
Trace from Public to Firewall - Lync 2013

Hi - new to Wireshark. Troubleshooting access to a Reverse Proxy server through firewall. This is for a Lync 2013 deployment. My Reverse Proxy is sitting in my DMZ. I am using NAT on a Cisco ASA 5510. The public IP is 67.136.135.233. I can access the RP from within the DMZ and all Lync functions appear to work as expected. I CANNOT access this server from outside the firewall. All Lync-related objects/rules appear to be set up correctly on the ASA...

PLEASE... Can you read my log and tell me what's going on? [I'm using a laptop connected through a mobile hotspot to run Wireshark]

No. Time Source Destination Protocol Length Info

41 39.929778 IntelCor_53:69:b6 Broadcast ARP 42 Who has 192.168.43.1? Tell 192.168.43.154

42 39.974162 SamsungE_0a:f5:a4 IntelCor_53:69:b6 ARP 42 192.168.43.1 is at 34:23:ba:0a:f5:a4

43 39.974474 192.168.43.154 67.136.135.233 TCP 66 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

44 40.18278 192.168.43.154 67.136.135.233 TCP 66 49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

45 42.922161 192.168.43.154 67.136.135.233 TCP 66 [TCP Retransmission] 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

46 43.182483 192.168.43.154 67.136.135.233 TCP 66 [TCP Retransmission] 49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

47 47.750547 IntelCor_53:69:b6 SamsungE_0a:f5:a4 ARP 42 Who has 192.168.43.1? Tell 192.168.43.154

48 47.807485 SamsungE_0a:f5:a4 IntelCor_53:69:b6 ARP 42 192.168.43.1 is at 34:23:ba:0a:f5:a4

49 48.923489 192.168.43.154 67.136.135.233 TCP 62 [TCP Retransmission] 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

50 49.188817 192.168.43.154 67.136.135.233 TCP 62 [TCP Retransmission] 49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

51 61.181722 192.168.43.154 67.136.135.233 TCP 66 49559 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

52 64.183307 192.168.43.154 67.136.135.233 TCP 66 [TCP Retransmission] 49559 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

53 64.37699 192.168.43.154 192.168.43.1 DNS 76 Standard query 0x0238 A dns.msftncsi.com

54 64.430653 192.168.43.1 192.168.43.154 DNS 92 Standard query response 0x0238 A 131.107.255.255

55 69.249998 IntelCor_53:69:b6 SamsungE_0a:f5:a4 ARP 42 Who has 192.168.43.1? Tell 192.168.43.154

56 69.291325 SamsungE_0a:f5:a4 IntelCor_53:69:b6 ARP 42 192.168.43.1 is at 34:23:ba:0a:f5:a4

57 70.183769 192.168.43.154 67.136.135.233 TCP 62 [TCP Retransmission] 49559 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

58 82.186157 192.168.43.154 67.136.135.233 TCP 66 49560 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

59 82.4369 192.168.43.154 67.136.135.233 TCP 66 49561 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

60 82.522134 192.168.43.154 192.168.43.255 NBNS 92 Name query NB WPAD<00>

61 82.522697 192.168.43.154 224.0.0.252 LLMNR 64 Standard query 0x80b0 A wpad

62 82.523107 192.168.43.154 224.0.0.252 LLMNR 64 Standard query 0x914f AAAA wpad

63 82.933491 192.168.43.154 224.0.0.252 LLMNR 64 Standard query 0x80b0 A wpad

64 82.933502 192.168.43.154 224.0.0.252 LLMNR 64 Standard query 0x914f AAAA wpad

65 83.272728 192.168.43.154 192.168.43.255 NBNS 92 Name query NB WPAD<00>

66 84.02534 192.168.43.154 192.168.43.255 NBNS 92 Name query NB WPAD<00>

67 85.188314 192.168.43.154 67.136.135.233 TCP 66 [TCP Retransmission] 49560 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

68 85.437492 192.168.43.154 67.136.135.233 TCP 66 [TCP Retransmission] 49561 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

69 90.249988 IntelCor_53:69:b6 SamsungE_0a:f5:a4 ARP 42 Who has 192.168.43.1? Tell 192.168.43.154

70 90.30039 SamsungE_0a:f5:a4 IntelCor_53:69:b6 ARP 42 192.168.43.1 is at 34:23:ba:0a:f5:a4

71 91.183634 192.168.43.154 67.136.135.233 TCP 62 [TCP Retransmission] 49560 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

72 91.437979 192.168.43.154 67.136.135.233 TCP 62 [TCP Retransmission] 49561 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

73 94.376815 192.168.43.154 192.168.43.1 DNS 76 Standard query 0x19c9 A dns.msftncsi.com

74 94.532964 192.168.43.154 192.168.43.1 DNS 76 Standard query 0x19c9 A dns.msftncsi.com

75 94.612641 192.168.43.1 192.168.43.154 DNS 92 Standard query response 0x19c9 A 131.107.255.255

asked 25 Nov ‘14, 11:22

SteveSmo

edited 27 Nov ‘14, 15:25

Kurt Knochner ♦

One Answer:

As you can see, there are multiple attempts to connect to port 443 (SYN frames), but there is no SYN-ACK. As you mentioned the ASA firewall, there is either no rule that allows the traffic or no NAT (DNAT) that translates the traffic for 67.136.135.233:443 to the internal address. Please check the firewall log.

Regards
Kurt

answered 27 Nov '14, 15:30

Kurt Knochner ♦

Doh!!! Everything on the firewall was set up correctly. The ISSUE was that the interface for the external NIC on the VM server was incorrect. Changing to the correct interface resolved the issue. Thanks to all for your input.

(02 Dec '14, 11:14) SteveSmo
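
The check the answer makes by eye (SYNs to port 443 with no SYN-ACK coming back) can be run over a packet-list text export. This is an added example, not part of the original thread; it assumes the column layout pasted in the question, the function name `unanswered_syns` is hypothetical, and the two 198.51.100.10 lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Packets 43, 44, 45 and 49 are copied from the trace in the question; the two
# 198.51.100.10 lines are constructed to show an answered handshake.
SAMPLE = """\
43 39.974474 192.168.43.154 67.136.135.233 TCP 66 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
44 40.18278 192.168.43.154 67.136.135.233 TCP 66 49558 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
45 42.922161 192.168.43.154 67.136.135.233 TCP 66 [TCP Retransmission] 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
49 48.923489 192.168.43.154 67.136.135.233 TCP 62 [TCP Retransmission] 49557 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
90 100.000000 192.168.43.154 198.51.100.10 TCP 66 49570 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
91 100.050000 198.51.100.10 192.168.43.154 TCP 66 443 > 49570 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
"""

# Columns: No. Time Source Destination Protocol Length Info (layout assumed
# from the question); newer Wireshark prints the arrow as U+2192.
LINE = re.compile(
    r"^\s*\d+\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)*(?P<sport>\d+)\s+(?:>|\u2192)\s+(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]+)\]"
)

def unanswered_syns(text):
    """Group SYNs that never received a SYN-ACK by (client, server, port)."""
    attempts, answered = {}, set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, DNS, NBNS, LLMNR and other non-TCP rows
        flags = {f.strip() for f in m["flags"].split(",")}
        if flags == {"SYN"}:
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            attempts.setdefault(key, []).append(float(m["time"]))
        elif flags == {"SYN", "ACK"}:
            # The SYN-ACK travels server -> client, so store the reversed tuple.
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    report = defaultdict(lambda: {"connections": 0, "syns": 0, "waited": 0.0})
    for (src, sport, dst, dport), times in attempts.items():
        if (src, sport, dst, dport) in answered:
            continue
        row = report[(src, dst, int(dport))]
        row["connections"] += 1
        row["syns"] += len(times)
        row["waited"] = max(row["waited"], round(times[-1] - times[0], 3))
    return dict(report)

if __name__ == "__main__":
    for target, row in unanswered_syns(SAMPLE).items():
        print(target, row)
```

A client-side capture only shows that the SYN was never answered, not where it was lost. Running the same check on captures taken on each side of the firewall and on the server's NIC shows the last point the SYN reached.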