Logging half-open connections to blocked Windows ports


Usually when we have a problem with a VPN user attempting to connect to an inside service, we turn to our ASA syslogs to determine where the connection is being prohibited (or other errors such as the user trying to connect to the wrong machine). This works fine for normally configured (UNIX) servers which send an ICMP reject message. Recently we had to diagnose problems connecting to an inside Windows device, and although the VPN client had attempted to connect, no log message was produced because the connection never got a TCP RST nor ICMP reject.

From what I can suss out from MSDN, turning off "stealth mode" on Windows boxes to return those boxes to sane ICMP reject behavior is either not completely supported, or at the very least misguidedly discouraged by Microsoft, and so I might not be able to convince various Windows administrators to alter this policy.

Is there a way to get log messages bearing the IP tuples for TCP and/or UDP incomplete connections where the ASA sees only packets destined for an inside host?

This would be for a small number (<50) of VPN remote clients, so we are not very worried about a DDOS saturating the logs -- these packets are not attacks, just mistakes.

We would need this to happen even for single packets, and without actually dropping traffic from the initiator, so threat-detection probably won't do the trick here, unless it can be made to audit-only on single packets.

VPN is all this ASA device is doing, so it can likely afford the CPU for configurations normally deemed too CPU intense.

Wouldn't you be essentially looking for connection "Teardown" messages with reason SYN Timeout? As this should be the result if either the ASA doesn't see the return SYN ACK or the last ACK from the connection initiator? This would usually be generated after 20-30 seconds if the connection doesn't form.

I am not really sure about the UDP. Rarely have to troubleshoot UDP connections. The very rare cases usually relate to Video/Voice and in there I usually see ICMP messages returned for a port that the destination device is not listening on. And while troubleshooting these I tend to take captures on the actual ASA.

I think the Teardown Syslog ID for TCP connections is ASA-6-302013

This is usually the first Syslog ID I look for from the server when someone reports a problem with connectivity.

By default it's an Informational level log message, or naturally it can be changed to something else if your logging is for example set to Notifications.

Here's the link to the Cisco document about this log message

- Jouni
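As an added example (not part of the original thread), the approach Jouni describes above, applied to syslog export: pick out the ASA "Teardown TCP connection" messages whose reason is "SYN Timeout" and report the inside host/port each VPN client failed to reach. The log lines are constructed samples in the layout of the Teardown TCP message; the parser matches on the message text and reason rather than on the numeric message ID, so it works regardless of which ID the device prints.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not a real capture). Only the lines that end
# in "SYN Timeout" are half-open flows: the ASA saw the SYN to the inside host
# but never a SYN/ACK, which is exactly the silent-Windows case in the question.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 41 for outside:203.0.113.5/51020 (203.0.113.5/51020) to inside:10.0.0.8/445 (10.0.0.8/445)
%ASA-6-302014: Teardown TCP connection 41 for outside:203.0.113.5/51020 to inside:10.0.0.8/445 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 42 for outside:203.0.113.5/51021 to inside:10.0.0.9/22 duration 0:02:11 bytes 9120 TCP FINs
%ASA-6-302014: Teardown TCP connection 43 for outside:203.0.113.7/40100 to inside:10.0.0.8/3389 duration 0:00:30 bytes 0 SYN Timeout
"""

# Field layout of the Teardown TCP message: interface:ip/port pairs, duration,
# byte count and an optional trailing reason string.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\S+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\S+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


@dataclass(frozen=True)
class HalfOpen:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    duration: str


def half_open_connections(log_text):
    """Return the TCP flows the ASA tore down because the SYN was never answered."""
    found = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m or m.group("reason") != "SYN Timeout":
            continue
        found.append(HalfOpen(m["src_ip"], int(m["src_port"]),
                              m["dst_ip"], int(m["dst_port"]), m["duration"]))
    return found


def summarize_by_target(flows):
    """Count SYN-timeout flows per inside host/port: the view an admin wants
    when a VPN user reports that 'nothing happens' on connect."""
    counts = {}
    for f in flows:
        counts[(f.dst_ip, f.dst_port)] = counts.get((f.dst_ip, f.dst_port), 0) + 1
    return counts
```

Note that a flow only shows up here once the ASA's SYN timeout has expired (the 20-30 seconds Jouni mentions), so the entry lags the user's attempt by that much.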



For live troubleshooting the following command is useful:

show conn detail long

Silent servers are marked with SAa flags.

