11-13-2015 12:57 AM
i currently try to implement a session ACL that actively sends a reject to a TCP-Connection instead of just dropping the traffic so that the user's trying to access this service out of a wrong network have long timeouts and get a reject instantly.
And i didn't get it working. So i implemented a test-acl in my lab looking:
ip access-list session my-test-acl any user svc-icmp permit any any svc-icmp permit any any svc-https deny send-deny-response !
To reject all traffic to port 443. A web browser shows the same behaviour (it takes a very long time until a error is shown up) than the other app. So i started wireshark to examine it a bit and wireshark shows this:
Initially i expected some ICMP packet to be sent from the aruba controller stating that the services is not reachable, but instead it seems that the controller answers with a TCP RST packet - but this packet seems to be malformed and so the client just drops it instead of processing it.
Did i miss something or is this the wrong way to 'reject' a TCP connection? Tried this with 126.96.36.199 and 188.8.131.52.
Thanks & Bye,