Not able to understand a log on ASA

asheesh.gupta11
Level 1

Hi All,

I am getting this message in my firewall: Teardown TCP connection 20081514 for INTERNET:x.x.x.x/80 to APP_DMZ:y.y.y.y/51760 duration 0:00:58 bytes 9859 TCP FINs

Does it mean the flag was sent to y.y.y.y, or was it deleted by the firewall before the flag from x.x.x.x was sent to y.y.y.y?

Accepted Solution

There are some details that are inconsistent, such as using port 51760 in the build message and using port 51766 in the tear down. Or using connection number 20081514 in the build message and using connection number 20087604 in the tear down. It makes me wonder if the messages are really part of the same transaction.

 

But it seems to me that there is an explanation of what is happening. A device in the DMZ initiates an HTTP request (TCP port 80) to some web server in the Internet and the ASA creates a connection entry. A TCP session was established. We do not know how many packets were transmitted. But we do know that the TCP session was very brief and that 9859 bytes were transmitted. And then the web server sent TCP FIN to terminate the TCP session. So the ASA then tears down the TCP session. The processing on the ASA is fairly straightforward and I do not see a problem on the ASA. The real question, it seems to me, is why the web server is terminating the TCP session.

 

HTH

Rick
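Rick's point about checking whether the Built and Teardown messages really belong to the same connection can be automated. The following is an added example, not code from the thread or from Cisco, written in Python: it parses the two ASA message formats quoted here (302013 Built / 302014 Teardown), pairs them by connection id, and reports a missing Built entry or differing ports. The sample lines are constructed after the ones posted in the thread, and the "from client"/"from server" handling assumes an ASA release that appends that suffix to the teardown reason.

```python
import re

# ASA 302013 (Built) / 302014 (Teardown) TCP connection messages, as quoted in the
# thread. Endpoints appear in interface order, not initiator-first.
END = r"(?P<{n}_if>[^:\s]+):(?P<{n}>[^/\s]+)/(?P<{n}_port>\d+)"
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    + END.format(n="a") + r" \([^)]*\) to " + END.format(n="b") + r" \([^)]*\)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for " + END.format(n="a") + " to "
    + END.format(n="b") + r" duration (?P<duration>\S+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*))?$")

def fin_side(reason):
    """'client'/'server' when the reason names the closing side (some ASA
    releases log 'TCP FINs from server'); otherwise 'unknown'."""
    reason = reason or ""
    return "client" if "from client" in reason else "server" if "from server" in reason else "unknown"

def correlate(lines):
    """Pair each Teardown with the Built line carrying the same connection id and
    list inconsistencies: a missing Built, or endpoints/ports that differ."""
    built, results = {}, []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[m["conn"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # some other syslog message
        t = m.groupdict()
        b = built.pop(t["conn"], None)
        if b is None:
            issues = ["no Built message with this connection id"]
        else:
            issues = [f"{k} differs: built {b[k]} vs teardown {t[k]}"
                      for k in ("a", "a_port", "b", "b_port") if b[k] != t[k]]
        results.append({"conn": t["conn"], "bytes": int(t["bytes"]),
                        "duration": t["duration"], "reason": t["reason"] or "",
                        "closed_by": fin_side(t["reason"]), "issues": issues})
    return results

# Constructed sample modelled on the lines posted in the thread (addresses masked).
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 20081514 for INTERNET:x.x.x.x/80 (x.x.x.x/80) to APP_DMZ:y.y.y.y/51760 (y.y.y.y/51760)",
    "%ASA-6-302014: Teardown TCP connection 20081514 for INTERNET:x.x.x.x/80 to APP_DMZ:y.y.y.y/51760 duration 0:00:58 bytes 9859 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 20087604 for INTERNET:x.x.x.x/80 to APP_DMZ:y.y.y.y/51766 duration 0:00:01 bytes 9859 TCP FINs",
]
```

Running `correlate(SAMPLE_LOG)` pairs connection 20081514 cleanly and flags 20087604 as having no matching Built line, which is exactly the inconsistency noted above.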


5 Replies

balaji.bandi
Hall of Fame

Look at the teardown examples below:

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116149-qanda-ASA-00.html

 

Is this continuously happening, or is it just one case?

 

BB


Hi Balaji,

I am sending the traffic from the DMZ interface, from y.y.y.y/80 to x.x.x.x (internet).

I am able to send; in response, the message I get in the firewall is

Built dynamic TCP translation from APP_DMZ:y.y.y.y/80 to INTERNET:x.x.x.x

and after that I receive two logs in the firewall:

Built outbound TCP connection 20081514 for INTERNET:x.x.x.x/80 (x.x.x.x/80) to APP_DMZ:y.y.y.y/51760 (y.y.y.y/51760)

Teardown TCP connection 20087604 for INTERNET:x.x.x.x/80 to APP_DMZ:y.y.y.y/51766 duration 0:00:01 bytes 9859 TCP FINs

and it happens every time.

202.51.3.237: I do not see the connection for port 80; the connection is open. But the teardown is coming from 202.51.3.237.

 

Since we are not sure what your rule base is, can you post your full configuration so we can have a look at your ACL?

 

Also provide the ASA model and show version output along with the config.

BB



Hi Richard,

Thanks for helping me understand that the server is sending an acknowledgement to tear down the connection (it is the behavior of the server to send an acknowledgment flag back to the host so that the host understands that the transaction is successful).
