01-25-2012 10:19 PM - edited 03-11-2019 03:19 PM
Hi all, I have a few questions:
1. I was wondering, when we see the following message in syslog, does it mean that the TCP 3-way handshake has been completed, or does it mean only that a SYN flag has been sent to the destination (192.168.1.1)?
%ASA-6-302013: Built inbound TCP connection 101 for outside:172.16.1.1/1337 to inside:192.168.1.1/23 (192.168.1.1/23)
2. In the packet capture below, normally we'll know that data has been transferred by looking at the PUSH & ACK flags (P & ack). How about the syslog message, since we cannot see the TCP flags in it? Is there a similar message in syslog that shows that data has been transferred between source and destination?
: 16:10:01.745673 172.16.1.1.1494 > 192.168.154.196.4027: P 3118519132:3118519143(11) ack 563496654 win 64331
3. Sometimes, we also experience a SYN flag being sent by the source, but there is no reply (SYN/ACK) from the destination. Since the source address does not receive the SYN/ACK, the destination finally will send RST to terminate the connection. Can we see this message in the syslog?
Thanks
01-26-2012 02:28 AM
Adam,
1) My recollection is that we will install a connection as soon as a SYN is seen (provided it goes through the checks done before).
If we didn't, we could not start the half-open timer for TCP.
2) We do not log data passing through connections. You can check the amount of data transferred by looking at "show conn ...."
3) You will see the connection teardown with a reason. If it's an RST it will be RESET I or RESET O.
You can see a list of teardown reasons:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp6275532
Marcin
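As an added example (not part of this thread), the three answers above in code: a Python correlation of 302013 "Built" lines with 302014 "Teardown" lines by connection id. The Built line alone shows only that the SYN was admitted; whether any data moved, and whether the teardown was a reset or a SYN timeout, is visible only in the teardown's byte count and reason field. The 302014 sample lines and their reason strings are constructed here; verify the exact reason text against the message guide linked above for your release.

```python
import re

# Constructed sample. The 302013 line copies the one quoted in the question; the
# 302014 teardown lines follow the "Teardown TCP connection ... duration ... bytes
# ... <reason>" layout and their values are made up for illustration.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 101 for outside:172.16.1.1/1337 to inside:192.168.1.1/23 (192.168.1.1/23)
%ASA-6-302014: Teardown TCP connection 101 for outside:172.16.1.1/1337 to inside:192.168.1.1/23 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 102 for outside:172.16.1.1/1338 to inside:192.168.1.1/22 (192.168.1.1/22)
%ASA-6-302014: Teardown TCP connection 102 for outside:172.16.1.1/1338 to inside:192.168.1.1/22 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 103 for outside:172.16.1.1/1339 to inside:192.168.1.1/80 (192.168.1.1/80)
%ASA-6-302014: Teardown TCP connection 103 for outside:172.16.1.1/1339 to inside:192.168.1.1/80 duration 0:01:12 bytes 4821 TCP FINs
%ASA-6-302013: Built inbound TCP connection 104 for outside:172.16.1.1/1340 to inside:192.168.1.1/443 (192.168.1.1/443)
"""

BUILT_RE = re.compile(r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection "
                      r"(?P<id>\d+) for (?P<src>\S+) to (?P<dst>\S+)")
TEARDOWN_RE = re.compile(r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
                         r"\S+ to \S+ duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")

def correlate(log_text):
    """Pair each 302013 'Built' with its 302014 'Teardown' by connection id."""
    conns = {}
    for line in log_text.splitlines():
        if m := BUILT_RE.search(line):
            # Built only proves the SYN passed the firewall's checks.
            conns[m["id"]] = {"src": m["src"], "dst": m["dst"], "bytes": None, "reason": None}
        elif (m := TEARDOWN_RE.search(line)) and m["id"] in conns:
            # Data transfer is visible only here, via the byte count and reason.
            conns[m["id"]]["bytes"] = int(m["bytes"])
            conns[m["id"]]["reason"] = (m["reason"] or "").strip()
    return conns

def classify(conn):
    """Label a correlated connection for triage."""
    if conn["bytes"] is None:
        return "open"           # built, no teardown seen yet
    if conn["reason"].startswith("SYN Timeout"):
        return "half-open"      # SYN seen, handshake never completed
    if conn["bytes"] == 0 and "Reset" in conn["reason"]:
        return "reset-no-data"  # reset before any payload crossed
    return "completed"

def summarize(log_text):
    """Count connections per label; zero-byte resets and timeouts hint at probing."""
    counts = {}
    for conn in correlate(log_text).values():
        counts[classify(conn)] = counts.get(classify(conn), 0) + 1
    return counts
```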