PIX syslog message PIX-6-302002

jerryd
Level 1

In the PIX documentation it doesn't give any guidelines as to what the flags on the end of the message mean. In the syslog message below, the TCP session is reset and any packets following this are denied because of no connection in the connection table.

Feb 12 08:59:44 pixfw %PIX-6-302002: Teardown TCP connection 30269612 faddr 196.8.107.24/443 gaddr 196.26.139.246/56873 laddr 10.2.2.111/56873 duration 0:00:01 bytes 2870 (TCP Reset-I)

What I would like to know is which side initiated the TCP reset.

1 Reply 1

mhussein
Level 4

Here is an unofficial list of PIX connection flags:

Flag | Meaning
--- | ---
U | up
f | inside FIN
F | outside FIN
r | inside acknowledged FIN
R | outside acknowledged FIN
s | awaiting outside SYN
S | awaiting inside SYN
M | SMTP data
H | HTTP get (not used)
I | inbound data
O | outbound data
q | SQL*Net data
n | nailed connection (not supported)
d | dump
P | inside back connection
E | outside back connection
G | group
p | replicated (unused)
a | awaiting outside ACK to SYN
A | awaiting inside ACK to SYN
B | initial SYN from outside
R | RPC
H | H.323
D | DNS

About a year ago I was told that PIX flags will be documented on CCO, but I don't think that has been done yet. Anyway, the list above covers most of the flags displayed when issuing a "show connection" command.

I'd recommend contacting TAC about this issue.

Regards,

Mustafa Hussein

Comark, Inc.
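
As an added example (not part of the original thread and not Cisco code): a Python parser for the 302002 teardown line quoted in the question, which extracts the trailing reason and tallies resets per local host. The mapping of the `-I`/`-O` suffix to inside/outside is an assumption based on how Cisco documents teardown reasons, not something stated in the thread; the second and third sample lines are constructed.

```python
import re
from collections import Counter
from datetime import timedelta

# Field order copied from the sample line in the question.
TEARDOWN_RE = re.compile(
    r"%PIX-6-302002: Teardown TCP connection (?P<conn>\d+)"
    r" faddr (?P<faddr>[\d.]+)/(?P<fport>\d+)"
    r" gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+)"
    r" laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
    r" duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)"
    r" bytes (?P<bytes>\d+)(?: \((?P<reason>[^)]+)\))?"
)

# Assumption (not stated in the thread): suffix meanings as Cisco documents
# them for teardown reasons: -I = reset from the inside, -O = from the outside.
RESET_SIDE = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}

def parse_teardown(line):
    """Return the fields of one 302002 line as a dict, or None if it does not match."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "conn": int(g["conn"]),
        "foreign": (g["faddr"], int(g["fport"])),
        "global": (g["gaddr"], int(g["gport"])),
        "local": (g["laddr"], int(g["lport"])),
        "duration": timedelta(hours=int(g["h"]), minutes=int(g["m"]), seconds=int(g["s"])),
        "bytes": int(g["bytes"]),
        "reason": g["reason"],                      # None when there is no "(...)" suffix
        "reset_side": RESET_SIDE.get(g["reason"]),  # None for non-reset teardowns
    }

def resets_by_local_host(lines):
    """Count reset teardowns per (local address, reset side)."""
    counts = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec and rec["reset_side"]:
            counts[(rec["local"][0], rec["reset_side"])] += 1
    return counts

# First line is the one from the question; the other two are constructed.
SAMPLE = [
    "Feb 12 08:59:44 pixfw %PIX-6-302002: Teardown TCP connection 30269612 faddr 196.8.107.24/443 gaddr 196.26.139.246/56873 laddr 10.2.2.111/56873 duration 0:00:01 bytes 2870 (TCP Reset-I)",
    "Feb 12 09:01:10 pixfw %PIX-6-302002: Teardown TCP connection 30269700 faddr 192.0.2.10/80 gaddr 198.51.100.5/40122 laddr 10.2.2.111/40122 duration 0:00:12 bytes 5120 (TCP Reset-O)",
    "Feb 12 09:02:31 pixfw %PIX-6-302002: Teardown TCP connection 30269755 faddr 192.0.2.10/80 gaddr 198.51.100.5/40130 laddr 10.2.2.112/40130 duration 0:01:05 bytes 912",
]
```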
