Cisco ASA 0 SYN Timeout

The following solution was found here: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml

I was having issues connecting to my load balancers and we were seeing in the Cisco logs that the TCP connection was being built but then getting torn down with the following error:

Teardown TCP connection 90 for outside:172.22.1.1/80 to inside:192.168.1.50/1107 duration 0:00:30 bytes 0 SYN Timeout

The syslog message indicates the connection closed because of a SYN timeout. This tells the administrator that no application X server responses were received by the ASA. Syslog message termination reasons can vary.

The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection request, and, in most cases, is not related to the configuration on PIX/ASA.

Sure enough my load balancers had an incorrect default gateway!
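The teardown message above is one line of many an ASA emits; what made the problem visible was that every connection to the load balancers ended the same way. The following script is an added example (not from the original post or from Cisco) that parses 302014 teardown messages, counts "SYN Timeout" teardowns per server endpoint, and lists servers that never answered a handshake, which is exactly what a dead host or a server with a wrong default gateway looks like from the firewall. The log lines are constructed for illustration; the server/client split uses a port-number heuristic, which is an assumption explained in the comments.

```python
"""Summarise Cisco ASA TCP teardown syslog messages to spot servers that never
answer a handshake (the "SYN Timeout" case from the post).

Added example, not from the original post. The log lines below are constructed
for illustration; the format they follow is the ASA 302014 teardown message
quoted in the post.
"""
import re
from collections import defaultdict

# Matches the body of an ASA 302014 "Teardown TCP connection" message, with or
# without the "%ASA-6-302014:" prefix and a syslog timestamp in front of it.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<if_a>\S+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>\S+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardown(line):
    """Return a dict describing one teardown message, or None if the line is
    not a 302014 message."""
    m = TEARDOWN_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("conn_id", "port_a", "port_b", "bytes"):
        rec[k] = int(rec[k])
    # The teardown message does not say which side initiated the connection
    # (the ASA prints the destination first for outbound connections and the
    # source first for inbound ones). Heuristic (an assumption of this
    # example): the endpoint with the lower port number is the service that
    # was being connected to.
    if rec["port_a"] <= rec["port_b"]:
        rec["server"] = f'{rec["if_a"]}:{rec["ip_a"]}/{rec["port_a"]}'
        rec["client"] = f'{rec["if_b"]}:{rec["ip_b"]}'
    else:
        rec["server"] = f'{rec["if_b"]}:{rec["ip_b"]}/{rec["port_b"]}'
        rec["client"] = f'{rec["if_a"]}:{rec["ip_a"]}'
    return rec


def syn_timeout_report(lines):
    """Count, per server endpoint, how many TCP connections were torn down with
    'SYN Timeout' (and zero bytes) versus any other reason, and collect the
    distinct clients that hit the timeout.

    Returns {server: {"syn_timeouts": n, "other": n, "clients": set()}}.
    """
    report = defaultdict(lambda: {"syn_timeouts": 0, "other": 0, "clients": set()})
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        entry = report[rec["server"]]
        if rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
            entry["syn_timeouts"] += 1
            entry["clients"].add(rec["client"])
        else:
            entry["other"] += 1
    return dict(report)


def unresponsive_servers(report, min_timeouts=3):
    """Servers whose every logged connection ended in SYN Timeout, i.e. the ASA
    forwarded the SYN but never saw a SYN/ACK come back. A server that also has
    successfully closed connections is not listed, since it does respond."""
    return sorted(
        s for s, e in report.items()
        if e["syn_timeouts"] >= min_timeouts and e["other"] == 0
    )


# Constructed sample log, modelled on the line quoted in the post.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 90 for outside:172.22.1.1/80 to inside:192.168.1.50/1107 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 91 for outside:172.22.1.1/80 to inside:192.168.1.51/1108 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 92 for outside:172.22.1.1/80 to inside:192.168.1.52/1109 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 93 for outside:172.22.1.2/80 to inside:192.168.1.50/1110 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 94 for outside:172.22.1.2/80 to inside:192.168.1.50/1111 duration 0:01:12 bytes 5120 TCP FINs
%ASA-6-302014: Teardown TCP connection 95 for inside:192.168.1.60/443 to outside:198.51.100.7/40001 duration 0:00:02 bytes 2200 TCP Reset-O
%ASA-6-302013: Built outbound TCP connection 96 for outside:172.22.1.1/80 (172.22.1.1/80) to inside:192.168.1.53/1112 (192.168.1.53/1112)
"""

if __name__ == "__main__":
    rep = syn_timeout_report(SAMPLE_LOG.splitlines())
    for server, e in sorted(rep.items()):
        print(f"{server:28} SYN Timeout={e['syn_timeouts']:2} other={e['other']:2} "
              f"clients={len(e['clients'])}")
    print("never-responding servers:", unresponsive_servers(rep))
```

Run against a real syslog export, the "never-responding servers" list is the set of hosts worth checking for routing or liveness problems first; a server that shows both SYN timeouts and normal closes is more likely overloaded or intermittently reachable than misrouted.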

Cisco ASA Active/Standby Failover

NOTE: Use these instructions at your own risk!!! They were performed on a dev environment, not a production one.

Here are brief instructions on how to configure LAN-based Active/Standby failover for a Cisco ASA 5510 series. The interfaces are as follows:

Note: the IP addresses were picked at random and are for example purposes only.

int Ethernet0/0: 129.136.22.0/29 (For ASA1 .1 and ASA2 .2)

int Ethernet0/1: 77.127.246.0/25 (For ASA1 .1 and ASA2 .2)

int Ethernet0/2: 192.168.10.0/24 (For ASA1 .1 and ASA2 .2)

int Ethernet0/3 (Failover LAN interface)

On the primary unit run the following commands:

# conf t

(config)# interface Ethernet0/0

(config-if)# ip address 129.136.22.1 255.255.255.248 standby 129.136.22.2

(config-if)# Ctrl-Z

# conf t

(config)# interface Ethernet0/1

(config-if)# ip address 77.127.246.1 255.255.255.128 standby 77.127.246.2

(config-if)# Ctrl-Z

# conf t

(config)# interface Ethernet0/2

(config-if)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

(config-if)# Ctrl-Z

# conf t

(config)# interface Ethernet0/3

(config-if)# description LAN Failover Interface

Before configuring anything else on the primary, make sure to configure the above commands on the secondary first!!!

On the secondary unit:

# conf t

(config)# failover

(config)# failover lan unit secondary

(config)# failover lan interface FailoverLinkName Ethernet0/3

(config)# failover key ************

(config)# failover interface ip FailoverLinkName 1.1.1.1 255.255.255.252 standby 1.1.1.2

Note: If you don't want to monitor an interface for failure, use the following command:

(config)# no monitor-interface InterfaceName

Now back over to the primary unit:

# conf t

(config)# failover

(config)# failover lan unit primary

(config)# failover lan interface FailoverLinkName Ethernet0/3

(config)# failover key ************

(config)# failover interface ip FailoverLinkName 1.1.1.1 255.255.255.252 standby 1.1.1.2

Note: If you don't want to monitor an interface for failure, use the following command:

(config)# no monitor-interface InterfaceName

You should see a message from the device saying something like "syncing from primary".

Enable SNMPv3 Cisco ASA

By running the following commands, you can enable SNMPv3 on a Cisco ASA 5510.

Every user needs a group:

(config)# snmp-server group v3-priv v3 priv

Create the user and set its authentication and privacy passwords:

(config)# snmp-server user snmp_user v3-priv v3 auth md5 snmp_password priv des snmp_password

Restrict SNMP polls and queries to a specific server:

(config)# snmp-server host inside IP.Address poll version 3 snmp_user
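The commands above use MD5 for authentication and DES for privacy, which are the weakest of the choices the ASA `snmp-server user` command accepts (md5/sha for auth, des/3des/aes 128|192|256 for priv). The following script is an added example (not from the original post or from Cisco) that audits the SNMPv3 group and user lines of an ASA configuration for those weak settings, for users with no privacy at all, and for the same secret being reused for auth and priv, and then rewrites a user line to SHA/AES-128. The sample configuration is constructed, modelled on the post's three commands; the `<PRIV_SECRET>` placeholder is this example's own.

```python
"""Audit the SNMPv3 lines of a Cisco ASA configuration for weak settings.

Added example, not from the original post. The sample configuration is
constructed (modelled on the post's commands); the keywords checked are the
auth (md5/sha) and priv (des/3des/aes 128|192|256) choices the ASA
'snmp-server user' command accepts.
"""
import re

# snmp-server group <name> v3 {noauth|auth|priv}
GROUP_RE = re.compile(
    r"^\s*snmp-server group (?P<group>\S+) v3 (?P<level>noauth|auth|priv)\s*$",
    re.IGNORECASE,
)

# snmp-server user <name> <group> v3 [engineID <id>] [encrypted]
#     auth {md5|sha} <secret> [priv {des|3des|aes {128|192|256}} <secret>]
# The optional engineID/encrypted tokens are the form 'show running-config'
# prints, where the secrets are stored encrypted rather than in cleartext.
USER_RE = re.compile(
    r"^\s*snmp-server user (?P<user>\S+) (?P<group>\S+) v3"
    r"(?:\s+engineID\s+\S+)?(?:\s+encrypted)?"
    r"\s+auth (?P<auth>md5|sha) (?P<auth_pw>\S+)"
    r"(?:\s+priv (?P<priv>des|3des|aes (?:128|192|256)) (?P<priv_pw>\S+))?\s*$",
    re.IGNORECASE,
)

WEAK_AUTH = {"md5"}
WEAK_PRIV = {"des", "3des"}


def audit_snmpv3(config_text):
    """Return a list of (line_number, finding) tuples for the SNMPv3 group and
    user lines in an ASA configuration. Other lines are ignored."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        g = GROUP_RE.match(line)
        if g:
            if g["level"].lower() != "priv":
                findings.append((n, f"group {g['group']} is level {g['level']}: "
                                    "members are not required to encrypt, use priv"))
            continue
        u = USER_RE.match(line)
        if not u:
            continue
        user = u["user"]
        if u["auth"].lower() in WEAK_AUTH:
            findings.append((n, f"user {user}: auth md5 is weak, use sha"))
        if u["priv"] is None:
            findings.append((n, f"user {user}: no priv algorithm, polls are unencrypted"))
        elif u["priv"].lower().split()[0] in WEAK_PRIV:
            findings.append((n, f"user {user}: priv {u['priv']} is weak, use aes"))
        if u["priv_pw"] is not None and u["priv_pw"] == u["auth_pw"]:
            findings.append((n, f"user {user}: same secret used for auth and priv"))
    return findings


def harden_user_line(line):
    """Rewrite a cleartext 'snmp-server user' line (as typed at the CLI, not the
    encrypted form from a running-config) to SHA authentication and AES-128
    privacy, keeping user, group and secrets as they are. If the line had no
    priv section, the placeholder <PRIV_SECRET> is inserted for the operator
    to replace. Lines that do not parse are returned unchanged."""
    u = USER_RE.match(line)
    if not u:
        return line
    priv_pw = u["priv_pw"] if u["priv_pw"] is not None else "<PRIV_SECRET>"
    return (f"snmp-server user {u['user']} {u['group']} v3 "
            f"auth sha {u['auth_pw']} priv aes 128 {priv_pw}")


# Constructed sample, modelled on the post's three commands plus two more users.
SAMPLE_CONFIG = """\
snmp-server group v3-priv v3 priv
snmp-server group v3-ro v3 auth
snmp-server user snmp_user v3-priv v3 auth md5 snmp_password priv des snmp_password
snmp-server user nms_ro v3-ro v3 auth sha Auth-Secret-1
snmp-server user nms_ok v3-priv v3 auth sha Auth-Secret-2 priv aes 128 Priv-Secret-2
snmp-server host inside 192.168.10.25 poll version 3 nms_ok
"""

if __name__ == "__main__":
    for n, msg in audit_snmpv3(SAMPLE_CONFIG):
        print(f"line {n}: {msg}")
    print(harden_user_line(SAMPLE_CONFIG.splitlines()[2]))
```

Feed it the output of `show running-config snmp-server` to review an existing box; the group check matters because a `priv` user in an `auth`-level group only gets the protection the group enforces.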