ASA logs

suthomas1 · ‎05-24-2009

I am seeing following messages on my firewall.

Built inbound TCP connection 12379739847739399852 for FVLAN:192.168.2.1/1618 (192.168.2.1/1618) to SQLSrvr:10.85.65.2/80 (10.85.65.2/80)

Teardown TCP connection 12379739847739399843 for FVLAN:192.168.2.1/1614 to SQLSrvr:10.85.65.2/80 duration 0:00:00 bytes 5113 TCP FINs

Teardown TCP connection 12379739847739399848 for FVLAN:192.168.2.1/1617 to SQLSrvr:10.85.65.2/80 duration 0:00:00 bytes 3797 TCP Reset-O

Teardown TCP connection 12379739847739399845 for FVLAN:192.168.2.1/1616 to SQLSrvr:10.85.65.2/80 duration 0:00:00 bytes 3797 TCP Reset-O

Please help to understand these & how to relate these with issues?

Thanks.

awesthuis · ‎05-25-2009

The first one is simply showing that a connection was (tried) to be build between the source (192.168.2.1) and the server (10.85.65.2) on port 80 (http).

The second one is a little 'odd' for me. Since that more or less says that a connection was there, and was properly finished (TCP FINs), but with a duration of 0:00, so it immediately closed the connection.

The last two give actually an indication that there is apparently nothing running on port 80 on your server (10.85.65.2) - the TCP Reset-O's. I would start looking at the server and check if the webservice is running.

Kureli Sankar · ‎05-25-2009

When looking at logs pls. make sure to look at the builds and teardown for the same connection. For example look for either this 12379739847739399852 or grep for the source port /1618

Since we don't see logs (built and teardown) for a single conn, just looking at the Reset-O, that means the reset has come from the lower security interface.

Pls. check if there could be a websense, surf control or similar content scanner in the lower security interface that would be monitoring this host's 192.168.2.1 traffic .