SYN RESETs

josephpgonzalez
Conversationalist


Hello Meraki Community,

Lately we have had some weird occurrences with access to some websites, in this instance Github.com. I've taken some captures and I see a ton of SYN Resets. I have a case open with the Meraki team, but just wanted to bounce it off the team on here, since we have no idea what could be causing it. We have outbound http and https allowed, so it's not an access issue. Plus, I'm not blocking it with any content filtering. If anyone wants a crack at it, I'm all for it! Thanks!

[Image: Github.jpg]

PhilipDAth
Kind of a big deal

This is typical of a simple access list not allowing the traffic. It is also very typical of an IPS.

Do you have another IPS in your network (even if in layer 2 mode)?

Anything appear in your security event log in Meraki?

Are you running 15.x firmware on your MX?

I have no access lists in place currently. Also, I'm just running the MX with IDS/IPS on Prevention and Balanced. When I check the flow logs (sent to a syslog server), I see the traffic is allowed out, and it keeps repeating itself on different ports. For example, if I go to a page using destination port 443, it will allow it, but the source port keeps changing every millisecond.

I'm running 14.39 on the MX and was told to try the beta, but being in production and getting an outage window is difficult sometimes, since it has to reboot after the upgrade.

Try turning IDS/IPS off for 5 minutes and see if the problem keeps happening.

I think this is most likely to be an issue upstream of you and not on the MX.
