asa5520 error messages

Answered Question
Jun 22nd, 2010

Hi


Can I get advice about this error log:

%ASA-6-303014: Teardown TCP connection 100668898 for outside:999.999.999.99/47336 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5240 TCP Reset-O

%ASA-6-302014: Teardown TCP connection 47476333 for outside:999.999.999.99/47335 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5230 Failover primary closed


I have set up no timeout, and the last failover happened last year.


Any comment will be appreciated


Thanks in advance


Julxu

Correct Answer by gfullage about 6 years 9 months ago

The 302014 syslog messages are fairly standard when a TCP connection through the firewall is torn down.  Remember that the ASA is a stateful firewall so it keeps track of the state of every TCP connection that comes through it.  If at some point something tears that connection down then the ASA will not allow any more packets through on that connection.


All the syslog messages and their meanings are documented here:


http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770614


As you can see, the "TCP Reset-O" meaning on the first message means that the firewall saw a RST packet come from the outside host.  At this point the firewall will remove the connection from its connection table and no further packets will pass.  Why the outside host sent a RST is something only the outside host can answer.


The "failover primary closed" message, assuming these came in around the same time (which they did going by the TCP port numbers), is actually from the standby firewall unit saying it has closed down the same connection due to the active unit closing it down.  You must have stateful failover enabled, so that all active connections on the active firewall are replicated over to the standby firewall.  Conversely, all connections that get torn down on the active unit (the first syslog) then get torn down on the standby unit (the second syslog).


Hope that helps.
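The teardown messages discussed above, parsed and correlated as an added example (not code from this thread or from Cisco): it pulls the fields out of each 302014 line and, per flow, reports the active unit's teardown reason and whether a standby "Failover ... closed" echo for the same flow followed. The sample log lines are constructed with RFC 5737 test addresses, and the regex assumes the plain real-address form of 302014 without the optional mapped-address or user fields.

```python
import re
from collections import defaultdict

# Core form of the 302014 teardown line as posted in the thread; the optional
# mapped-address and user fields of the full ASA format are not handled
# (assumption). \s* tolerates the space after "inside:" seen in the post.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[\w-]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[\w-]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

def parse_teardown(line):
    """Fields of one 302014 line as a dict, or None for any other message."""
    m = TEARDOWN_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    rec["reason"] = (rec["reason"] or "").strip()
    return rec

def pair_failover_teardowns(lines):
    """Per 4-tuple: the active unit's teardown reason and whether the standby
    unit echoed it with a 'Failover ... closed' teardown of the same flow."""
    by_flow = defaultdict(list)
    for line in lines:
        rec = parse_teardown(line)
        if rec:
            flow = (rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"])
            by_flow[flow].append(rec["reason"])
    summary = {}
    for flow, reasons in by_flow.items():
        active = [r for r in reasons if not r.startswith("Failover")]
        summary[flow] = {
            "active_reason": active[0] if active else None,
            "standby_echo": any(r.startswith("Failover") for r in reasons),
        }
    return summary

# Constructed sample lines (not from the thread), using RFC 5737 test addresses.
SAMPLE_LOG = """
%ASA-6-302013: Built inbound TCP connection 100668898 for outside:203.0.113.10/47336 (203.0.113.10/47336) to inside:192.0.2.20/1531 (192.0.2.20/1531)
%ASA-6-302014: Teardown TCP connection 100668898 for outside:203.0.113.10/47336 to inside: 192.0.2.20/1531 duration 1:00:00 bytes 5240 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 100668898 for outside:203.0.113.10/47336 to inside: 192.0.2.20/1531 duration 1:00:00 bytes 5240 Failover primary closed
%ASA-6-302014: Teardown TCP connection 100668901 for outside:203.0.113.11/50123 to inside:192.0.2.20/443 duration 0:00:12 bytes 812 TCP FINs
""".strip().splitlines()
```

Calling `pair_failover_teardowns(SAMPLE_LOG)` flags the first flow as torn down by an outside RST and echoed by the standby, and the second as a normal FIN close with no echo.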
