asa5520 error messages

Hi

can I get advice about error log:

%ASA-6-303014: Teardown TCP connection 100668898 for outside:999.999.999.99/47336 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5240 TCP Reset-O

%ASA-6-302014: Teardown TCP connection 47476333 for outside:999.999.999.99/47335 to inside: 888.888.888.88/1531 duration 1:00:00 bytes 5230 Failover primary closed

I have set up no timeout, and the last failover happened last year.

Any comment will be appreciated

Thanks in advance

Julxu

Accepted Solutions
Cisco Employee

Re: asa5520 error messages

The 302014 syslog messages are fairly standard when a TCP connection through the firewall is torn down.  Remember that the ASA is a stateful firewall so it keeps track of the state of every TCP connection that comes through it.  If at some point something tears that connection down then the ASA will not allow any more packets through on that connection.

All the syslog messages and their meanings are documented here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770614

As you can see, the "TCP Reset-O" meaning on the first message means that the firewall saw a RST packet come from the outside host.  At this point the firewall will remove the connection from its connection table and no further packets will pass.  Why the outside host sent a RST is something only the outside host can answer.

The "failover primary closed", assuming these came in around the same time (which they did going by the TCP port numbers), is actually from the standby firewall unit saying it has closed down the same connection due to the active unit closing it down.  You must have stateful failover enabled, so that all active connections on the active firewall are replicated over to the standby firewall.  Conversely, all connections that get torn down on the active unit (the first syslog) then get torn down on the standby unit (the second syslog).

Hope that helps.
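A small parser for the 302014 teardown lines discussed above, added here as an example (it is not from the thread or from Cisco). It extracts the connection fields, converts the duration to seconds, and tallies teardown reasons per destination so the standby unit's "Failover primary closed" mirrors can be separated from flow-level reasons such as "TCP Reset-O". The sample lines and their RFC 5737 addresses are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Layout of the ASA 302014 teardown message as quoted in the thread
# (note the optional space after the interface name, e.g. "inside: 10.0.0.1").
TEARDOWN_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

@dataclass
class Teardown:
    conn_id: int
    src: str           # "<interface>:<ip>/<port>"
    dst: str
    duration_s: int
    byte_count: int
    reason: str        # trailing free text: "TCP Reset-O", "Failover primary closed", ...

def parse_teardown(line: str) -> Optional[Teardown]:
    """Return the parsed teardown record, or None for any other syslog line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    return Teardown(
        conn_id=int(m["conn"]),
        src=f'{m["src_if"]}:{m["src_ip"]}/{m["src_port"]}',
        dst=f'{m["dst_if"]}:{m["dst_ip"]}/{m["dst_port"]}',
        duration_s=int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
        byte_count=int(m["bytes"]),
        reason=m["reason"],
    )

def teardowns_by_reason(lines: Iterable[str]) -> Counter:
    """Count (destination, reason) pairs: 'Failover primary closed' entries are the standby
    unit mirroring the active unit, while 'TCP Reset-O' describes the flow itself."""
    counts: Counter = Counter()
    for rec in map(parse_teardown, lines):
        if rec:
            counts[(rec.dst, rec.reason)] += 1
    return counts

# Constructed sample lines in the thread's format (RFC 5737 documentation addresses);
# the third line is a 302013 "Built" message and must be ignored by the parser.
SAMPLE_LOG = [
    "%ASA-6-302014: Teardown TCP connection 100668898 for outside:192.0.2.10/47336 to inside: 198.51.100.20/1531 duration 1:00:00 bytes 5240 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 47476333 for outside:192.0.2.10/47335 to inside: 198.51.100.20/1531 duration 1:00:00 bytes 5230 Failover primary closed",
    "%ASA-6-302013: Built inbound TCP connection 47476334 for outside:192.0.2.10/47337 (192.0.2.10/47337) to inside:198.51.100.20/1531 (198.51.100.20/1531)",
]
```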
