When the PIX Firewall terminates any TCP connection, it generates a log message (which can be collected using a syslog server) that states the reason for the termination. For example, if a TCP connection has been established between two hosts across the PIX, a TCP RESET-I in the log message means that the server on the inside sent a reset to the PIX (which instructs the PIX to drop the connection). The PIX then drops the connection and logs a RESET-I.
If the log message contains a TCP RESET-O, it indicates that the server on the outside reset the connection.
Note: TCP resets do not originate from the PIX, but from the server on either the outside or the inside (depending on which side sent the reset).
For detailed information on the various causes of TCP termination, refer to this chart of teardown reasons:
- TCP reset was from the inside (logged as TCP RESET-I)
- TCP reset was from the outside (logged as TCP RESET-O)
- Normal shutdown sequence
- Forced termination after 15 seconds awaiting the last ACK
- Forced termination after two minutes awaiting three-way handshake completion
- Terminated by application inspection
- Back channel initiation from the wrong side
- Denied by URL filter
- Connection was torn down because it was idle longer than the configured idle timeout
The show conn detail command provides information about the status of TCP connections through the PIX. For information on log messages, refer to the Error and System Messages guide for the code that the PIX is currently running. Issue the show version command to obtain the current version of software on the PIX.
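To show how the teardown reasons above are used in practice, here is an added example (not part of the original document or any Cisco tool) that parses PIX "Teardown TCP connection" syslog lines collected on a syslog server and tallies them by reason. The line format matched by the regular expression, the message identifiers 302013/302014, the reason string "TCP FINs" in the sample, and all addresses and connection numbers are assumptions constructed for this example; only the RESET-I and RESET-O meanings come from the text above.

```python
import re
from collections import Counter

# Assumed layout of a PIX "Teardown TCP connection" syslog line (message id 302014).
# The field order is an assumption made for this example, not taken from the page.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Teardown reasons the page explains; other reasons are passed through verbatim.
REASON_MEANING = {
    "tcp reset-i": "reset sent by the inside host",
    "tcp reset-o": "reset sent by the outside host",
}


def parse_teardown(line):
    """Return the fields of a teardown line as a dict, or None for other messages."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"].strip()
    rec["meaning"] = REASON_MEANING.get(rec["reason"].lower(), "see teardown chart")
    return rec


def summarize(lines):
    """Count teardown messages per reason string; non-teardown lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec:
            counts[rec["reason"]] += 1
    return counts


# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "%PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/443 "
    "to inside:192.0.2.10/51022 duration 0:00:12 bytes 8421 TCP Reset-I",
    "%PIX-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/80 "
    "to inside:192.0.2.11/51023 duration 0:00:03 bytes 512 TCP Reset-O",
    "%PIX-6-302014: Teardown TCP connection 1003 for outside:203.0.113.9/80 "
    "to inside:192.0.2.12/51024 duration 0:01:40 bytes 2048 TCP FINs",
    "%PIX-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.5/3389 "
    "to inside:192.0.2.13/3389",
]

if __name__ == "__main__":
    for reason, n in summarize(SAMPLE_LOG).items():
        print(f"{n:4d}  {reason}")
    for line in SAMPLE_LOG:
        rec = parse_teardown(line)
        if rec:
            print(rec["src"], "->", rec["dst"], ":", rec["reason"], "(", rec["meaning"], ")")
```

A sudden rise in RESET-I counts for one inside server, or in RESET-O counts for one outside peer, points at the host that is actively refusing connections rather than at the PIX itself, which is the distinction the note above makes.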