Wajih-ur-Rehman, What version of the PIX documentation are you looking at? The reason I ask is that this is a known bug in the PIX documentation from version 5.3. If you look in the documentation you may see that the text for Syslog messages 302002 and 302006 have exactly the same description. The PIX does not compute duration or bytes for a UDP connection. The PIX builds a state table entry for UDP connections - based on SRC IP & Port; DST IP and Port. There is no concept of an individual "session" for UDP connection. The PIX just starts a timer after each packet it sees between a single ip and port and another ip and port. If multiple UDP sessions were established between two peers (same IPs and port numbers) the PIX cannot tell each session apart. Liberty for All, Brian At 05:48 PM 7/16/2003 +0500, Wajih-ur-Rehman wrote: >Hello all, > >I am trying to analyze PIX (6.1) logs. I am facing a problem regarding the >following: > >%PIX-6-302006: Teardown UDP connection for faddr faddr/fport gaddr >gaddr/gport laddr laddr/lport > >Explanation This is a connection-related message. This message is logged >when a UDP connection is terminated. The duration and byte count for the >session are reported. If the connection required authentication, the >username is also reported in the last field of the message. This message is >used by the PIX Firewall Manager to generate reports. > >The explanation says, that it logs the duration and bytes as well but in my >logs, i dont find even a single entry with duration and bytes. Any help >would be greatly appreciated. > >Best Regards >Wajih-ur-Rehman > >_______________________________________________ >LogAnalysis mailing list >LogAnalysisat_private >http://lists.shmoo.com/mailman/listinfo/loganalysis _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 12:39:30 PDT