This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trace from Public to Firewall - Lync 2013

0

Hi- New to wireshark. Troubleshooting access to a Reverse Proxy server through firewall. This is for a Lync 2013 deployment. My Reverse Proxy is sitting in my DMZ. I am using NAT on a Cisco ASA 5510. The public IP is 67.136.135.233. I can access the RP from within the DMZ and all Lync functions appear to work as expected. I CANNOT access this server from outside the firewall. All Lync-related objects/rules appear to be set up correctly on the ASA...

PLEASE... Can you read my log and tell me what's going on? [I'm using a laptop connected through a mobile hotspot to run Wireshark]

No. Time    Source  Destination Protocol    Length  Info
41  39.929778   IntelCor_53:69:b6   Broadcast   ARP 42  Who has 192.168.43.1?  Tell 192.168.43.154

42  39.974162   SamsungE_0a:f5:a4   IntelCor_53:69:b6   ARP 42  192.168.43.1 is at 34:23:ba:0a:f5:a4


43  39.974474   192.168.43.154  67.136.135.233  TCP 66  49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


44  40.18278    192.168.43.154  67.136.135.233  TCP 66  49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


45  42.922161   192.168.43.154  67.136.135.233  TCP 66  [TCP Retransmission] 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


46  43.182483   192.168.43.154  67.136.135.233  TCP 66  [TCP Retransmission] 49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


47  47.750547   IntelCor_53:69:b6   SamsungE_0a:f5:a4   ARP 42  Who has 192.168.43.1?  Tell 192.168.43.154


48  47.807485   SamsungE_0a:f5:a4   IntelCor_53:69:b6   ARP 42  192.168.43.1 is at 34:23:ba:0a:f5:a4


49  48.923489   192.168.43.154  67.136.135.233  TCP 62  [TCP Retransmission] 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1


50  49.188817   192.168.43.154  67.136.135.233  TCP 62  [TCP Retransmission] 49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1


51  61.181722   192.168.43.154  67.136.135.233  TCP 66  49559 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


52  64.183307   192.168.43.154  67.136.135.233  TCP 66  [TCP Retransmission] 49559 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


53  64.37699    192.168.43.154  192.168.43.1    DNS 76  Standard query 0x0238  A dns.msftncsi.com


54  64.430653   192.168.43.1    192.168.43.154  DNS 92  Standard query response 0x0238  A 131.107.255.255


55  69.249998   IntelCor_53:69:b6   SamsungE_0a:f5:a4   ARP 42  Who has 192.168.43.1?  Tell 192.168.43.154


56  69.291325   SamsungE_0a:f5:a4   IntelCor_53:69:b6   ARP 42  192.168.43.1 is at 34:23:ba:0a:f5:a4


57  70.183769   192.168.43.154  67.136.135.233  TCP 62  [TCP Retransmission] 49559 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1


58  82.186157   192.168.43.154  67.136.135.233  TCP 66  49560 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


59  82.4369 192.168.43.154  67.136.135.233  TCP 66  49561 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


60  82.522134   192.168.43.154  192.168.43.255  NBNS    92  Name query NB WPAD<00>


61  82.522697   192.168.43.154  224.0.0.252 LLMNR   64  Standard query 0x80b0  A wpad


62  82.523107   192.168.43.154  224.0.0.252 LLMNR   64  Standard query 0x914f  AAAA
wpad
63  82.933491   192.168.43.154  224.0.0.252 LLMNR   64  Standard query 0x80b0  A wpad


64  82.933502   192.168.43.154  224.0.0.252 LLMNR   64  Standard query 0x914f  AAAA wpad


65  83.272728   192.168.43.154  192.168.43.255  NBNS    92  Name query NB WPAD<00>


66  84.02534    192.168.43.154  192.168.43.255  NBNS    92  Name query NB WPAD<00>


67  85.188314   192.168.43.154  67.136.135.233  TCP 66  [TCP Retransmission] 49560 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


68  85.437492   192.168.43.154  67.136.135.233  TCP 66  [TCP Retransmission] 49561 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


69  90.249988   IntelCor_53:69:b6   SamsungE_0a:f5:a4   ARP 42  Who has 192.168.43.1?  Tell 192.168.43.154


70  90.30039    SamsungE_0a:f5:a4   IntelCor_53:69:b6   ARP 42  192.168.43.1 is at 34:23:ba:0a:f5:a4


71  91.183634   192.168.43.154  67.136.135.233  TCP 62  [TCP Retransmission] 49560 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1


72  91.437979   192.168.43.154  67.136.135.233  TCP 62  [TCP Retransmission] 49561 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1


73  94.376815   192.168.43.154  192.168.43.1    DNS 76  Standard query 0x19c9  A dns.msftncsi.com


74  94.532964   192.168.43.154  192.168.43.1    DNS 76  Standard query 0x19c9  A dns.msftncsi.com


75  94.612641   192.168.43.1    192.168.43.154  DNS 92  Standard query response 0x19c9  A 131.107.255.255

asked 25 Nov ‘14, 11:22

SteveSmo's gravatar image

SteveSmo
11112
accept rate: 0%

edited 27 Nov ‘14, 15:25

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

One Answer:

0

As you can see, there are multiple attempts to connect to port 443 (SYN frames), but there is no SYN-ACK. As you mentioned the ASA firewall, there is either no rule that allows the traffic or nor NAT (DNAT) that translates the traffic for 67.136.135.233:443 to the internal address. Please check the firewall log.

Regards
Kurt

answered 27 Nov '14, 15:30

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Doh!!! Everything on the firewall was set up correctly. ISSUE was that the interface for the external NIC on the VM server was incorrect. Changed to correct interface resolved issue. Thanks to all for your input.

(02 Dec '14, 11:14) SteveSmo