Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
544
Views
5
Helpful
1
Replies

Is it possible to infer the direction from a 302014 without correlating with a 302013

mi
Level 1
Level 1

‎01-05-2018 02:38 PM - edited ‎02-21-2020 07:04 AM

Take these two example below. 


%ASA-6-302014: Teardown TCP connection 9 for outside:10.1.2.1/22 to inside:
10.1.1.2/53496 duration 0:00:30 bytes 0 SYN Timeout

 

%ASA-6-302014: Teardown TCP connection 8 for inside:
10.1.1.2/12523 to NP Identity Ifc:10.1.1.1/22 duration
0:00:53 bytes 2436 TCP FINs

 

I know that in both cases the server was listening on port 22. So in both cases the client connected to the server. However, these two events have the direction reversed. The first has the server IP and port showing up first and the second has the IP and port of the server showing up last.

 

I know that if you look at the corresponding 302013 events you can infer the direction since those events have an inbound/outbound flag. 

 

Here are my questions:

1) Is it even possible by looking at the 302014 events in isolation (without collerating them with a 302013) to infer the direction (which IP initiated the connection)? 

2) I also see that these events have a very generic "bytes" fields, are these bytes send from client to server or are they from server to client? Maybe these are both directions added together? 

 

 

Labels:
0 Helpful
1 Reply 1

Ajay Saini
Level 7
Level 7

‎01-07-2018 09:52 PM

Hello,

 

1) Is it even possible by looking at the 302014 events in isolation (without collerating them with a 302013) to infer the direction (which IP initiated the connection)? 

 

Looking at the definition of the syslog messages, we would need 302013 to indicate the direction and initiator. Just by looking at the syslog 302014, we can only guess since the initiator has random high number source port and the server would have well known port like tcp/22 in your case. Just 302014 would not be sufficient to conclude the initiator or direction.

 

2) I also see that these events have a very generic "bytes" fields, are these bytes send from client to server or are they from server to client? Maybe these are both directions added together? 

 These bytes refer to the total number of bytes specific to this connection bidirectional.

 

-HTH

AJ

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card