Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1576
Views
0
Helpful
3
Replies

log shows wrong source/destination, need help! (ASA 8.3)

pweichmann
Level 1
Level 1

‎05-26-2011 02:49 AM - edited ‎03-11-2019 01:38 PM

The Cisco ASDM or the event manager show wrong source/destination for teardown tcp messages:

In this example the communication is an ssh session;

from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reseted by 2.2.2.2

The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)

6May 26 201111:27:573020131.1.1.1540462.2.2.222Built outbound TCP connection 575077 for integration:2.2.2.2/22 (2.2.2.2/22) to panalpina:1.1.1.1/54046 (1.1.1.1/54046)

But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)

6May 26 201111:27:573020142.2.2.2221.1.1.154046Teardown TCP connection 575077 for integration:2.2.2.2/22 to panalpina:1.1.1.1/54046 duration 0:00:00 bytes 0 TCP Reset-O

Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!

Labels:
0 Helpful
3 Replies 3

Allen P Chen
Level 5
Level 5

‎05-26-2011 10:15 AM

Hello,

Log ID 302014 is available under the log message guide for both software versions 8.3 and 8.4.

8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4770614

8.4

http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp6941209

Based on the teardown message, the SSH server at 2.2.2.2 is resetting the connection (the log message indicates the reset is coming from the Outside, TCP Reset-O).  If the SSH server is sending the reset, then the source of the reset packet from host 2.2.2.2 should be correct.

Hope this helps.

0 Helpful

pweichmann
Level 1
Level 1
In response to Allen P Chen

‎05-30-2011 05:47 AM

Hi,

Thanks. It looks like the 302014 is only missing in the pdf where the 302015 follows the 302013 message ;)

I'm used to think that all messages pertaining to a stateful packet inspection session should be shown as the same source ip/port and dest ip/port direction and not show that a RST packet has been sent by the other side.

A.1026 - B.22   SYN

B.22  - A.1026   RST

Usually this is tracked only as a communication of A.1026 -> B.22.

This must be a bug, no?

Regards,

patrick

0 Helpful

Allen P Chen
Level 5
Level 5
In response to pweichmann

‎05-31-2011 10:11 AM

Hello,

If the remote end sends a reset packet to prevent the TCP 3-way handshake from completing, the ASA is going to log the source of the reset.  This is expected behavior.

Hope this helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card