SYN ACK on interface In-Internal_2
Basic understanding:
This message means the firewall denied the packet because it had no existing connection to match it against ("no connection").
For some reason the connection to the web server is being closed. Take a capture to determine where in the traffic flow the problem occurs.
FWSM-1(config)# access-list cap_acl permit tcp host 10.10.15.225 any
FWSM-1(config)# access-list cap-acl permit tcp any host 10.10.15.225
FWSM-1(config)# capture cap_traff access-list cap_acl in In-Internal_2
FWSM-1(config)# show capture cap_traff
12 packets seen, 12 packets captured
1: 10:00:01.1190680460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
2: 10:00:01.1190680700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
3: 10:00:04.1190683450 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
4: 10:00:04.1190683700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
5: 10:00:05.1190684460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
6: 10:00:05.1190685060 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
7: 10:00:10.1190689460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
8: 10:00:10.1190689710 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
9: 10:00:11.1190690660 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
10: 10:00:11.1190691070 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
11: 10:00:23.1190702670 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
12: 10:00:23.1190703070 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
12 packets shown
Analysis and conclusion:
The capture clearly shows that the three-way handshake never completed, i.e.:
SYN: Outside --> Inside
SYN-ACK: Inside --> Outside
Check the Inside --> Outside routing and whether port 80 is permitted in that direction. In my case, the upstream policy-based routing was denying it.
MFSC-1(config)#ip access-list extended to_2901_port
MFSC-1(config-ext-nacl)#permit tcp host 10.10.15.225 any eq 80 // the policy in place when the fault occurred
MFSC-1(config-ext-nacl)#permit tcp host 10.10.15.225 eq 80 any // where the mistake was: this direction had not been permitted.
I used to think that a deny log on the firewall must be caused by the firewall's own policy or routing, so I kept checking the policies I had written and testing them. After running into this problem I have to admit that my earlier view was wrong. Tragic...
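The two signals used in the analysis above (106015 "no connection" denials for SYN ACK packets, and a capture in which the server's SYN-ACK is retransmitted with the same sequence number while no inbound SYN ever appears) can be checked mechanically. The following Python script is an added example, not part of the original post or any Cisco tooling; it assumes the line formats are exactly the ones shown on this page, and the sample input is a subset of the page's own log and capture lines plus one constructed healthy flow in the test. It groups the 106015 messages per server port and client, then reconstructs handshake state per flow from the capture and reports flows where a SYN-ACK was seen without a SYN (the forward path does not cross this interface, or the SYN is dropped upstream) and flows where the same SYN-ACK keeps being retransmitted (the reply is being dropped on the way back).

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the FWSM syslog lines and "show capture"
# output quoted on the page (three 106015 messages, six captured packets).
SYSLOG = """\
6|Aug 31 2012 09:44:36|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31073 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31041 flags SYN ACK on interface In-Internal_2
6|Aug 31 2012 09:44:37|106015: Deny TCP (no connection) from 10.10.15.225/80 to 14.20.31.233/31169 flags SYN ACK on interface In-Internal_2
"""

CAPTURE = """\
1: 10:00:01.1190680460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
2: 10:00:01.1190680700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
3: 10:00:04.1190683450 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
4: 10:00:04.1190683700 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
5: 10:00:05.1190684460 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57601: S 74049662:74049662(0) ack 2279964660 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
6: 10:00:05.1190685060 802.1Q vlan#115 P0 10.10.15.225.80 > 14.20.31.233.57633: S 2044127287:2044127287(0) ack 75930879 win 5840 <mss 1460,nop,nop,sackOK,nop,[|tcp]>
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# 106015: Deny TCP (no connection) from A/p to B/q flags ... on interface X
SYSLOG_RE = re.compile(
    r"\|106015: Deny TCP \(no connection\) from "
    rf"(?P<src>{IPV4})/(?P<sport>\d+) to (?P<dst>{IPV4})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# tcpdump-style capture line: N: ts ... A.p > B.q: FLAGS seq:seq(len) [ack N] ...
CAP_RE = re.compile(
    rf"^\s*\d+: \S+ .*?(?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)


def analyse_syslog(syslog_text):
    """Count 106015 denials per (src, sport, dst, iface, flags). A burst of
    'SYN ACK' denials from one server port towards one client is the signature."""
    counts = defaultdict(int)
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], m["iface"], m["flags"].strip())
            counts[key] += 1
    return dict(counts)


def handshake_state(capture_text):
    """Per flow, keyed client-side first (client, cport, server, sport):
    how many SYNs, how many SYN-ACKs, and the distinct SYN-ACK sequence numbers."""
    flows = {}
    for line in capture_text.splitlines():
        m = CAP_RE.match(line)
        if not m or "S" not in m["flags"]:
            continue  # only handshake packets matter here
        if m["ack"] is None:  # bare SYN travels client -> server
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        else:  # SYN-ACK travels server -> client, so swap to client-first
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        f = flows.setdefault(key, {"syn": 0, "synack": 0, "synack_seqs": set()})
        if m["ack"] is None:
            f["syn"] += 1
        else:
            f["synack"] += 1
            f["synack_seqs"].add(m["seq"])
    return flows


def diagnose(flows):
    """Return {flow label: [finding codes]} for flows whose handshake is incomplete."""
    report = {}
    for (client, cport, server, sport), f in sorted(flows.items()):
        findings = []
        if f["synack"] and not f["syn"]:
            # Reply seen, but the client's SYN never crossed this interface:
            # asymmetric path or the SYN is dropped upstream (the 106015 condition).
            findings.append("no_syn_seen")
        if f["synack"] > 1 and len(f["synack_seqs"]) == 1:
            # Identical SYN-ACK repeated: the server never receives the final ACK,
            # so its reply is being dropped somewhere on the return path.
            findings.append("synack_retransmitted")
        if findings:
            report[f"{client}:{cport} -> {server}:{sport}"] = findings
    return report


if __name__ == "__main__":
    for key, n in analyse_syslog(SYSLOG).items():
        print(f"106015 x{n}: {key}")
    for flow, findings in diagnose(handshake_state(CAPTURE)).items():
        print(f"{flow}: {', '.join(findings)}")
```

On the page's data both flows come back with both findings, which is the combination that points away from the firewall's own rules and towards the path on either side of it; a flow that shows a SYN followed by a single SYN-ACK produces no finding.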