golowai

Please HELP...ASA reset????

Our log has captured this and I have no idea what this means...PLEASE HELP

TCP Reset-O: This reason is given for closing an inbound flow (from a high-security interface to low-security interface) when a TCP reset is received on the flow.

Can someone please tell me what this means???

MikeKane

It's a teardown message for the TCP session.

Have a look here at this forum post for a good explanation of the message.
http://www.firewall.cx/ftopicp-10387.html

golowai

ASKER

Hi MikeKane, that link you provided doesn't work, but from reading on other sites this is a normal activity.

MikeKane

Link worked for me... just checked again.

But this is a normal activity. It's one of the methods of teardown.

golowai

ASKER

Here's part of the log but it does show me that it was a hard reset. Is it safe to say that this is a power supply issue? Cuz we have already moved the power plug from the power strip to an open wall jack.

1/6/2010 9:50:46 AM      10.66.66.99         <166> Jan 06 09:50:46 10.66.66.99 an 06 2010 10:50:46 single_vf : %ASA-6-302014: Teardown TCP connection 364428 for outside:x.x.x./80 to inside:10.66.66.111/41638 duration 0:09:15 bytes 139105 TCP Reset-O

1/6/2010 9:52:38 AM      10.66.66.99         <166> Jan 06 09:52:38 10.66.66.99 an 06 2010 10:52:30 single_vf : %ASA-6-305011: Built static TCP translation from inside:10.66.66.20/3389 to outside:x.x.x.x/65222


ASKER CERTIFIED SOLUTION
MikeKane
This solution is only available to members.

golowai

ASKER

"The cause of the reset could be the remote application" Can you elaborate on this?

"a reset packet from a network device..."

Currently we have the following logging enabled:
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging device-id context-name
logging host inside 10.60.60.111
logging permit-hostdown

Is this sufficient enough to capture what we need?

MikeKane

Again, the firewall doesn't know anything other than that it received a Reset packet. It won't give you any info on what caused it or why it was sent. If you are looking for a reason that the packet was sent, then you are looking in the wrong place.

The Reset packet is a signal to end the session. The application at the far end may have sent it, a network device in between may be the cause; there's no way of knowing just from looking at the firewall log.

golowai
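
Following the answer above, an added example (not part of the original thread): since the ASA only records that a reset ended the flow, grouping the `%ASA-6-302014` teardowns by outside endpoint shows whether resets cluster on one remote server, which indicates where a packet capture is worth taking. The sample lines are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# %ASA-6-302014 teardown record; the reason is the free text after the byte count.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<if_a>[^:\s]+):(?P<addr_a>[^/\s]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[^:\s]+):(?P<addr_b>[^/\s]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) "
    r"bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

def parse_teardown(line):
    """Return the fields of one 302014 message, or None for any other line."""
    m = TEARDOWN.search(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "conn": int(d["conn"]),
        "a": (d["if_a"], d["addr_a"], int(d["port_a"])),
        "b": (d["if_b"], d["addr_b"], int(d["port_b"])),
        "seconds": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
        "bytes": int(d["bytes"]),
        "reason": d["reason"].strip() or "unknown",
    }

def resets_by_endpoint(lines, iface="outside"):
    """Count reset teardowns per address:port seen on the named interface."""
    counts = Counter()
    for rec in filter(None, map(parse_teardown, lines)):
        if "Reset" in rec["reason"]:
            for name, addr, port in (rec["a"], rec["b"]):
                if name == iface:
                    counts[f"{addr}:{port}"] += 1
    return counts

PREFIX = "Jan 06 2010 10:50:46 single_vf : %ASA-6-"
SAMPLE = [  # constructed log lines, documentation-range addresses
    PREFIX + "302014: Teardown TCP connection 364428 for outside:203.0.113.10/80 to inside:10.66.66.111/41638 duration 0:09:15 bytes 139105 TCP Reset-O",
    PREFIX + "302014: Teardown TCP connection 364431 for outside:203.0.113.10/80 to inside:10.66.66.111/41702 duration 0:00:02 bytes 512 TCP Reset-O",
    PREFIX + "302014: Teardown TCP connection 364440 for outside:198.51.100.7/443 to inside:10.66.66.20/50123 duration 0:01:10 bytes 9000 TCP FINs",
    PREFIX + "305011: Built static TCP translation from inside:10.66.66.20/3389 to outside:203.0.113.1/65222",
]

if __name__ == "__main__":
    for endpoint, n in resets_by_endpoint(SAMPLE).most_common():
        print(f"{n} reset teardown(s) involving {endpoint}")
```

A count concentrated on one remote address and port narrows the search to that server or the path to it; it does not identify which device generated the reset.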

ASKER

Thanks MikeKane...your patience and knowledge are most appreciated! One last question...where else in the firewall should I look? I've been scratching my head for the last month trying to figure this out!

MikeKane

There's nothing in the firewall you need to look at. The firewall config will not be the cause of the remote device sending the reset packet, nor will you find anything in the config that would cause that either.

golowai

ASKER

Understand...I guess I won't know if this is a hardware issue until I replace it with another unit. I'm going to close this since there's nothing more we can do. Thanks MikeKane!