04-17-2013 09:58 AM - edited 03-11-2019 06:30 PM
Hi Everyone,
On one of the ASAs I have this config, say:
interface BCISCO
nameif CISCO
ip address 192.168.x.x 255.255.0.0 standby IP 192.168.x.x
I need to understand why we have the interface and nameif different here?
Also, when I try to access the ASA by ASDM from the internal network, the log shows
"built inbound TCP connection" for the ASA interface.
So I need to know: whenever we access the ASA from the internal network, will it say inbound connection?
Or are there some criteria that tell when a connection is inbound to the ASA?
Thanks
MAhesh
04-17-2013 10:01 AM
Hi,
Is this ASA running in Multiple Context Mode?
In the System Context space where you create a Security Context and use the "allocate-interface" command, it lets you give the interface a name instead of the typical interface type which you usually see.
The command might look something like this
context
allocate-interface
Can you share the example log messages?
I would imagine that you are talking about the Syslog message with which the ASA tells that some host is connecting to the ASA with ASDM? Then it would be natural that the host is opening an "inbound" connection to the ASA.
- Jouni
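To make the mapping concrete, here is an added example configuration (not from the thread, and not Mahesh's actual config; the context name, physical interface and config-url are assumptions). It shows how the name given in the system execution space's allocate-interface command becomes the name that "interface" refers to inside the context, while nameif is still assigned inside the context and is what ACLs, NAT and syslog messages (such as "Net" in the logs below) use:

```text
! System execution space (constructed example)
context CUSTOMER1
  allocate-interface GigabitEthernet0/1 BCISCO
  config-url disk0:/customer1.cfg

! Inside context CUSTOMER1: BCISCO is the mapped name allocated above,
! CISCO is the security name (nameif) that shows up in ACLs and syslog
interface BCISCO
 nameif CISCO
 security-level 100
 ip address 192.168.x.x 255.255.0.0 standby 192.168.x.x
```

From within the context you cannot see the physical interface at all, which is why the OP's config shows "interface BCISCO" instead of the usual "interface GigabitEthernet0/1"; the security-level and addresses are placeholders carried over from the question, not values from this deployment.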
04-17-2013 10:10 AM
Also,
Here is the description of the log message which I assume you are seeing
Read the latter part of the text below to see the definition of "inbound" vs. "outbound".
302013
Error Message %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]
Explanation A TCP connection slot between two hosts was created.
• connection_id—A unique identifier
• interface, real-address, real-port—The actual sockets
• mapped-address, mapped-port—The mapped sockets
• user—The AAA name of the user
If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.
Recommended Action None required.
- Jouni
04-17-2013 10:46 AM
Hi,
I can't say the reason for sure.
Seems to me that one connection is first built and then torn down. Right after it, another connection is built and torn down.
Here is one TCP connection being built and torn down:
67 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK on interface Net
66 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
65 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"
62 2013/04/17 10:10:52.733 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)
Here is the next connection being built and torn down:
71 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK on interface Net
70 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
69 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"
68 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)
In both cases it seems to me that the ASA has already removed the connection when the host is still in the process of closing the connection.
- Jouni
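The 302013 description in the previous reply and the build/teardown pairing in this one are the kind of thing a log pipeline should do automatically. The following is an added example (my own code, not Cisco's or ASDM's) that correlates the four message IDs seen in this thread: it pairs 302013 "Built" with 302014 "Teardown" by connection id, attaches the 605005 login to the matching source socket, keeps the inbound/outbound direction exactly as the ASA reported it, and flags the benign pattern Jouni describes, a 106015 "Deny TCP (no connection)" carrying FIN that arrives after the ASA has already torn the connection down. It also marks connections whose destination interface is "identity", which the ASA uses for traffic terminating on the firewall itself (ASDM/HTTPS, SSH). The sample input reuses the thread's own lines for connection 11283684; the outbound connection 11284100, the interface name "outside" and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed to show the other direction, and the "<seq> <date> <time> MST <sender>" prefix is assumed to be the ASDM log viewer layout.

```python
"""Correlate Cisco ASA TCP connection syslog messages (added example).

Pairs 302013 Built / 302014 Teardown by connection id, attaches the
605005 login, preserves the inbound/outbound flag and detects a 106015
"Deny TCP (no connection)" FIN that arrives after the teardown.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: seq 62-67 are the thread's own messages for connection
# 11283684; seq 80-81 are made up (outbound, interface "outside",
# documentation addresses) to show a through-the-box connection.
SAMPLE_LOG = """\
67 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK on interface Net
66 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
65 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"
62 2013/04/17 10:10:52.733 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)
81 2013/04/17 10:11:09.000 MST 192.168.100.12 Apr 17 2013 17:11:08: %ASA-6-302014: Teardown TCP connection 11284100 for Net:192.168.100.17/62300 to outside:198.51.100.10/443 duration 0:00:04 bytes 5120 TCP FINs
80 2013/04/17 10:11:05.000 MST 192.168.100.12 Apr 17 2013 17:11:04: %ASA-6-302013: Built outbound TCP connection 11284100 for Net:192.168.100.17/62300 (203.0.113.5/62300) to outside:198.51.100.10/443 (198.51.100.10/443)
"""

# Viewer prefix: sequence number first, then the %ASA-<sev>-<id>: body.
LINE_RE = re.compile(r"^(?P<seq>\d+)\s.*?%ASA-\d-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>[^:]+):(?P<sip>\S+)/(?P<sport>\d+) \(\S+/\d+\) to "
    r"(?P<dif>[^:]+):(?P<dip>\S+)/(?P<dport>\d+) \(\S+/\d+\)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for (?P<sif>[^:]+):(?P<sip>\S+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:]+):(?P<dip>\S+)/(?P<dport>\d+) duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+)\s*(?P<reason>.*)")
LOGIN_RE = re.compile(
    r"Login permitted from (?P<sip>\S+)/(?P<sport>\d+) to (?P<dif>[^:]+):(?P<dip>\S+)/\S+ "
    r'for user "(?P<user>[^"]+)"')
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<sip>\S+)/(?P<sport>\d+) to (?P<dip>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)")


@dataclass
class Connection:
    conn_id: int
    direction: str                 # "inbound" / "outbound" exactly as 302013 says
    src: Tuple[str, int]
    dst: Tuple[str, int]
    src_if: str
    dst_if: str
    built_seq: int
    torn_down_seq: Optional[int] = None
    duration: Optional[str] = None
    byte_count: Optional[int] = None
    teardown_reason: Optional[str] = None
    user: Optional[str] = None     # from 605005, only for to-the-box logins
    late_fin: bool = False         # 106015 with FIN seen after our teardown

    @property
    def to_the_box(self) -> bool:
        # The ASA reports "identity" as the far-side interface when the
        # connection terminates on the firewall itself (ASDM, SSH, ...).
        return self.dst_if == "identity"


def correlate(log_text: str) -> Dict[int, Connection]:
    """Return connections keyed by ASA connection id, in capture order."""
    events: List[Tuple[int, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["seq"]), m["msgid"], m["body"]))
    events.sort()                  # the viewer lists newest first; replay oldest first
    conns: Dict[int, Connection] = {}
    by_key: Dict[Tuple[str, int, str], Connection] = {}   # (src ip, src port, dst ip)
    for seq, msgid, body in events:
        if msgid == "302013" and (b := BUILT_RE.match(body)):
            c = Connection(int(b["id"]), b["dir"], (b["sip"], int(b["sport"])),
                           (b["dip"], int(b["dport"])), b["sif"], b["dif"], seq)
            conns[c.conn_id] = c
            by_key[(c.src[0], c.src[1], c.dst[0])] = c
        elif msgid == "302014" and (t := TEARDOWN_RE.match(body)):
            c = conns.get(int(t["id"]))
            if c:
                c.torn_down_seq = seq
                c.duration = t["dur"]
                c.byte_count = int(t["bytes"])
                c.teardown_reason = t["reason"].strip()
        elif msgid == "605005" and (lg := LOGIN_RE.match(body)):
            # 605005 gives the service name (https), not the port, so key on src socket + dst ip
            c = by_key.get((lg["sip"], int(lg["sport"]), lg["dip"]))
            if c:
                c.user = lg["user"]
        elif msgid == "106015" and (d := DENY_RE.match(body)):
            c = by_key.get((d["sip"], int(d["sport"]), d["dip"]))
            if (c and c.torn_down_seq is not None and seq > c.torn_down_seq
                    and "FIN" in d["flags"].split()):
                c.late_fin = True   # host still closing a flow the ASA already dropped
    return conns


if __name__ == "__main__":
    for c in correlate(SAMPLE_LOG).values():
        kind = "to-the-box" if c.to_the_box else "through-the-box"
        print(f"conn {c.conn_id}: {c.direction} {kind} {c.src_if}:{c.src} -> {c.dst_if}:{c.dst} "
              f"user={c.user} bytes={c.byte_count} reason={c.teardown_reason} late_fin={c.late_fin}")
```

Feeding it the viewer export from the thread reproduces Jouni's reading: connection 11283684 is inbound and to-the-box, was authenticated as "cisco", was closed by the ASA with "TCP Reset-O", and the FIN/ACK denied one sequence number later is the client finishing a close the firewall no longer tracks. In a SIEM rule the late_fin flag is the condition to suppress, so that genuine 106015 events (packets for flows the ASA never built) still stand out.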
04-17-2013 10:25 AM
Hi Jouni,
Yes, it is in context mode.
72 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302013: Built inbound TCP connection 11283929 for Net:192.168.100.17/62287 (192.168.100.17/62287) to identity:192.168.100.12/443 (192.168.100.12/443)
71 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK on interface Net
70 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
69 2013/04/17 10:10:59.640 MST 192.168.100.12 Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"
68 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)
67 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK on interface Net
66 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
65 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"
64 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-606001: ASDM session number 0 from 192.168.100.17 started
63 2013/04/17 10:10:56.343 MST 192.168.100.12 Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62284 to Net:192.168.100.12/https for user "cisco"
62 2013/04/17 10:10:52.733 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)
61 2013/04/17 10:10:52.718 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283681 for Net:192.168.100.17/62284 (192.168.100.17/62284) to identity:192.168.100.12/443 (192.168.100.12/443)
60 2013/04/17 10:10:52.515 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62283 to 192.168.100.12/443 flags FIN ACK on interface Net
59 2013/04/17 10:10:52.515 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-302014: Teardown TCP connection 11283636 for Net:192.168.100.17/62283 to identity:192.168.100.12/443 duration 0:00:02 bytes 806 TCP Reset-O
58 2013/04/17 10:10:52.515 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62283 to Net:192.168.100.12/https for user "cisco"
57 2013/04/17 10:10:52.358 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-606003: ASDM logging session number 0 from 192.168.100.17 started
56 2013/04/17 10:10:52.358 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62282 to Net:192.168.100.12/https for user "cisco"
55 2013/04/17 10:10:50.374 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283636 for Net:192.168.100.17/62283 (192.168.100.17/62283) to identity:192.168.100.12/443 (192.168.100.12/443)
54 2013/04/17 10:10:50.140 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283629 for Net:192.168.100.17/62282 (192.168.100.17/62282) to identity:192.168.100.12/443 (192.168.100.12/443)
53 2013/04/17 10:10:50.108 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62281 to 192.168.100.12/443 flags FIN ACK on interface Net
52 2013/04/17 10:10:50.108 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302014: Teardown TCP connection 11283529 for Net:192.168.100.17/62281 to identity:192.168.100.12/443 duration 0:00:02 bytes 3107 TCP Reset-O
51 2013/04/17 10:10:49.937 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-605005: Login permitted from 192.168.100.17/62281 to Net:192.168.100.12/https for user "cisco"
50 2013/04/17 10:10:47.640 MST 192.168.100.12 Apr 17 2013 17:10:46: %ASA-6-302013: Built inbound TCP connection 11283529 for Net:192.168.100.17/62281 (192.168.100.17/62281) to identity:192.168.100.12/443 (192.168.100.12/443)
Where interface NET is the ASA interface with IP 192.168.100.12
192.168.100.17 is my PC's IP
This is the log while I access the ASA by https.
Can you please tell me why the log has repeated lines? For example,
"ASDM logging session started" appears 2 times.
Thanks
MAhesh
04-18-2013 09:02 AM
Thanks a lot Jouni,
Regards
MAhesh