
Wireshark-users: Re: [Wireshark-users] who sends RST packets? UNIX box or application? Troublesho

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Thu, 16 Dec 2010 22:23:04 +1100
Sven Aluoor wrote:
> Hi folks
> 
> I have here a box with Cisco's IOS which makes SCEP (Simple
> Certificate Enrollment Protocol) request with Dst Port 446 to a
> Solaris box with RSA Keon.
> 
> Apache is listening:
> 
> $ netstat -an | grep 446
>       *.446                *.*                0      0 49152      0 LISTEN
> 
> nothing in layer 7 log files:
> 
> $ ls -lrt scep-*
> -rw-r-----   1 root     root           0 Jan  20  2008 scep-error.log
> -rw-r-----   1 root     root           0 Jan  20 2008 scep-access.log
> 
> snoop output (analyzed with Wireshark, see screenshot[0]).
> 
> I see that the source sends a SYN package and the destination box
> answers with Reset. How to see if the reset comes from application
> (RSA Keon) or the UNIX Box? I guess it is not the application because
> of empty log file. Any other hints on troubleshooting this?

Leaving out the IP addresses makes it harder to debug. Are the two
devices on the same subnet? Is there some horribly convoluted routing
between them, maybe including firewalls?

The RST must be coming from the operating system(1). The application
does not even know about the conversation until the three-way handshake
is complete. The minimum you would see if it was the app would be SYN->,
<-SYN+ACK, ACK->, RST->

Could it be that IOS does not like the MSS coming back from the other
end? The MSS in the outbound SYN is 536. The MSS in the response SYN is
1460. Can you put a static route in Solaris to tell it the MSS on the
link to the Cisco is 536 and see if that fixes it?

Andrew

(1) unless IOS supports eager listeners which I doubt.

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
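The rule Andrew applies above (an RST that answers a bare SYN can only come from the kernel or a middlebox, because the application is not handed the socket until the third ACK) can be turned into a small check over a capture. The following is an added example, not code from the thread; it works on a constructed list of packets using tshark-style flag letters, and the addresses and ports in the sample are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters as tshark prints them: "S", "SA", "A", "R", "RA"


def _key(p):
    # Same key for both directions of one TCP conversation.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def classify_rsts(packets):
    """Return [(index, verdict)] for every RST in the capture.

    Handshake state per conversation:
      SYN_SENT    - client SYN seen, nothing back yet
      SYNACK_SEEN - server SYN+ACK seen, final ACK pending
      ESTABLISHED - third ACK seen; only now does accept() give the socket to the app
    """
    state, results = {}, []
    for i, p in enumerate(packets):
        k = _key(p)
        if "R" in p.flags:
            s = state.pop(k, None)
            if s in (None, "SYN_SENT"):
                verdict = "kernel: RST before SYN+ACK, application never saw this connection"
            elif s == "SYNACK_SEEN":
                verdict = "kernel: handshake not completed, application not yet involved"
            else:
                verdict = "application or kernel: connection was established, app may have closed it"
            results.append((i, verdict))
        elif p.flags == "S":
            state[k] = "SYN_SENT"
        elif p.flags == "SA" and state.get(k) == "SYN_SENT":
            state[k] = "SYNACK_SEEN"
        elif "A" in p.flags and state.get(k) == "SYNACK_SEEN":
            state[k] = "ESTABLISHED"
    return results


# Constructed sample: flow A is the case in the thread (SYN to port 446 answered by RST);
# flow B completes the handshake before the server resets it.
SAMPLE = [
    Pkt("10.0.0.1", 40001, "10.0.0.2", 446, "S"),
    Pkt("10.0.0.2", 446, "10.0.0.1", 40001, "RA"),
    Pkt("10.0.0.1", 40002, "10.0.0.2", 446, "S"),
    Pkt("10.0.0.2", 446, "10.0.0.1", 40002, "SA"),
    Pkt("10.0.0.1", 40002, "10.0.0.2", 446, "A"),
    Pkt("10.0.0.2", 446, "10.0.0.1", 40002, "RA"),
]

if __name__ == "__main__":
    for idx, verdict in classify_rsts(SAMPLE):
        print(f"frame {idx + 1}: {verdict}")
```

Feed it the flag column from `tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.str` (whitespace-stripped) to run it on a real capture.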