Teardown vs genuine connection

Proton
Level 1

Hi All,

I have events for Cisco ASA where I have 2 kinds of connections being built.

 

Case 1: Genuine Connections:

The genuine connection will only have one entry which will be as follows.

| name | deviceEventClassId |
| --- | --- |
| Built inbound TCP connection | 302013 |

 

Case 2: Teardown Connections:

The teardown connection will have the following 3 entries in succession till it reaches teardown.

| name | deviceEventClassId |
| --- | --- |
| Built inbound TCP connection | 302013 |
| Packet permitted by Access List | 106100 |
| Teardown TCP connection | 302014 |

 

Query:

How will you check for a teardown v/s a genuine connection that has been allowed?

 

Thanks.

1 Reply

Mike.Cifelli
VIP Alumni
I am going to provide you with some information that is hopefully beneficial.
I would recommend checking this out: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

A few other nice-to-knows:
You can utilize the ASA packet tracing tool that will allow you to troubleshoot connections to determine what could potentially be blocking a connection. See here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Depending on your environment something that may occur is asynchronous routing. You can utilize something known as TCP state bypass that simply tells the ASA to disable stateful inspection. See here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415

HTH!
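
Added example, not part of either post above: one way to separate the two cases from the question is to pair each 302013 "Built" event with a 302014 "Teardown" event on the connection ID that both messages carry. The sketch assumes raw ASA syslog text in the usual 302013/302014 layout; the sample lines, addresses, ACL name and connection IDs are constructed, and `correlate` is a hypothetical helper name.

```python
import re

# Constructed sample ASA syslog lines (addresses and connection ids are made up).
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.8/40222 (198.51.100.8/40222) to inside:10.0.0.5/22 (10.0.0.5/22)
%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.8(40222) -> inside/10.0.0.5(22) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.8/40222 to inside:10.0.0.5/22 duration 0:00:30 bytes 0 SYN Timeout
"""

# 302013: connection id, then source and destination as interface:address/port.
BUILT = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src>\S+) \(\S+\) to (?P<dst>\S+)")
# 302014: same connection id, plus duration, byte count and the teardown reason.
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for \S+ to \S+ "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?")


def correlate(log_text):
    """Return {connection_id: record}; 'state' is 'built_only' or 'torn_down'."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = {"src": m["src"], "dst": m["dst"],
                              "state": "built_only"}
            continue
        m = TEARDOWN.search(line)
        if m:
            # A teardown whose Built event fell outside the window is still kept.
            rec = conns.setdefault(m["id"], {"src": None, "dst": None})
            rec.update(state="torn_down", duration=m["duration"],
                       bytes=int(m["bytes"]),
                       reason=(m["reason"] or "").strip())
        # 106100 carries no connection id, so it is not used for pairing here.
    return conns


if __name__ == "__main__":
    for cid, rec in correlate(SAMPLE_LOGS).items():
        print(cid, rec)
```

A connection left in `built_only` has no teardown inside the log window searched, so the window has to be wide enough to cover long-lived sessions before that state is read as "still open".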