Cisco Firewall :: Asa5510 Idle TCP Connection Timeout With Flags

May 14, 2012

I have ASA 5510s with 8.2.4 and 8.0.x OS and all seem to have a common problem of idle TCP connections not timing out. The host-to-host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts as well as host-specific timeouts using MPF but it doesn't work at all! The problem is that TCP connections sit idle in the conn table for days, and when the connection limit of 50,000 conns is reached the firewall starts behaving unpredictably, dropping packets or becoming unresponsive! I need the unused idle connections to time out, which is NOT happening either by changing global values or MPF.

View 1 Replies



Cisco Firewall :: Tcp Flags And Timeout On ASA55XX 8.4(3)

Oct 18, 2012

I would like to understand something about the behaviour of the ASA with our traffic scenario and the management of TCP sessions.
 
1) In particular we noticed that we have connections with the FIN flag without any acknowledgement. The session is silent (the byte counters aren't incremented) but it remains in the session table as an established connection with the idle timeout of an established conn.
 
We have about 20% (60K of 300K total) of conns in this state: to our eyes it seems to be incorrect behaviour...
 
TCP OUTSIDE 62.149.128.151:110 INSIDE 10.254.158.12:61527, idle 0:11:36, bytes 433, flags UFIO
TCP OUTSIDE 17.151.0.200:443 INSIDE 10.254.229.94:52367, idle 0:01:25, bytes 4597, flags UfIO
TCP OUTSIDE 184.169.79.33:443 INSIDE 10.255.249.146:60143, idle 0:10:39, bytes 5590, flags UFIO
TCP OUTSIDE 157.55.235.158:80 INSIDE 10.170.37.102:62421, idle 0:00:53, bytes 1770, flags UfIO
 
2) On the connections considered half-closed, where we have received an ack to the FIN (r or R flag is present), we would like to set the idle timeout to a value lower than 5 minutes, but we were not able to achieve that result.
 
timeout pat-xlate 0:00:30
timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
!
access-list timeoutClass extended permit tcp any any eq www
access-list timeoutClass extended permit tcp any any eq 8080
class-map timeoutClass
match access-list timeoutClass
class timeoutClass
 
3) And this type of conn with a FIN on both sides that I'm not able to understand... with an ack on one side how can I have the other FIN??
 
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51236, idle 0:11:28, bytes 10536, flags UfFIO
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51234, idle 0:12:22, bytes 9070, flags UfFIO
TCP OUTSIDE 88.40.119.73:36962 INSIDE 10.255.93.162:36875, idle 0:13:27, bytes 3562, flags UfFIO

View 3 Replies View Related
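The conn-table lines quoted in the post can be decoded mechanically. The script below is an added example, not the poster's code or anything shipped by Cisco; it assumes the one-line `show conn` format quoted above and the flag letter meanings documented for that command (U up, F/f outside/inside FIN, R/r acknowledged FIN, E outside back connection, I/O data seen), and the closure-state labels it prints are its own names, not ASA terminology. It parses the lines, expands the flags, counts connections per closure state, and lists those idle past a threshold, which is the audit that both this thread and the 50,000-connection complaint in the first post call for. The sample input reuses the seven lines from the post plus one constructed line (documentation address 203.0.113.10) that carries an acknowledged-FIN flag for contrast.

```python
"""Decode Cisco ASA `show conn` lines and find stale TCP connections (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flag letters relevant to TCP state, as documented for `show conn`.
FLAG_MEANINGS = {
    "U": "up (handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
    "F": "outside FIN",
    "f": "inside FIN",
    "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN",
    "E": "outside back connection",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
}

# One-line format quoted in the thread: proto, out if/addr, in if/addr, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_addr>\S+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>\S+),\s*idle\s+(?P<idle>\S+),\s*"
    r"bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)$"
)

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_idle(text: str) -> int:
    """Idle time in seconds from 'H:MM:SS' or the '1D14h' / '2m0s' style seen on newer code."""
    if ":" in text:
        h, m, s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", text.lower()))


def classify(flags: str) -> str:
    """Closure state implied by the flag letters (labels are this script's own)."""
    if not any(ch in flags for ch in "Ff"):
        return "established" if "U" in flags else "embryonic"
    if any(ch in flags for ch in "Rr"):
        return "half-closed"      # at least one FIN has been acknowledged
    return "fin-unacked"          # FIN seen, but no ACK to it recorded


@dataclass
class Conn:
    proto: str
    out_if: str
    out_addr: str
    in_if: str
    in_addr: str
    idle_s: int
    nbytes: int
    flags: str

    @property
    def state(self) -> str:
        return classify(self.flags)


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one `show conn` line; returns None for lines in another format."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    return Conn(m["proto"], m["out_if"], m["out_addr"], m["in_if"], m["in_addr"],
                parse_idle(m["idle"]), int(m["bytes"]), m["flags"])


def describe_flags(flags: str) -> List[str]:
    """Expand a flag string such as 'UfFIO' into its documented meanings."""
    return [FLAG_MEANINGS.get(ch, "unknown flag " + repr(ch)) for ch in flags]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count connections per closure state, the breakdown the thread asks about."""
    counts: Dict[str, int] = {}
    for conn in filter(None, map(parse_conn, lines)):
        counts[conn.state] = counts.get(conn.state, 0) + 1
    return counts


def stale_connections(lines: List[str], idle_threshold_s: int) -> List[Conn]:
    """Connections idle longer than the threshold, most idle first."""
    conns = [c for c in map(parse_conn, lines) if c is not None and c.idle_s > idle_threshold_s]
    return sorted(conns, key=lambda c: c.idle_s, reverse=True)


# Sample input: the seven lines quoted in the post, plus one constructed line with an 'r' flag.
SAMPLE_OUTPUT = [
    "TCP OUTSIDE 62.149.128.151:110 INSIDE 10.254.158.12:61527, idle 0:11:36, bytes 433, flags UFIO",
    "TCP OUTSIDE 17.151.0.200:443 INSIDE 10.254.229.94:52367, idle 0:01:25, bytes 4597, flags UfIO",
    "TCP OUTSIDE 184.169.79.33:443 INSIDE 10.255.249.146:60143, idle 0:10:39, bytes 5590, flags UFIO",
    "TCP OUTSIDE 157.55.235.158:80 INSIDE 10.170.37.102:62421, idle 0:00:53, bytes 1770, flags UfIO",
    "TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51236, idle 0:11:28, bytes 10536, flags UfFIO",
    "TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51234, idle 0:12:22, bytes 9070, flags UfFIO",
    "TCP OUTSIDE 88.40.119.73:36962 INSIDE 10.255.93.162:36875, idle 0:13:27, bytes 3562, flags UfFIO",
    "TCP OUTSIDE 203.0.113.10:443 INSIDE 10.0.0.5:50000, idle 0:06:10, bytes 2048, flags UfrIO",  # constructed
]

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    for conn in stale_connections(SAMPLE_OUTPUT, 600):   # anything idle over 10 minutes
        print(conn.idle_s, conn.out_addr, conn.in_addr, conn.flags, conn.state, describe_flags(conn.flags))
```

Feeding it a full `show conn` capture (one line per connection, saved from the CLI) gives the per-state breakdown the poster computed by hand, and the threshold list is a quick way to confirm whether the configured `timeout conn` / `half-closed` values are actually being applied to the connections that matter.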

Cisco Firewall :: Verify Idle-timeout On ASA 5510?

Apr 13, 2011

How do I verify on the ASA 5510 that the vpn-idle timeout is running on the default setting (30 minutes)?

View 3 Replies View Related

Cisco Firewall :: ASA 5550 Flags E Connection

May 2, 2012

I have an issue where thousands of connections on the ASA are marked with flags E; below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp the meaning of an outside back connection (i.e. flags E).
 
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828, flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0

View 0 Replies View Related

Cisco Firewall :: ASA-3-106001 - Inbound TCP Connection Denied From Flags SYN

Jun 24, 2012

I have 2 Cisco routers that reside on the same interface of a Cisco ASA. For security reasons, on both routers I have configured the default gateway to be the ASA interface, then static routes between them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface; maybe this is the issue?).
 
ASA-3-106001: Inbound TCP connection denied from flags SYN
 
There is an access list allowing traffic between them but the hit count is 0.

View 4 Replies View Related

Netgear Dgn2200 Unable To Change Idle Timeout?

Oct 30, 2012

The modem is a Netgear DGN2200.

On the modem page with all the settings, under Basic Settings, for Connection it says Always Connected. The box underneath says Idle Timeout 5 (that's in minutes).

I am unable to change that number or even get a cursor to appear in that box (I want to change it to 0; my internet connection has been dropping out when going idle). I can't right click or anything. That is using Firefox. When I say dropping out, I mean the 3 computers on the network become unusable: nothing works and things don't appear to be connected to the internet, even though my green ADSL light stays on like it's connected. It is not.

I tried the same modem page in IE, and that box with the 5 in it still shows 5, but this time it's just grayed out; again, it can't be changed. The firmware updates are all up to date (apparently, according to its check).

View 1 Replies View Related

Cisco Routers :: Rv082 Can Set Client Idle Timeout Someway

Nov 16, 2011

If I set up a PPTP VPN between a Cisco RV082 router and a Microsoft client, can I set the client idle timeout some way? Or is there a default value pre-configured for this? Because this device supports 5 users connecting at the same time. It would be best for me if the device dropped the client when it does not use the tunnel.

View 3 Replies View Related

Cisco :: WLC 5508 - Passive Client Vs User Idle Timeout?

Apr 18, 2012

I'm on a WLC 5508. It doesn't matter if the passive client feature is turned on or turned off; when you try to increase "User Idle Timeout" you can see this message:
  
In our network, a lot of clients get deauthenticated. I thought it would be useful to enable the "Passive-client" feature, or increase the "user idle timeout", but how do these work with each other?

View 15 Replies View Related

Cisco Wireless :: WLC 5508 Controller Idle Timeout Limit

Dec 20, 2011

The behavior of some mobile devices (such as iPhone, iTouch; not BlackBerry, not laptops) with the WL Controller (5508) is that, when the client doesn't use it, it disconnects after 480 sec.
 
The idle timeout configured is 900 sec.
 
Why is the behavior different for this type of device? Is increasing the idle timeout a solution?

View 2 Replies View Related

Cisco Application :: CSS 11503 Flow Idle Timeout Not Working As Expected?

Jan 20, 2012

I have a CSS 11503 with a basic content rule for TCP 10000 going to a few backend servers. I was looking into the default timeout values for flows, and when testing using telnet the flow didn't terminate as expected.
 
For example, I have no 'timeout multiplier' specified in the config, and when I look at the output of 'show flow-timeout default' it tells me the default 16 second timeout is in effect for *. With that in mind, I telnet to the content rule VIP on TCP 10000 and on the backend server using Wireshark I can see the TCP three-way handshake. With no data passing I'd expect the CSS to terminate this flow after 16 seconds... yet it takes exactly 128 seconds before Wireshark shows the RST and the flow is terminated. 128 being 8 times the default 16 second flow timeout.
 
If I try to force the connection to close early by specifying 'flow-timeout-multiplier 2' in the content rule, or even a multiplier of 40, it still waits 128 seconds to close the telnet connection.

View 1 Replies View Related

Cisco Switches :: SG300-20 - Radius Idle And Session Timeout Does Not Work

Jan 25, 2012

I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except that if I choose Radius authentication by MAC address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).
 
The setup is the following: I have a no-name access point plugged into switch port gi1. The port gi1 is set up for Radius authentication by MAC address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes; I checked by running "freeradius -X", and both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users with "show dot1x users". My mobile phone's MAC address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout do not work.
 
Another way I could resolve this problem is by explicitly asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that; I can, however, do a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as expected: the switch uses the stored MAC address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that MAC address makes some network traffic, reauthenticate as if it were a completely new connection. BTW: it would also work for me if I could just remove an authenticated user from a port, but I did not find a command to do that.
 
As a last resort I can simply shut down the port and bring it up again ("shutdown" and "no shutdown" in the interface config); then all users are removed from the port and they all must reauthenticate. But it causes a network outage of a couple of seconds for all users on that port; on a busy access point it is quite disturbing, and it is not an elegant way to do this.
 
So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?
 
I enclose the relevant part of the running config.

interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit

[code]....

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Flags SYN ACK On Interface Dmz1

Jul 12, 2012

I know this issue has probably been beaten to death, but I have yet to find the answer to my situation. We recently upgraded from a PIX 515E to an ASA 5520. Shortly after the install I noticed a problem with the servers on our DMZ. This problem was NOT present with our old 515E. The problem is that there seems to be a communication problem between servers on the DMZ; specifically, when I try to open the web server homepage from my mail server, I get time-outs. When I ping between the two in either direction, I get time-outs. This might seem trivial, but I have other data servers on the DMZ that need to communicate between themselves.

When we questioned the tech that performed the install, his answer was that there might be a problem with the switch the servers are connected to, or the servers might have a virus. He stated the process of ping should never involve the DMZ interface. And yes, our DMZ interface IP is the gateway for the servers. Now, if the DMZ (ASA) should never come into play with a ping, why, when I turned on logging, did I receive the error below? It sounds to me like the ping is going through the interface. Here are a few of the errors on the DMZ with the specific server IPs.
 
july 13 2012 12:50:04 106014 10.10.0.10 10.10.0.5 Deny inbound icmp src dmz1 10.10.0.10 dst dmz1 10.10.0.5 type 8, code 0
 
The ping problem was only used as an example to demonstrate that there is a comm problem on the DMZ. The ASA is running in router mode.

View 5 Replies View Related

Cisco Firewall :: ASA 8.2(5) - Uauth Absolute Timeout Disabled And Inactivity Timeout Set To 48 Hour

Nov 26, 2012

ASA 8.2(5): the uauth absolute timeout is disabled and the inactivity timeout is set to 48 hours:
 
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
 
Users still get kicked out every 8 hours and they have to reauth. This is the logging message:
 
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds

View 1 Replies View Related

Cisco Firewall :: 5510 ASA Connection Timeout For DNS

Jan 31, 2012

I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1). It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.

View 7 Replies View Related

Cisco Firewall :: Connection Timeout ASA 5520?

Oct 25, 2011

I configured multiple VLANs on my Cisco ASA5520. Everything works perfectly except RDP (3389) connections. The connections are established, but after a period of inactivity the user is disconnected from the server (black screen). The same problem happens with other types of connections (client/server), for example Oracle and file sharing. Before installing the ASA, computers and servers were in the same VLAN and it worked well.
 
Is there a notion of an inter-VLAN connection timeout?

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - Website Connection Auto Timeout After 5 Minutes

Oct 15, 2011

Our client tried to download a real-time generated file from a website; the generation process takes around 5 mins, and after 5 mins the file starts to download.
 
When my client connects directly to the internet, the file can be downloaded successfully, but when passing through the ASA 5510 and using the internal IP address, a message something like "Are you sure you want to logout from this web page?" appears in Safari after 5 mins. I think the error message appears at the time when a "you can start to download" message is sent from the server to the client; the page session times out, so the user cannot download the file from the internet as the session is not valid.
 
I couldn't find any timeout setting in "show run"; is it possible the setting is in ASDM? How can I find it and configure it?

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - Show Local-host All Detail Connection / Timeout

Nov 28, 2012

Version: Cisco ASA 5510 8.4(4)1

I've installed a Cisco ASA 5510.

When I run "show local-host all detail connection":

Normal situation:

105 myfailover:10.255.255.2/0 NP Identity Ifc:10.255.255.1/0,
idle 0s, uptime 1D14h, timeout 2m0s, bytes 18196822

But I got this output (timeout -):

[URL]

View 0 Replies View Related

Cisco Security :: ASA5510 - Single Timeout Drops Remote-Desktop Session

Oct 19, 2012

Just recently we replaced our HQ Cisco PIX with a Cisco ASA 5510, where we have many branches connecting to our HQ through site-to-site VPN. Since putting this new ASA5510 at HQ, while we are in a Remote Desktop session into our branches' clients, at the time when even a single TIMEOUT occurs on the VPN link the remote-desktop session gets completely lost. Then we have to reconnect the session. This issue happens, as I said above, when a single timeout occurs on the VPN link. What is the issue with the ASA5510? Because with the PIX we didn't have this issue; remote desktops were never getting lost / reset with a single timeout.

View 1 Replies View Related

Cisco Firewall :: ASA5510 Connection Numbers Don't Add Up

Jun 13, 2011

I have a monitoring rule that checks the number of connections on the firewall using the following command: show conn count
 
My results are always between 3,000 and 9,000. A while back, I had an issue where all 130,000 connections were being used up. I configured a service policy to limit the number of connections between any two end points.
 
I'm monitoring the error logs and I'm noticing that my connection limit rule is being triggered on a regular basis. I receive the following message: Per-client connection limit exceeded 20000/20000 for output packet from x.x.x.x to x.x.x.x on interface outside
 
I'm confused as to the difference between the connections limited by my rule and the connections shown by "show conn count". Why do I never see any connections higher than 9,000 using "show conn count", yet I am seeing alerts stating that the firewall has reached 20000 connections? My firewall is an ASA5510 running.

View 1 Replies View Related

LAN Connection Gets Disabled By Itself On Idle Status

Feb 22, 2012

LAN connection gets disabled by itself on idle. Sometimes BSODs. A few days ago I tried connecting an MBlaze modem to my laptop (Windows 7 Ultimate 32 bit) to access the internet. But it resulted in an instant BSOD every time. I deleted the modem software after that and didn't try to connect it again. But now, whenever I connect using my LAN broadband, the connection works fine as long as I am continuously browsing something. But as soon as I stop browsing and it goes into idle mode, in about 10-15 minutes the connection gets disconnected. In the adapter properties, it shows that the driver is working properly. If I try to disable or uninstall it, it doesn't give a response. The only solution to this is a forced shutdown and restart, after which it works fine until idle. I am not able to download anything because of this. I tried many things like reinstalling the network adapter driver, unchecking the power management feature, resetting the connection, etc., but nothing is working.

View 5 Replies View Related

Cisco Firewall :: Switch ASA5510 Outside Interface Connection

Mar 10, 2011

Our ASA 5510 is running 8.0(5). We recently upgraded the license from Base to Security Plus. By doing so, the capacity of the external ports Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured out that the provider switch only supports 100 Mbps, which is a bottleneck for us. The provider will be upgrading their switches to a 1 Gb switch.
 
We will have to swap the switch connections now from the 100 Mbps to the 1 Gb switch. What commands should we familiarise ourselves with? Though this will be done in our maintenance window, all the translations/connections will be dropped in our production environment, so we are kind of scared.

View 3 Replies View Related

Cisco VPN :: ASA 5500 / VPN Connection Looses Connectivity Even When Not Idle?

Mar 3, 2011

I recently started having trouble with my VPN clients losing connection. I can create the connection, work with it for a while, and then lose connectivity. Timing seems to be dependent on the activity over the connection. More activity, the connection stops working sooner.

The client doesn't disconnect, I just can't access anything from the client. Disconnecting and reconnecting the client fixes the problem temporarily, depending on how much data I'm transferring. This works 90% of the time. The other 10%, if I wait 30-45 minutes and try again... it works... with the same results...
 
It was originally isolated to a Win 2003 server that I was using as the client. It is now happening on my Win XP client as well. I'm using the AnyConnect client ver. 2.5.2014 with the VPN service on the UC520, which I believe is similar to the ASA 5500 series VPN device. I am running ver 8.1.0 on the UC 520, and I can't remember if this started after upgrading to the new software.

View 2 Replies View Related

Cisco VPN :: Sa540 - Disconnect VPN Connection After Idle Time

Jul 10, 2012

We are using the Cisco SA540 router and Shrew VPN to connect to our business network, mostly to connect to the workstations with RDP. Now we wonder if it is possible that the connection will disconnect automatically after an idle time of, for example, 30 minutes. And if so, how can I configure it?

View 4 Replies View Related

Cisco Firewall :: ASA5510 Permit Incoming Connection From Remote LAN

Sep 4, 2011

Actually all services from site to site are permitted, without restriction. I want to insert an ASA to block some internet traffic on the main site. I try to configure my ASA5510. No problem for outgoing connections or to permit a single service on the main site. But it is impossible to give access to all services/connections from all remote sites to the main site. [code]

View 7 Replies View Related

Cisco Firewall :: ASA5510 / Specific Configuration About TCP Connection Or DNS To Setup?

Mar 8, 2011

I changed my old firewall for an ASA5510; since that change my internet connection is slower. Some websites take longer to display. I would like to know if there is some specific configuration about TCP connections or DNS to set up?

I just configured the ISP DNS:

dns server-group DefaultDNS
 name-server 194.2.0.20
 name-server 194.2.0.50

View 4 Replies View Related

Cisco Firewall :: ASA5510 - Giving Error 421 SMTP And Connection Lost

Oct 10, 2011

I've got some problems with my mail server since I migrated to an ASA5510. Actually the server is in a DMZ with a private IP (10.x.x.2) and it is translated to a public IP (194.x.x.65). Some users received in their mailbox a system administrator error message: Object: Impossible to deliver: test. Your message could not be delivered to one or more of its recipients: 421 SMTP connection went away! When they try to resend it some time later, the message is sent without problem.

View 3 Replies View Related

D-Link DIR-601 :: Loosing Telnet Connection When Leaving Session Idle For Only Few Minutes

Mar 4, 2013

Not sure where the best place to drop this question is. It is a DIR-601 router. I have it configured in the virtual servers list as: internal system IP, public port/private port both 23, protocol TCP with inbound filter, allow all, and schedule set to always. I have a second system with a different public port. I can connect to either one, but after a short amount of idle time it appears to just drop the connection.

View 4 Replies View Related

Linksys Wireless Router :: Macbook 10.8.2 / EA4500 Lossing Connection After Being Idle

Nov 30, 2012

My MacBook keeps losing its wireless connection after being idle; when I start up I have to find my router, highlight it and connect, and if it's idle it loses its connection all the time. I tried resetting the router to default and started over. I also tried every imaginable way of saving my password and connection but I can't find a way. I've been into the router's security, troubleshooting, wireless... What's not holding its connection to my MacBook? My iPhone 5, iPad, and Roku all hold

View 2 Replies View Related

Cisco Firewall :: ASA5580 - How To Configure Traffic Flow Idle Time-out With CSM

Feb 16, 2012

I am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco Security Manager. For example, I needed to define a specific idle timeout for connections between specific devices (Device1 in vlan1, Device2 in vlan2). To test it I did the following changes by CLI and it works fine.

access-list L1 extended permit ip <@IP1> <mask1> host <@IP2>
class-map CM1
 match access-list L1
policy-map PM1
 class CM1
  set connection timeout idle 02:00:00
 
I try to do the same configuration with CSM in order to be able to manage all changes only by using CSM. So I defined an access control list and a traffic flow, and then I define the timeout in CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out. The problem is that each time I deploy the configuration with CSM I lose the timeout config line, which is the most important for my application.

View 2 Replies View Related

Cisco Firewall :: ASA 5540 - Identify Unused / Idle And Inactive Rules

Jul 22, 2012

I have a pair of ASA 5540s running 8.4 code. The firewall set has about 4500 rules. I am tasked to identify all unused/idle/inactive rules in the past 3 months.

View 2 Replies View Related

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9; from the datasheet I found the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?

View 3 Replies View Related

Talk Talk Router - Connection Is Suffering Idle Timeouts Daily

May 21, 2012

I've got an AOL engineer visiting Thurs. to examine the connection loss (since last Weds). But I'm convinced the problem is with the router. From the tone of the AOL tech's questions I suspect he's already briefed his engineer to do his best to represent the problem as being either with my computer or the positioning of the router/filters/condition of wall sockets, the usual get-outs. The TalkTalk router is new, issued Feb 12, after my original router, a SpeedTouch, started suffering idle timeouts every day.

View 3 Replies View Related

WAN Connection Timeout Frequently On Cisco 1812

Aug 9, 2012

At the moment I am trying to connect to a DHCP ISP, but the connection only lasts for 10-15 mins and then it automatically disconnects. Every time I reset the WAN port, service is back to normal for another 10-15 mins ><

[code]...

View 2 Replies View Related

Copyrights 2005-15 www.BigResource.com, All rights reserved