06-22-2010 09:41 PM - edited 03-11-2019 11:02 AM
Hi
can I get advice about error log:
%ASA-6-303014: Teardown TCP connection 100668898 for outside:999.999.999.99/47336 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5240 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 47476333 for outside:999.999.999.99/47335 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5230 Failover primary closed
I have set up no timeout and the last failover happened last year.
Any comment will be appreciated
Thanks in advance
Julxu
06-22-2010 11:32 PM
The 302014 syslog messages are fairly standard when a TCP connection through the firewall is torn down. Remember that the ASA is a stateful firewall so it keeps track of the state of every TCP connection that comes through it. If at some point something tears that connection down then the ASA will not allow any more packets through on that connection.
All the syslog messages and their meanings are documented here:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770614
As you can see, the "TCP Reset-O" meaning on the first message means that the firewall saw a RST packet come from the outside host. At this point the firewall will remove the connection from its connection table and no further packets will pass. Why the outside host sent a RST is something only the outside host can answer.
The "failover primary closed" is, assuming these came in around the same time (which they did going by the TCP port numbers), actually from the standby firewall unit saying it has closed down the same connection due to the active unit closing it down. You must have stateful failover enabled, so that all active connections on the active firewall are replicated over to the standby firewall. Conversely, all connections that get torn down on the active unit (the first syslog) then get torn down on the standby unit (the second syslog).
Hope that helps.
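As an added example (not from this thread or from Cisco), a small Python parser for the teardown messages quoted above: it pulls out the connection fields, tallies the teardown reason per inside host:port, and flags outside-initiated resets ("TCP Reset-O") on flows that lasted an hour or more. The sample lines and their addresses are constructed, not the original poster's.

```python
import re
from collections import Counter

# Regex for the ASA TCP teardown syslog (302014 on current ASA code; the
# thread's first line shows 303014, so the message number is not hard-coded).
# A space after "inside:" is tolerated because the posted lines contain one.
TEARDOWN_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardown(line):
    """Return a dict of fields from one teardown message, or None if no match."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    h, mnt, s = (int(x) for x in d["dur"].split(":"))
    d["duration_s"] = h * 3600 + mnt * 60 + s
    for k in ("sev", "msgid", "conn", "src_port", "dst_port", "bytes"):
        d[k] = int(d[k])
    return d

def summarize(lines):
    """Count teardown reasons per inside host:port and collect outside-initiated
    resets (Reset-O) on long-lived flows, the case the thread asks about."""
    reasons = Counter()
    outside_resets = []
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        key = (rec["dst_ip"], rec["dst_port"])
        reasons[(key, rec["reason"])] += 1
        if rec["reason"] == "TCP Reset-O" and rec["duration_s"] >= 3600:
            outside_resets.append(rec)
    return reasons, outside_resets

# Constructed sample lines (documentation-range addresses, not from the thread).
SAMPLE = [
    "%ASA-6-302014: Teardown TCP connection 100668898 for outside:203.0.113.7/47336 to inside: 10.0.0.8/1531 duration 1:00:00 bytes 5240 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 47476333 for outside:203.0.113.7/47335 to inside: 10.0.0.8/1531 duration 1:00:00 bytes 5230 Failover primary closed",
    "%ASA-6-302014: Teardown TCP connection 47476400 for outside:203.0.113.9/50122 to inside: 10.0.0.8/443 duration 0:00:12 bytes 1800 TCP FINs",
]

if __name__ == "__main__":
    counts, resets = summarize(SAMPLE)
    print(dict(counts), [r["conn"] for r in resets])
```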