Solved: Re: ASA interface name and nameif are different

mahesh18 · ‎04-17-2013

Hi Everyone,

On one of ASA i have this config say

interface BCISCO

nameif CISCO

ip address 192.168.x.x 255.255.0.0 standby IP 192.168.x.x

Need to understand why we have interface and nameif different here?

Also when i try to access ASA by ASDM to ASA from internal network log shows

built inbound TCP connection for ASA interface.

So need to know whenever we access ASA from internal network it will say inbound connection?

Or there are some criteria that tells when connection is inbound to ASA?

Thanks

MAhesh

Jouni Forss · ‎04-17-2013

Hi,

Is this ASA running in Multiple Context Mode?

In the System Context space where you create a Security Context and use the "allocate-interface" command, it lets you give the interface a name instead of the typical interface type which you usually see.

The command might look something like this

context

allocate-interface BCISCO

Can you share the example log messages?

I would imagine that you are talking about the Syslog message with which the ASA tells that some host is connecting to the ASA with ASDM? Then it would be natural that the host is connecting an "inbound" connection to the ASA

- Jouni

View solution in original post

Jouni Forss · ‎04-17-2013

Also,

Here is the description of the log message which I assume you are seeing

Read the latter part of the below text to see the definition of "inbound" vs. "outbound"

302013

Error Message    %ASA-6-302013: Built {inbound|outbound} TCP connection_id for 
interface:real-address/real-port (mapped-address/mapped-port) to 
interface:real-address/real-port (mapped-address/mapped-port) [(user)]

Explanation A TCP connection slot between two hosts was created.

•connection_id —A unique identifier

•interface, real-address, real-port—The actual sockets

•mapped-address, mapped-port—The mapped sockets

•user—The AAA name of the user

If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

Recommended Action None required.

- Jouni

View solution in original post

Jouni Forss · ‎04-17-2013

Hi,

I cant say the reason for sure.

Seems to me that one connections is first built and then its teardown. Right after it another connection is built and teardown.

Here is one TCP connection building and teardown

67 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK on interface Net

66 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O

65 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"

62 2013/04/17 10:10:52.733 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)

Here is the next connection building and teardown

71 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK on interface Net

70 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O

69 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"

68 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)

In both cases it seems to me that the ASA has already removed the connection when the host is still in the process of closing the connection.

- Jouni

View solution in original post

Jouni Forss · ‎04-17-2013

Hi,

Is this ASA running in Multiple Context Mode?

In the System Context space where you create a Security Context and use the "allocate-interface" command, it lets you give the interface a name instead of the typical interface type which you usually see.

The command might look something like this

context

allocate-interface BCISCO

Can you share the example log messages?

I would imagine that you are talking about the Syslog message with which the ASA tells that some host is connecting to the ASA with ASDM? Then it would be natural that the host is connecting an "inbound" connection to the ASA

- Jouni

mahesh18 · ‎04-17-2013

Hi Jouni,

yes it is in context mode

72 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302013: Built inbound TCP connection 11283929 for Net:192.168.100.17/62287 (192.168.100.17/62287) to identity:192.168.100.12/443 (192.168.100.12/443)

71 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK on interface Net

70 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O

69 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"

68 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)

67 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK on interface Net

66 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O

65 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"

64 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-606001: ASDM session number 0 from 192.168.100.17 started

63 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62284 to Net:192.168.100.12/https for user "cisco"

62 2013/04/17 10:10:52.733 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)

61 2013/04/17 10:10:52.718 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283681 for Net:192.168.100.17/62284 (192.168.100.17/62284) to identity:192.168.100.12/443 (192.168.100.12/443)

60 2013/04/17 10:10:52.515 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62283 to 192.168.100.12/443 flags FIN ACK on interface Net

59 2013/04/17 10:10:52.515 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302014: Teardown TCP connection 11283636 for Net:192.168.100.17/62283 to identity:192.168.100.12/443 duration 0:00:02 bytes 806 TCP Reset-O

58 2013/04/17 10:10:52.515 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62283 to Net:192.168.100.12/https for user "cisco"

57 2013/04/17 10:10:52.358 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-606003: ASDM logging session number 0 from 192.168.100.17 started

56 2013/04/17 10:10:52.358 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62282 to Net:192.168.100.12/https for user "cisco"

55 2013/04/17 10:10:50.374 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283636 for Net:192.168.100.17/62283 (192.168.100.17/62283) to identity:192.168.100.12/443 (192.168.100.12/443)

54 2013/04/17 10:10:50.140 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283629 for Net:192.168.100.17/62282 (192.168.100.17/62282) to identity:192.168.100.12/443 (192.168.100.12/443)

53 2013/04/17 10:10:50.108 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62281 to 192.168.100.12/443 flags FIN ACK on interface Net

52 2013/04/17 10:10:50.108 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302014: Teardown TCP connection 11283529 for Net:192.168.100.17/62281 to identity:192.168.100.12/443 duration 0:00:02 bytes 3107 TCP Reset-O

51 2013/04/17 10:10:49.937 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-605005: Login permitted from 192.168.100.17/62281 to Net:192.168.100.12/https for user "cisco"

50 2013/04/17 10:10:47.640 MST 192.168.100.12 Apr 17 2013 17:10:46: %ASA-6-302013: Built inbound TCP connection 11283529 for Net:192.168.100.17/62281 (192.168.100.17/62281) to identity:192.168.100.12/443 (192.168.100.12/443)

Where interface NET is ASA interface with IP 192.168.100.12

192.168.100.17 is MY PC IP

This is log while i access the ASA by https.

Can you please tell in logs why it has repeat logs for example

ASDM logging session started it has this line 2 times

Thanks

MAhesh

Jouni Forss · ‎04-17-2013

Hi,

I cant say the reason for sure.

Seems to me that one connections is first built and then its teardown. Right after it another connection is built and teardown.

Here is one TCP connection building and teardown

67 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK on interface Net

66 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O

65 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"

62 2013/04/17 10:10:52.733 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)

Here is the next connection building and teardown

71 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK on interface Net

70 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O

69 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"

68 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)

In both cases it seems to me that the ASA has already removed the connection when the host is still in the process of closing the connection.

- Jouni

Jouni Forss · ‎04-17-2013

Also,

Here is the description of the log message which I assume you are seeing

Read the latter part of the below text to see the definition of "inbound" vs. "outbound"

302013

Error Message    %ASA-6-302013: Built {inbound|outbound} TCP connection_id for 
interface:real-address/real-port (mapped-address/mapped-port) to 
interface:real-address/real-port (mapped-address/mapped-port) [(user)]

Explanation A TCP connection slot between two hosts was created.

•connection_id —A unique identifier

•interface, real-address, real-port—The actual sockets

•mapped-address, mapped-port—The mapped sockets

•user—The AAA name of the user

If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

Recommended Action None required.

- Jouni

mahesh18 · ‎04-18-2013

Thanks a lot Jouni,

Regards

MAhesh