FWSM 3.1(16) logs TCP-Reset, not Reset-O nor Reset-I

ffischer · ‎11-30-2010

While troubleshooting a TelePresence issue, I found the following in a FWSM Log (Ver 3.1(16))

Nov 30 11:10:32 inhouseFW %FWSM-6-302014: Teardown TCP connection 146533671494443748

for VideoVLAN:192.168.194.220/50579 to inhouse:192.168.18.163/5060 duration 0:02:10 bytes 21730 TCP Reset

Nov 30 11:11:21 inhouseFW %FWSM-6-302014: Teardown TCP connection 146533671494443752

for VideoVLAN:192.168.194.220/50617 to inhouse:192.168.18.163/5060 duration 0:02:10 bytes 21048 TCP Reset

Nov 30 11:12:11 inhouseFW %FWSM-6-302014: Teardown TCP connection 146533671494443758 for

VideoVLAN:192.168.194.220/50642 to inhouse:192.168.18.163/5060 duration 0:01:33 bytes 19388 TCP Reset

Now

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/system/message/logmsgs.html#wp1280675

explains:

TCP Reset-I: Reset was from the inside.
TCP Reset-O: Reset was from the outside.

The TCP Reset message is not documented.

Any idea what "TCP Reset" does mean ? A Connection reset by the SIP fixup / protocol inspection ?

Maybe somebody from Cisco could "grep" through the source ;-)

Regards,

Frank

Kureli Sankar · ‎11-30-2010

I filed a documentation defect http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsu03630

which got resolved.

Release note:

Symptom:

This is a documentation bug only.  FWSM 3.2 syslog documentation for syslog 302014 may not have information for tear down reason TCP Reset.

Conditions:

N/A

Workaround:

None

Further Problem Description:

FWSM-6-302014: Teardown TCP connection 146351710909894826 for INSIDE:10.254.160.24/1817 to OUTSIDE:192.168.219.25/80 duration 0:00:01 bytes 1504 TCP Reset

The above tear down reason TCP Reset may not be explained in the link below:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/system/message/logmsgs_external_docbase_0900e4b1804ca185_4container_external_docbase_0900e4b1805ba0fa.html#wp1280675

Resolved in link below:

The updated versions of the 3.2 and 4.0 System Log Messages Guides with the added setting for TCP Reset is available at the following URLs:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/system/message/logmsgs.html

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/system/message/logmsgs.html

TCP Reset

FWSM is tearing down a connection, which could occur for the following reasons:

•A software error occurred while trying to establish that connection, and the FWSM is unable to handle the new connection.

•As the result of an inspection policy for connections that are generated and handled by the protocol inspection (secondary channels).

-KS

ffischer · ‎12-01-2010

Hi,

sorry for not checking the doc of newer FWSM Versions before posting here....

The explanation is exactly what I suspected.

Thx a lot !

to go another step further..

Are there any well known inteoperability issues wih FWSM 3.1(16) SIP inspection

and recent Teleprecense / Callmanager Systems (will ask for Versions) ?

Thanks again, Frank

Kureli Sankar · ‎12-01-2010

Yes. This one http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso92808

See if this one applies to what you see.

-KS