Re: [logs] regarding %PIX-6-302006:

From: Wajih-ur-Rehman (wrehmanat_private)
Date: Thu Jul 17 2003 - 23:43:15 PDT


    Dear Brian,
    
    Thanks for the explanation.
    
    I am using the documentation of PIX version 6.0 and above from this site:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800891c4.html
    
    I think, then, that even in the version 6 documentation they have not
    specified it correctly.
    
    Best Regards
    Wajih-ur-Rehman
    
    
    
    
    
    ----- Original Message ----- 
    From: "Brian Ford" <brfordat_private>
    To: "Wajih-ur-Rehman" <wrehmanat_private>
    Cc: <loganalysisat_private>
    Sent: Friday, July 18, 2003 12:40 AM
    Subject: Re: [logs] regarding %PIX-6-302006:
    
    
    > Wajih-ur-Rehman,
    >
    > What version of the PIX documentation are you looking at?  The reason I ask
    > is that this is a known bug in the PIX documentation from version 5.3.
    >
    > If you look in the documentation you may see that the text for Syslog
    > messages 302002 and 302006 have exactly the same description.
    >
    > The PIX does not compute duration or bytes for a UDP connection.  The PIX
    > builds a state table entry for UDP connections - based on SRC IP & Port;
    > DST IP and Port.   There is no concept of an individual "session" for UDP
    > connection.   The PIX just starts a timer after each packet it sees between
    > a single ip and port and another ip and port.  If multiple UDP sessions
    > were established between two peers (same IPs and port numbers) the PIX
    > cannot tell each session apart.
    >
    > Liberty for All,
    >
    > Brian
    >
    >
    > At 05:48 PM 7/16/2003 +0500, Wajih-ur-Rehman wrote:
    > >Hello all,
    > >
    > >I am trying to analyze PIX (6.1) logs. I am facing a problem regarding the
    > >following:
    > >
    > >%PIX-6-302006: Teardown UDP connection for faddr faddr/fport gaddr
    > >gaddr/gport laddr laddr/lport
    > >
    > >Explanation   This is a connection-related message. This message is logged
    > >when a UDP connection is terminated. The duration and byte count for the
    > >session are reported. If the connection required authentication, the
    > >username is also reported in the last field of the message. This message is
    > >used by the PIX Firewall Manager to generate reports.
    > >
    > >The explanation says that it logs the duration and bytes as well, but in my
    > >logs, I don't find even a single entry with duration and bytes. Any help
    > >would be greatly appreciated.
    > >
    > >Best Regards
    > >Wajih-ur-Rehman
    > >
    > >_______________________________________________
    > >LogAnalysis mailing list
    > >LogAnalysisat_private
    > >http://lists.shmoo.com/mailman/listinfo/loganalysis
    >
    
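An added example, not part of the original thread and not Cisco's code: a Python parser for the 302006 format quoted above that treats duration and bytes as optional, since the reply explains the PIX does not compute them for UDP. The syslog header, the addresses in the sample lines, and the syntax of the optional duration/bytes suffix are assumptions.

```python
import re
from collections import Counter

# Field layout taken from the message text quoted in the thread:
#   Teardown UDP connection for faddr A/p gaddr B/p laddr C/p
# The trailing "duration ... bytes ..." group is optional and its exact
# syntax is an assumption; the thread says UDP teardowns do not carry it.
TEARDOWN_UDP = re.compile(
    r"%PIX-6-302006: Teardown UDP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
    r"(?: duration (?P<duration>\S+) bytes (?P<bytes>\d+))?"
)

def parse_teardown_udp(line):
    """Return a dict of fields, or None if the line is not a 302006 record."""
    m = TEARDOWN_UDP.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("fport", "gport", "lport"):
        rec[k] = int(rec[k])
    # Absent counters stay None rather than 0, so reports do not show
    # "zero bytes" for flows whose size was simply never measured.
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] is not None else None
    return rec

def flow_key(rec):
    """Address/port tuple; separate UDP 'sessions' on it are indistinguishable."""
    return (rec["faddr"], rec["fport"], rec["laddr"], rec["lport"])

def teardowns_per_flow(lines):
    """Count teardown records per address/port tuple."""
    counts = Counter()
    for line in lines:
        rec = parse_teardown_udp(line)
        if rec is not None:
            counts[flow_key(rec)] += 1
    return counts

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "Jul 16 17:40:01 fw %PIX-6-302006: Teardown UDP connection for faddr 192.0.2.53/53 gaddr 198.51.100.10/1029 laddr 10.0.0.10/1029",
    "Jul 16 17:44:09 fw %PIX-6-302006: Teardown UDP connection for faddr 192.0.2.53/53 gaddr 198.51.100.10/1029 laddr 10.0.0.10/1029",
    "Jul 16 17:45:30 fw %PIX-6-302006: Teardown UDP connection for faddr 192.0.2.123/123 gaddr 198.51.100.11/123 laddr 10.0.0.11/123",
    "Jul 16 17:46:00 fw constructed line that is not a teardown record",
]
```

Two teardown records for the same tuple, as in the first two sample lines, mean only that the idle timer expired twice; they cannot be mapped to two distinct application sessions.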
    



    This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 12:41:40 PDT