ASA dropped package

Apr 12th, 2010


We are running an ASA firewall system and getting

Teardown TCP connection 56410XXX for outside:XX.XX.XX.XX/1521 to  inside_demo003:XX.XX.XX.XX/1199 duration 0:00:00 bytes 3334 Flow closed by  inspection

Can anyone tell me for what kind of firewall discrepancy the "closed by inspection" message is sent by the ASA?

I checked the Cisco docs on here, but I just found some shallow info on this.

Maybe there is a larger style error table somewhere that I did not find yet.

It would also be great if someone could point me toward the valid reasons for which a packet can be dropped in the above case (packet inspection). Maybe there is a matrix for it.

Thx in advance

Federico Coto F... Mon, 04/12/2010 - 07:49


This is a TCP connection being closed by the inspection on the ASA.

The ASA by default has a default inspection policy that you can check in your configuration, and it's applied globally.

sh run class-map

sh run policy-map

sh run service-policy

Is this connection for a particular TCP protocol?


Panos Kampanakis Mon, 04/12/2010 - 11:23

TCP port 1521 is protocol sqlnet. Probably sqlnet inspection is closing that connection.

You would need to check the "sh policy-map" as suggested.

If you have a sqlnet problem, check the ASA version; earlier 8.0 versions had a couple of defects with sqlnet inspection.

I hope it helps.
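
To confirm which inspection engine is behind these teardowns, as the replies above suggest for port 1521/sqlnet, the teardown messages can be tallied by reason and service port. This is an added example, not part of the original thread and not Cisco tooling; the port-to-engine table (apart from 1521/sqlnet) and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Layout follows the Teardown line quoted in the question; the syslog prefix is
# optional and the reason is whatever follows the byte count.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\S+) for "
    r"(?P<if_a>[^:\s]+):(?P<ip_a>[^/\s]+)/(?P<port_a>\d+) to\s+"
    r"(?P<if_b>[^:\s]+):(?P<ip_b>[^/\s]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

# Assumption: inspection engines on their usual default ports. Only 1521/sqlnet
# comes from the thread; confirm the rest against "sh run policy-map".
INSPECT_PORTS = {21: "ftp", 554: "rtsp", 1521: "sqlnet", 2000: "skinny", 5060: "sip"}

def parse_teardown(line):
    m = TEARDOWN.search(line)
    if not m:
        return None  # not a TCP teardown message
    rec = m.groupdict()
    for key in ("port_a", "port_b", "bytes"):
        rec[key] = int(rec[key])
    # Collapse runs of spaces, e.g. "Flow closed by  inspection" in the quoted line.
    rec["reason"] = " ".join(rec["reason"].split())
    return rec

def inspection_closures(lines):
    """Count 'Flow closed by inspection' teardowns per suspected inspection engine."""
    hits = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec is None or rec["reason"].lower() != "flow closed by inspection":
            continue
        engines = {INSPECT_PORTS[p] for p in (rec["port_a"], rec["port_b"]) if p in INSPECT_PORTS}
        hits[", ".join(sorted(engines)) or "unknown"] += 1
    return hits

# Constructed sample log lines (documentation address ranges, made-up connection ids).
SAMPLE = [
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/1521 to inside:198.51.100.5/1199 duration 0:00:00 bytes 3334 Flow closed by inspection",
    "%ASA-6-302014: Teardown TCP connection 1002 for outside:192.0.2.10/1521 to inside:198.51.100.5/1200 duration 0:00:01 bytes 512 Flow closed by inspection",
    "%ASA-6-302014: Teardown TCP connection 1003 for outside:192.0.2.20/443 to inside:198.51.100.6/50311 duration 0:01:12 bytes 90211 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 1004 for outside:192.0.2.30/21 to inside:198.51.100.7/40000 duration 0:00:02 bytes 120 Flow closed by inspection",
    "%ASA-6-302013: Built inbound TCP connection 1005 for outside:192.0.2.40/40112 (192.0.2.40/40112) to inside:198.51.100.8/1521 (198.51.100.8/1521)",
]

if __name__ == "__main__":
    print(dict(inspection_closures(SAMPLE)))
```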


cisco.xenpak1 Tue, 04/13/2010 - 04:03


how to find the

        ^^^^ number behind a version ?

When I go to the software download page of Cisco, I just get offered 8.0.4 ED without any of the .43 number shown.

How do I find out what release Cisco lets you download under 8.0.4 ED?


Kureli Sankar Tue, 04/13/2010 - 04:11

8.0.4 interim is at asa804-48-k8.bin.

You need to open a TAC case and have the engineer publish the code for you.


