
ASA Code 302013 - Why are the outbound src ip/dst ip swapped?

Jado95
New Member

Hello everyone,

I have found posts over the last 10 years with a specific error/bug(?). The src and dest IP addresses are swapped for the Cisco ASA event with ID 302013.

If you look in the app, it even points out that these two fields are knowingly swapped. However, for the following TearDown event of the same connection, the IPs are not swapped.

I am trying to figure out why this is the case. Since postings about this topic have been around for 10 years now and the app says: "# direction is outbound - source and destination fields are swapped" ... it can't be an error. But I can't explain it.

Can anyone comment on this?

Example:
<166>Dec 23 2024 10:36:04: %ASA-6-302013: Built outbound TCP connection 224811914 for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 (172.27.252.1/8200) to fwr_sample_172.20.25.0/26:172.27.13.131/62388 (172.27.13.131/62388)

Result: src=172.27.13.131 || dest=172.27.252.1

<166>Dec 23 2024 10:36:04: %ASA-6-302014: Teardown TCP connection 224811914 for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 to fwr_sample_172.20.25.0/26:172.27.13.131/62388 duration 0:00:00 bytes 0 TCP FINs from fwr_sample_172.20.25.0/26

Result: src=172.27.252.1 || dest=172.27.13.131

Thanks and best regards
Jan


tscroggins
Influencer

Hi @Jado95,

Is your question specific to the Splunk Add-on for Cisco ASA or to Cisco ASA itself? The message format is defined by Cisco ASA, and the add-on implementation should agree with the Cisco ASA documentation at https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-302003-to-342008....:

302013

...

If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

...

302015

...

If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.

The corresponding teardown events, 302014 and 302106, do not specify a direction, so without prior knowledge, the field extraction can't know which address is the initiator.

If needed, you can correlate the events by the session_id field.

This example is slow and ugly; it's only meant to demonstrate the correlation:

| eventstats values(direction) as direction by session_id
| eval src_ip_tmp=src_ip, dest_ip_tmp=dest_ip, src_ip=if(lower(vendor_action)=="teardown" && lower(direction)=="outbound", dest_ip_tmp, src_ip_tmp), dest_ip=if(lower(vendor_action)=="teardown" && lower(direction)=="outbound", src_ip_tmp, dest_ip_tmp)
| fields - src_ip_tmp dest_ip_tmp

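The session_id correlation described in the answer above, as an added Python example that is neither the thread's code nor the add-on's own extractions: it parses the two events quoted in the question (plus one constructed teardown with no matching Built event), records each session's direction from its Built message, and swaps the endpoints of the outbound session's teardown so both events report the same initiator. The regexes, field names and the rule "for outbound, the `to` side is the initiator" (which the add-on's swap and the ephemeral port 62388 in the sample both point to) are assumptions made here.

```python
import re
# Constructed input: the two events quoted in the question, plus a third
# teardown (session 999999999, made up here) that has no matching Built event.
SAMPLE_EVENTS = [
    "<166>Dec 23 2024 10:36:04: %ASA-6-302013: Built outbound TCP connection 224811914 "
    "for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 (172.27.252.1/8200) "
    "to fwr_sample_172.20.25.0/26:172.27.13.131/62388 (172.27.13.131/62388)",
    "<166>Dec 23 2024 10:36:04: %ASA-6-302014: Teardown TCP connection 224811914 "
    "for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 "
    "to fwr_sample_172.20.25.0/26:172.27.13.131/62388 duration 0:00:00 bytes 0 "
    "TCP FINs from fwr_sample_172.20.25.0/26",
    "<166>Dec 23 2024 10:36:05: %ASA-6-302014: Teardown TCP connection 999999999 "
    "for dmz-sample-uidoc_172.27.252.0/27_604:10.0.0.1/443 "
    "to fwr_sample_172.20.25.0/26:10.0.0.2/50000 duration 0:00:01 bytes 10 TCP FINs",
]

# Shared tail of both message bodies (assumed regexes); only the Built form adds
# a direction and the "(mapped)" addresses.
ENDPOINTS = (r"for [^:]+:(?P<first_ip>[\d.]+)/(?P<first_port>\d+)(?: \([^)]*\))? "
             r"to [^:]+:(?P<second_ip>[\d.]+)/(?P<second_port>\d+)")
BUILT_RE = re.compile(r"Built (?P<direction>inbound|outbound) (?:TCP|UDP) connection "
                      r"(?P<session_id>\d+) " + ENDPOINTS)
TEARDOWN_RE = re.compile(r"Teardown (?:TCP|UDP) connection (?P<session_id>\d+) " + ENDPOINTS)

def normalize(events):
    """One dict per Built/Teardown event, initiator in src_*, responder in dest_*.
    Pass 1 records each session's direction from its Built event (the eventstats step
    of the SPL above); pass 2 swaps the endpoints of every outbound session, teardown
    included. A teardown whose Built event was never seen keeps the on-the-wire
    order and is flagged direction=None so the ambiguity stays visible."""
    direction_by_session = {}
    for line in events:
        m = BUILT_RE.search(line)
        if m:
            direction_by_session[m["session_id"]] = m["direction"]
    normalized = []
    for line in events:
        m, action = BUILT_RE.search(line), "built"
        if m is None:
            m, action = TEARDOWN_RE.search(line), "teardown"
        if m is None:
            continue  # not a connection Built/Teardown event
        direction = direction_by_session.get(m["session_id"])
        first = (m["first_ip"], int(m["first_port"]))
        second = (m["second_ip"], int(m["second_port"]))
        src, dest = (second, first) if direction == "outbound" else (first, second)
        normalized.append({"session_id": m["session_id"], "vendor_action": action,
                           "direction": direction, "src_ip": src[0], "src_port": src[1],
                           "dest_ip": dest[0], "dest_port": dest[1]})
    return normalized
```

Unlike the single-pass SPL, this needs the Built event to arrive before (or with) its teardown in the same batch; a teardown seen alone is left in wire order and marked direction=None.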

Jado95
New Member

Thank you for the advice. We will prove it with the customer as soon as I can and will respond.
