Teardown TCP connection

priyalchavada
Beginner

Hello Team,

I'm working as a SOC analyst. I'm analyzing Cisco devices and I got one alert regarding Teardown TCP connection from Cisco FTD.

 <182>May 24 2023 03:53:45 FTDP : %FTD-6-302014: Teardown TCP connection 259297712 for WAN_A:95.214.27.136/43134 to DMZ:172.16.100.4/5555 duration 0:00:30 bytes 0 Failover primary closed\n

 

Can you please explain the exact scenario in which this event occurs?

1 Accepted Solution

MHM Cisco World
VIP Mentor

FW HA is two FWs interconnected with each other; if one fails, the other takes its place to forward and inspect data traffic.
To see the right reason, check the log on the active FW.

3 Replies

Rob Ingram
VIP Master

@priyalchavada the FTD SYSLOG messages are all documented. Your syslog message 302014 ID states the reason was - "The standby unit in a failover pair deleted a connection because of a message received from the active unit."

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_6941209

302014

Error Message %FTD-6-302014: Teardown [Probe] TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user )]

Explanation A TCP connection between two hosts was deleted. The following list describes the message values:

  • probe—Indicates the TCP connection is a probe connection

  • id—A unique identifier

  • interface, real-address, real-port—The actual socket

  • duration—The lifetime of the connection

  • bytes—The data transfer of the connection

  • User—The AAA name of the user

  • idfw_user —The name of the identity firewall user

  • reason—The action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in the following table.

  • teardown-initiator—Interface name of the side that initiated the teardown.

Table 1. TCP Termination Reasons

| Reason | Description |
| --- | --- |
| Conn-timeout | The connection ended when a flow is closed because of the expiration of its inactivity timer. |
| Deny Terminate | Flow was terminated by application inspection. |
| Failover primary closed | The standby unit in a failover pair deleted a connection because of a message received from the active unit. |
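
The message layout quoted in the reply above can be split into fields for triage. The following is an added example, not part of the thread or of Cisco's documentation: the names `parse_302014` and `REASONS` and the second sample line are constructed for illustration, and only the three reasons quoted on this page are mapped to a description.

```python
import re

# Reason text for the three reasons quoted on this page; Cisco's full table lists more.
REASONS = {
    "Conn-timeout": "Flow closed because its inactivity timer expired.",
    "Deny Terminate": "Flow was terminated by application inspection.",
    "Failover primary closed": "Standby unit deleted the connection after a "
                               "message received from the active unit.",
}
# interface:real-address/real-port [(idfw_user)]; splitting at the first ':' keeps IPv6 intact
_EP = r"(?P<{0}_if>[^:\s]+):(?P<{0}_ip>[^/\s]+)/(?P<{0}_port>\d+)(?: ?\((?P<{0}_user>[^)]*)\))?"
_MSG = re.compile(
    r"%FTD-6-302014: Teardown (?P<probe>Probe )?TCP connection (?P<conn_id>\d+) for "
    + _EP.format("src") + " to " + _EP.format("dst")
    + r" duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?P<tail>.*)$"
)
# Optional trailer: reason [from teardown-initiator] [(user)]
_TAIL = re.compile(r"^(?P<reason>.*?)(?: from (?P<initiator>\S+))?(?: ?\((?P<user>[^)]*)\))?$")

def parse_302014(line):
    """Return the fields of one 302014 teardown message, or None if it is not one."""
    line = line.strip()
    if line.endswith("\\n"):  # newline stored as a literal backslash-n, as in the post
        line = line[:-2].rstrip()
    m = _MSG.search(line)
    if m is None:
        return None
    f = m.groupdict()
    t = _TAIL.match(f["tail"].strip()).groupdict()
    reason = t["reason"].strip() or None
    return {
        "conn_id": int(f["conn_id"]), "probe": f["probe"] is not None,
        "src": (f["src_if"], f["src_ip"], int(f["src_port"])),
        "dst": (f["dst_if"], f["dst_ip"], int(f["dst_port"])),
        "duration_s": int(f["h"]) * 3600 + int(f["m"]) * 60 + int(f["s"]),
        "bytes": int(f["bytes"]), "reason": reason,
        "initiator": t["initiator"], "user": t["user"],
        "reason_doc": REASONS.get(reason),  # None when the reason is not quoted on this page
    }

PAGE_LINE = (r"<182>May 24 2023 03:53:45 FTDP : %FTD-6-302014: Teardown TCP connection "
             r"259297712 for WAN_A:95.214.27.136/43134 to DMZ:172.16.100.4/5555 "
             r"duration 0:00:30 bytes 0 Failover primary closed\n")
# Constructed sample (documentation addresses) exercising the optional fields
CONSTRUCTED_LINE = ("%FTD-6-302014: Teardown TCP connection 42 for WAN_A:2001:db8::7/51000 "
                    "to DMZ:192.0.2.10/443 duration 1:02:03 bytes 1420 "
                    "Deny Terminate from DMZ (alice)")

if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(parse_302014(sample))
```
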

priyalchavada
Beginner

Hello Rob,

Thanks for the response.

I have two questions to ask as I'm a little bit confused.

Q1: What is the meaning of the term Active Unit?

Q2: Is the activity questionable, or can I consider it normal activity?
