Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
629
Views
0
Helpful
3
Replies

ASA log message format

Go to solution
APatotski
Level 1
Level 1

‎07-09-2009 10:08 AM - edited ‎03-11-2019 08:53 AM

My ASA5540 sends syslog message to ASDM console in the following format:

6 Jul 09 2009 302013 20:54:13 81 10.48.17.16 10.11.16.2 59279 Built outbound TCP connection 9660652 for Outside:10.11.16.2/81 (10.11.16.2/81) to Inside:10.48.17.16/59279 (10.48.17.16/59279)

The connection is initiated from the inside host 10.48.17.16 to outside host 10.11.16.2. But the ip address 10.11.16.2 is in the source ip address column and 10.48.17.16 is in the destination ip address column.

Is it bug or feature?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
robertson.michael
Level 3
Level 3
In response to APatotski

‎07-09-2009 10:58 AM

Hi Aliaksandr,

I agree the format is a little counter intuitive. These syslog messages always list the lower security interface first (outside in your case), followed by the higher security interface (inside in your case). This is always the case, regardless of the direction of the connection.

The inbound/outbound keyword is actually what denotes the direction of the connection, not the addresses themselves. So, since your message says "Built outbound", you know that the connection originated from the inside. If the message says "Built inbound", you know that the connection originated from the outside.

Hope that helps.

-Mike

View solution in original post

0 Helpful
3 Replies 3

Go to solution
APatotski
Level 1
Level 1

‎07-09-2009 10:28 AM

I have added the Screenshot.

Preview file
452 KB
0 Helpful

Go to solution
robertson.michael
Level 3
Level 3
In response to APatotski

‎07-09-2009 10:58 AM

Hi Aliaksandr,

I agree the format is a little counter intuitive. These syslog messages always list the lower security interface first (outside in your case), followed by the higher security interface (inside in your case). This is always the case, regardless of the direction of the connection.

The inbound/outbound keyword is actually what denotes the direction of the connection, not the addresses themselves. So, since your message says "Built outbound", you know that the connection originated from the inside. If the message says "Built inbound", you know that the connection originated from the outside.

Hope that helps.

-Mike

0 Helpful

Go to solution
APatotski
Level 1
Level 1
In response to robertson.michael

‎07-09-2009 11:08 AM

Hi Michael,

Thank you for reply.

Best Regards.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card