10-26-2015 12:37 PM - edited 03-11-2019 11:47 PM
I get this TCP Reset-I when some of my servers are sending syslog information to my Splunk server. I am not sure what the root cause is, since I am able to send syslog from a number of devices to this server. Please assist.
6 Oct 26 2015 15:25:52 302013 10.1.106.50 44550 xxx.xxx.82.9 514 Built inbound TCP connection 256105191 for Outside:10.1.106.50/44550 (10.1.106.50/44550) to Vlan2000-Security:xxx.xxx.82.9/514 (xxx.xxx.82.9/514)
6 Oct 26 2015 15:25:52 302014 10.1.106.50 44550 xxx.xxx.82.9 514 Teardown TCP connection 256105191 for Outside:10.1.106.50/44550 to Vlan2000-Security:xxx.xxx.82.9/514 duration 0:00:00 bytes 0 TCP Reset-I
10-26-2015 10:20 PM
Hi Alex,
The above messages correlate to the building and tearing down of the state connections on the ASA, which is the expected behavior.
You might want to take packet captures to narrow down the issue.
Example :- capture <capture name> interface <ingress interface> match ip host <server1 IP> host <server2 IP>
Verify the output via :- show capture <capture name>
Ref:- https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
11-01-2015 12:31 AM
Hi Alex,
'TCP Reset-I' means that the Reset is coming from the higher security zone. From the capture you would also see that the inside host (or server) is sending a Reset. Check whether the three-way handshake is getting completed or not, or whether there is some password mismatch or something.
Also, there could be a proxy or anything else in the higher security zone which might be sending it, if not the main server. Track down the host by the MAC address it is coming from, with the help of a capture one hop down every time.
Regards,
Akshay Rastogi
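Added example, not part of the original posts: a small Python parser for ASA 302014 teardown lines in the format quoted in the question, which counts connections torn down with `TCP Reset-I` at zero duration and zero bytes per source and destination, so the affected sender/receiver pairs can be picked out before taking captures. The sample log lines and the `192.0.2.9` address are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the question;
# 192.0.2.9 is a documentation address, not a value from the thread.
SAMPLE = """\
6 Oct 26 2015 15:25:52 302013 10.1.106.50 44550 192.0.2.9 514 Built inbound TCP connection 256105191 for Outside:10.1.106.50/44550 (10.1.106.50/44550) to Vlan2000-Security:192.0.2.9/514 (192.0.2.9/514)
6 Oct 26 2015 15:25:52 302014 10.1.106.50 44550 192.0.2.9 514 Teardown TCP connection 256105191 for Outside:10.1.106.50/44550 to Vlan2000-Security:192.0.2.9/514 duration 0:00:00 bytes 0 TCP Reset-I
6 Oct 26 2015 15:26:10 302014 10.1.106.51 40112 192.0.2.9 514 Teardown TCP connection 256105200 for Outside:10.1.106.51/40112 to Vlan2000-Security:192.0.2.9/514 duration 0:05:12 bytes 48211 TCP FINs
6 Oct 26 2015 15:27:01 302014 10.1.106.50 44561 192.0.2.9 514 Teardown TCP connection 256105260 for Outside:10.1.106.50/44561 to Vlan2000-Security:192.0.2.9/514 duration 0:00:00 bytes 0 TCP Reset-I
"""

# Matches the free-text part of a teardown message (message ID 302014 on this page).
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardowns(text):
    """Return one dict per teardown line; other lines (e.g. Built) are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        h, mi, s = map(int, rec["dur"].split(":"))
        rec["seconds"] = h * 3600 + mi * 60 + s
        records.append(rec)
    return records

def immediate_resets(records, reason="TCP Reset-I"):
    """Count zero-byte, zero-duration teardowns with `reason` per (src, dst, dport)."""
    hits = Counter()
    for r in records:
        if r["reason"] == reason and r["bytes"] == 0 and r["seconds"] == 0:
            hits[(r["src"], r["dst"], r["dport"])] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, dport), n in immediate_resets(parse_teardowns(SAMPLE)).most_common():
        print(f"{src} -> {dst}:{dport}  immediate Reset-I teardowns: {n}")
```
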