https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841688#M1100780 <P>Hello Rob,</P><P>Thanks for the response.</P><P>I have two question to ask as I'm little bit confuse.</P><P>Q1 : What is the meaning of term <STRONG>Active Unit</STRONG>?</P><P>Q2 : Is the activity is questionable or I can consider in normal activity?&nbsp;</P> Wed, 24 May 2023 07:48:35 GMT priyalchavada 2023-05-24T07:48:35Z https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841585#M1100776 <P>Hello Team,</P><P>I'm working as SOC analyst, I'm analyzing CISCO devices and i get one alert regarding&nbsp;Teardown TCP connection from CISCO FTD.</P><P>&nbsp;&lt;182&gt;May 24 2023 03:53:45 FTDP : %FTD-6-302014: Teardown TCP connection 259297712 for WAN_A:95.214.27.136/43134 to DMZ:172.16.100.4/5555 duration 0:00:30 bytes 0 Failover primary closed\n</P><P>&nbsp;</P><P>Can you please explain the exact scenario behind this event occure.</P> Wed, 24 May 2023 04:26:06 GMT https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841585#M1100776 priyalchavada 2023-05-24T04:26:06Z https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841647#M1100778 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1518733">@priyalchavada</a> the FTD SYSLOG messages are all documented. Your syslog message 302014 ID states the reason was - "The standby unit in a failover pair deleted a connection because of a message received from the active unit."</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_6941209" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_6941209</A></P> <H3 id="con_6941209__title_dfp_fcq_wbb" class="title topictitle3">302014</H3> <SECTION class="body conbody"> <P class="p"><STRONG class="ph b">Error Message</STRONG><CODE class="ph codeph"> %<SPAN class="ph">FTD</SPAN>-6-302014: Teardown [Probe] TCP connection&nbsp;id&nbsp;for&nbsp;interface&nbsp;:real-address&nbsp;/real-port&nbsp;[(idfw_user&nbsp;)] to&nbsp;interface&nbsp;:real-address&nbsp;/real-port&nbsp;[(idfw_user&nbsp;)] duration&nbsp;hh:mm:ss&nbsp;bytes&nbsp;bytes&nbsp;[reason [from teardown-initiator]] [(user&nbsp;)]</CODE></P> <P class="p"><STRONG class="ph b">Explanation</STRONG> A TCP connection between two hosts was deleted. The following list describes the message values:</P> <UL id="con_6941209__ul_B827A3848FD64FE880562A8929E855E5" class="ul"> <LI class="li"> <P class="p"><SPAN class="ph uicontrol">probe</SPAN>—Indicates the TCP connection is a probe connection<SPAN class="ph uicontrol">id</SPAN> —A unique identifier</P> </LI> <LI id="con_6941209__li_07548D6978D445DFBB57245E12CD955E" class="li"> <P class="p"><SPAN class="ph uicontrol">interface, real-address, real-port</SPAN>—The actual socket</P> </LI> <LI id="con_6941209__li_F0F00A2E758F47B1915C4094A425C7F7" class="li"> <P class="p"><SPAN class="ph uicontrol">duration</SPAN>—The lifetime of the connection</P> </LI> <LI id="con_6941209__li_476DD9A9014944428DD67311819D3C97" class="li"> <P class="p"><SPAN class="ph uicontrol">bytes</SPAN><EM class="ph i">—</EM> The data transfer of the connection</P> </LI> <LI id="con_6941209__li_4CBFDC7330504FDEAB3AA116AB6C302E" class="li"> <P class="p"><SPAN class="ph uicontrol">User</SPAN>—The AAA name of the user</P> </LI> <LI class="li"> <P class="p"><STRONG class="ph b">idfw_user</STRONG> —The name of the identity firewall user</P> </LI> <LI class="li"> <P class="p"><SPAN class="ph uicontrol">reason</SPAN>—The action that causes the connection to terminate. Set the <SPAN class="ph uicontrol">reason</SPAN> variable to one of the TCP termination reasons listed in the following table.</P> </LI> <LI class="li"> <P class="p"><STRONG class="ph b">teardown-initiator</STRONG>—Interface name of the side that initiated the teardown.</P> </LI> </UL> <DIV class="tableContainer"> <TABLE class="table" border="1" width="100%"><CAPTION><SPAN class="table--title-label tabletitle">Table 1. </SPAN><SPAN class="tabletitle">TCP Termination Reasons</SPAN></CAPTION><COLGROUP> <COL /> <COL /> </COLGROUP> <THEAD class="thead"> <TR> <TH id="con_6941209__entry__1" class="entry"> <P class="p">Reason</P> </TH> <TH id="con_6941209__entry__2" class="entry"> <P class="p">Description</P> </TH> </TR> </THEAD> <TBODY class="tbody"> <TR> <TD class="entry"> <P class="p">Conn-timeout</P> </TD> <TD class="entry"> <P class="p">The connection ended when a flow is closed because of the expiration of its inactivity timer.</P> </TD> </TR> <TR> <TD class="entry"> <P class="p">Deny Terminate</P> </TD> <TD class="entry"> <P class="p">Flow was terminated by application inspection.</P> </TD> </TR> <TR> <TD class="entry"> <P class="p">Failover primary closed</P> </TD> <TD class="entry"> <P class="p"><STRONG>The standby unit in a failover pair deleted a connection because of a message received from the active unit</STRONG>.</P> </TD> </TR> </TBODY> </TABLE> </DIV> </SECTION> Wed, 24 May 2023 06:55:19 GMT https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841647#M1100778 Rob Ingram 2023-05-24T06:55:19Z https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841688#M1100780 <P>Hello Rob,</P><P>Thanks for the response.</P><P>I have two question to ask as I'm little bit confuse.</P><P>Q1 : What is the meaning of term <STRONG>Active Unit</STRONG>?</P><P>Q2 : Is the activity is questionable or I can consider in normal activity?&nbsp;</P> Wed, 24 May 2023 07:48:35 GMT https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4841688#M1100780 priyalchavada 2023-05-24T07:48:35Z https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4846022#M1101052 <P>FW HA is two FW interconnect to each other is one failed the other will take place to forward inspect data traffic&nbsp;<BR />to see the right reason check the Log in active FW</P> Wed, 31 May 2023 01:19:24 GMT https://community.cisco.com/t5/network-security/teardown-tcp-connection/m-p/4846022#M1101052 MHM Cisco World 2023-05-31T01:19:24Z