Solved: Re: asa5520 error messages

julxu · ‎06-22-2010

Hi

can I get advice about error log:

%ASA-6-303014: Teardown TCP connection 100668898 for outside:999.999.999.99/47336 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5240 TCP Reset-O

%ASA-6-302014: Teardown TCP connection 47476333 for outside:999.999.999.99/47335 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5230 Failover primary closed

I have setup no timeout and the last failover was happend last year.

Any comment will be appreciated

Thanks in advance

Julxu

gfullage · ‎06-22-2010

The 302014 syslog messages are fairly standard when a TCP connection through the firewall is torn down. Remember that the ASA is a stateful firewall so it keeps track of the state of every TCP connection that comes through it. If at some point something tears that connection down then the ASA will not allow any more packets through on that connection.

All the syslog messages and their meanings are documented here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770614

As you can see, the "TCP Reset-O" meaning on the first message means that the firewall saw a RST packet come from the outside host. At this point the firewall will remove the connection from its connection table and no further packets will pass. Why the outside host sent a RST is something only the outside host can answer.

The "failover primary closed" is, assuming these came in around the same time (which they did going by the TCP port numbers), is actually from the standby firewall unit saying it has closed down the same connection due to the active unit closing it down. You must have stateful failover enabled, so that all active connections on the active firewall are replicated over to the standby firewall. Conversely all connections that get torn down on the active unit (the first syslog), then get torn down on the standby unit (the second syslog).

Hope that helps.

View solution in original post

gfullage · ‎06-22-2010

The 302014 syslog messages are fairly standard when a TCP connection through the firewall is torn down. Remember that the ASA is a stateful firewall so it keeps track of the state of every TCP connection that comes through it. If at some point something tears that connection down then the ASA will not allow any more packets through on that connection.

All the syslog messages and their meanings are documented here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770614

As you can see, the "TCP Reset-O" meaning on the first message means that the firewall saw a RST packet come from the outside host. At this point the firewall will remove the connection from its connection table and no further packets will pass. Why the outside host sent a RST is something only the outside host can answer.

The "failover primary closed" is, assuming these came in around the same time (which they did going by the TCP port numbers), is actually from the standby firewall unit saying it has closed down the same connection due to the active unit closing it down. You must have stateful failover enabled, so that all active connections on the active firewall are replicated over to the standby firewall. Conversely all connections that get torn down on the active unit (the first syslog), then get torn down on the standby unit (the second syslog).

Hope that helps.

khaled ben hammouda · ‎05-15-2019

Hi,
I have the same problem, could you please tell me how can I resolve the issue ?

Best Regards
Khaled