Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1339
Views
2
Helpful
3
Replies

Teardown TCP connection

Go to solution
priyalchavada
Level 1
Level 1

‎05-23-2023 09:26 PM

Hello Team,

I'm working as SOC analyst, I'm analyzing CISCO devices and i get one alert regarding Teardown TCP connection from CISCO FTD.

 <182>May 24 2023 03:53:45 FTDP : %FTD-6-302014: Teardown TCP connection 259297712 for WAN_A:95.214.27.136/43134 to DMZ:172.16.100.4/5555 duration 0:00:30 bytes 0 Failover primary closed\n

 

Can you please explain the exact scenario behind this event occure.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎05-30-2023 06:19 PM

FW HA is two FW interconnect to each other is one failed the other will take place to forward inspect data traffic 
to see the right reason check the Log in active FW

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎05-23-2023 11:55 PM

@priyalchavada the FTD SYSLOG messages are all documented. Your syslog message 302014 ID states the reason was - "The standby unit in a failover pair deleted a connection because of a message received from the active unit."

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_6941209

302014

Error Message %FTD-6-302014: Teardown [Probe] TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user )]

Explanation A TCP connection between two hosts was deleted. The following list describes the message values:

  • probe—Indicates the TCP connection is a probe connectionid —A unique identifier

  • interface, real-address, real-port—The actual socket

  • duration—The lifetime of the connection

  • bytes The data transfer of the connection

  • User—The AAA name of the user

  • idfw_user —The name of the identity firewall user

  • reason—The action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in the following table.

  • teardown-initiator—Interface name of the side that initiated the teardown.

Table 1. TCP Termination Reasons

Reason

Description

Conn-timeout

The connection ended when a flow is closed because of the expiration of its inactivity timer.

Deny Terminate

Flow was terminated by application inspection.

Failover primary closed

The standby unit in a failover pair deleted a connection because of a message received from the active unit.

Go to solution
priyalchavada
Level 1
Level 1

‎05-24-2023 12:48 AM

Hello Rob,

Thanks for the response.

I have two question to ask as I'm little bit confuse.

Q1 : What is the meaning of term Active Unit?

Q2 : Is the activity is questionable or I can consider in normal activity? 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎05-30-2023 06:19 PM

FW HA is two FW interconnect to each other is one failed the other will take place to forward inspect data traffic 
to see the right reason check the Log in active FW

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card