Cisco Firewall :: Tcp Flags And Timeout On ASA55XX 8.4(3)
Oct 18, 2012
I would like to understand someting about the behaviour of ASA with our traffic scenario and the management of tcp sessions.
1) In particular we noticed that we have connections with the flags Fin without any acknowledgement. The session is silent (the bytes counters aren't incremented) but it remains in the session table as an established connection with the idle timeout of an established conn.
We have about 20% (60K on 300K total) of conns in this state: at our eyes it seems to be an incorrect behaviour...
TCP OUTSIDE 62.149.128.151:110 INSIDE 10.254.158.12:61527, idle 0:11:36, bytes 433, flags UFIO
TCP OUTSIDE 17.151.0.200:443 INSIDE 10.254.229.94:52367, idle 0:01:25, bytes 4597, flags UfIO
TCP OUTSIDE 184.169.79.33:443 INSIDE 10.255.249.146:60143, idle 0:10:39, bytes 5590, flags UFIO
TCP OUTSIDE 157.55.235.158:80 INSIDE 10.170.37.102:62421, idle 0:00:53, bytes 1770, flags UfIO
2) On the connections considered as half -closed we have received an ack to the fin (r or R flag is present), we would like to set the idle timeout to a value lower than 5 minutes but we were not able to reach that result
timeout pat-xlate 0:00:30
timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
!
access-list timeoutClass extended permit tcp any any eq www
access-list timeoutClass extended permit tcp any any eq 8080
class-map timeoutClass
match access-list timeoutClass
class timeoutClass
3) And this type of conns with a Fin on both side that I'm not able to understand... with an ack on one of the side how can I have the other fin??
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51236, idle 0:11:28, bytes 10536, flags UfFIO
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51234, idle 0:12:22, bytes 9070, flags UfFIO
TCP OUTSIDE 88.40.119.73:36962 INSIDE 10.255.93.162:36875, idle 0:13:27, bytes 3562, flags UfFIO
View 3 Replies
ADVERTISEMENT
May 14, 2012
I have ASA 5510 with 8.2.4 and 8.0.x OS and all seem to have common problem of idle TCP connections not timing out. The host to host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts and as well as host specific timeouts using MPF but doesn't work at all ! The problem is when TCP connections are sitting idle in conn table for days and when connection limit of 50,000 conns reach the firewall starts behaving unpredictably dropping packets or unresponsive! I need the unused idle connections to timeout which is NOT happening either by changing global values or MPF.
View 1 Replies
View Related
Jul 19, 2012
Is there any option available in any of the Cisco ASA55xx series model to install both csc-ssm and aip-ssm ips modules ? If, so is it advisable to install both ? Is the throughput of ips module has any dependency with the asa chassis throughput ?
View 1 Replies
View Related
May 2, 2012
I have an issue were thousands of connections on the ASA are marked with flags E, below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp what the meaing of an outside back connection (ie flags E).
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828, flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0
View 0 Replies
View Related
Jul 12, 2012
I know this issue probably has been beat to death, but I have yet to find the answer to my situation. We recently upgraded from a PIX515e to ASA5520. Shortly after the install I noticed a problem with the servers on our DMZ. This problem was NOT present with our old 515e. The problem is that there seems to be a communication problem between servers on the DMZ, specifically when I try to open the web server homepage from my mail server, I get time-outs. When I ping between the two in either direction, I get time-outs. This might seem trivial, but I have other data servers on the DMZ that need to communicate between themselves.
When we question the tech that performed the install, his answer was that there might be a problem with the switch the servers are connected to, or the servers might have a virus. He stated the process of ping should never involve the DMZ interface. And yes, our DMZ interface IP is the gateway for the servers. Now, if the DMZ (ASA) should never come into play with a ping, why when I turned on logging did I receive the error below? It sounds to me that the ping is going through the interface. Here are a few of the errors on the DMZ with the specific server IPs.
july 13 2012 12:50:04 106014 10.10.0.10 10.10.0.5 Deny inbound icmp src dmz1 10.10.0.10 dst dmz1 10.10.0.5 type 8, code 0
The ping problem was only used as an example the demonstrate that there is a comm problem on the DMZ. ASA is running in router mode.
View 5 Replies
View Related
Nov 26, 2012
ASA 8.2(5), uauth absolute timeout is disabled and inactivity timeout is set to 48 hours:
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Users still get kicked out every 8 hours and they have to reauth. This is a logging message:
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds
View 1 Replies
View Related
Jun 24, 2012
I have 2 cisco routers that resired on the same interface on Cisco ASA. For security reasons, on both of the routers I have configured default gateway to be ASA interface, then static route between them on the ASA, I get the following error when on station comming from first router trying to connect to another station behind secound router (again, on the same interface, maybe this is the issue?).
ASA-3-106001: Inbound TCP connection denied from flags SYN
There is access list allowing traffic between but hit count is 0
View 4 Replies
View Related
Oct 3, 2012
I would like to know something with more accuration about idle timeout configuration. In particular why is impossible to set "half-closed connections" to a value lower than 5 minutes neither through a policy-map? In my particular scenario, my asa is used to nat mobile phones traffic, it should be advisable to use less than 5 minutes
In my configuration I've set the timers as follows:
.
timeout xlate 0:15:00
timeout pat-xlate 0:00:30
timeout conn 0:14:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
[Code].....
View 4 Replies
View Related
Feb 20, 2013
Faced this recent vulnerability?
[URL]
My understanding is that for ASA 8.4.1 and prior, there's a vulnerability that opening many ssh sessions and one of them times out, the firewalls crashes!
As we have many customers with ASA using 8.2.5(26) (for example) I'd like a confirmation that for fixing that bug I need to upgrade my ASA image to at least 8.4.x.Case that, I believe that all the former firewall configuration must be reviewed because 8.2.x version has many different commands that 8.4.x (for example, NAT)
View 19 Replies
View Related
Jan 31, 2012
I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.
View 7 Replies
View Related
Jun 4, 2012
I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up a RDP based connection, for monitoring purposes, for a most of the day, but thier RDP connection keeps getting discounnted after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glsring differences in regards to the configuration that would cuase the RDP sessions to either to stay up or be disconnected after an inactivity type scenario.
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.
View 2 Replies
View Related
Aug 30, 2011
I have a 5505 for a small business that has one web server. The web server has a static NAT entry to an IP address and not an interface. There is an access rule allowing any HTTP traffic to the outside IP of the web server. From the web server I can't access the Internet.
All other computers on the network can access the Internet using a dynamic nat rule that uses the outside interface. The web server is accessible from a computer behind the firewall.
If I delete the static NAT entry for the web server I can get on the Internet.
I have turned debugging on and see that an outbound connection is built and then 30 seconds later the connection is torn down with the bytes 0 SYN Timeout message.
I am running 8.0(5).
View 3 Replies
View Related
Oct 25, 2011
I configured multiple vlan on my Cisco ASA5520. Everything work perfectly except RDP (3389) connections. The connections are established but but after a period of inactivity, the user is disconnected from server (black screen). The same problem happens with other type of connections (client/server), exemple : Oracle, file sharing. Before installing the ASA, computers and servers were in the same vlan and it worked well.
There's a notion of inter vlan timeout connection ?
View 5 Replies
View Related
Aug 18, 2011
What does a pinhole timeout indicate? [code]
ASA 5505 8.4(2)
View 2 Replies
View Related
Feb 15, 2013
We had an issue the other day where doing backups through the firewall (don't ask) caused the "control" session to timeout while the backups were still going on over the "data" connection. This broke the backup about two hours into the job. My first thought was that the backup solution vendor should implement some kind of tcp keepalive for the control connection. A packet capture showed they indeed were -- after 2 hours! Ah ha! Busted! How could they choose such a poor choice of TCP keepalive timer for their application that would not be compatible with the 60 minute inactivity timer that so many firewall vendors use (Cisco, Juniper, Checkpoint and Fortinet all use a default 60 minute inactivity timer for TCP)?
Well, a colleague of mine pointed out that there is actually an old RFC that covers this. RFC 1122. It says:
Keep-alive packets MUST only be sent when no data or acknowledgement packets have been received for the connection within an interval. This interval MUST be configurable and MUST default to no less than two hours.
Now I know that RFC is old (October 1989), but that's all I could find. Is there something that supercedes that? Maybe common sense perhaps? I understand not wanting to fill up your connection table because of mis-behaving applications, but I'm just looking for ammunition to use against the backup solution vendor. Surely they're going to point to this RFC.
ASA(config)# timeout conn ?
configure mode commands/options:
0:0:0 | <0:5:0> - <1193:0:0> Idle time after which a TCP connection state
will be closed, default is 1:00:00
<0-0> Specify this value to never time out
View 1 Replies
View Related
Jun 2, 2010
When users are VPN connected their telnet sessions timeout after an hour of inactivity. Looking at the connections on the firewall they are showing as idle. Is there a configuration change or something else that has to be modified?
View 2 Replies
View Related
Aug 23, 2012
I am on version 8.2(1) of ASA Code.When accessing a SQL server on a secure internal interface,(Traffic is sourcing from DMZ) i'm getting some timeouts on the initial connection on port 1433. All subsequent connections work fine. Packet tracer shows the connection builds properly, and shouldn't have a connectivity issue. The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues. Here are my timeouts, from the config
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
arp timeout 14400
I've seen a couple articles about increasing the tcp timeout to 3 hours for the DMZ interface?
View 1 Replies
View Related
Apr 13, 2011
How to verify on the asa 5510 , the vpn-idle timeout,is running on default setting(30mts)
View 3 Replies
View Related
Mar 29, 2011
I am using a Pix 515 with IOS 8.0(3).I have in my access list on the outside interface.......access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply.......in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.
Why doesn't the hit count show up in the ASDM gui display?Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
In the config there is 'timeout icmp 00:00:02' if there is no stateful connection for ICMP, why is there a timeout value for it?
View 4 Replies
View Related
Jul 19, 2007
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
View 3 Replies
View Related
Oct 15, 2011
Our client tried to a download a real time generated file from a website, the generation process around 5 mins, after 5 mins, the file will be started to download
When my client direct connect to internet, the file can be download successfully, but when pass through the ASA 5510 and using the internal IP address, a message something like "Are you sure want to logout from this web page?" appears in Safari after 5 mins, i think the time of the error message appear when a "you can start to download" message send from the server to client, the page session timeout so that make the user cannot download the file from internet as the session is not vaild.
I couldn't find any timeout setting in "show runn", is it possible the setting in ASDM? how can I find it and configure it?
View 5 Replies
View Related
Nov 28, 2012
Version: Cisco ASA 5510 8.4(4)1
I've installed cisco asa 5510.
When I "show local-host all detail connection "
Normal situation:
105 myfailover:10.255.255.2/0 NP Identity Ifc:10.255.255.1/0,
idle 0s, uptime 1D14h, timeout 2m0s, bytes 18196822
But I got this output ( timeout - )
[URL]
View 0 Replies
View Related
Aug 16, 2012
How do I, if I even can, adjust the MAC table timeout from 5 minutes to whatever is bigger and allowable?
I would like to also like to change the ARP table timeout as well.
View 4 Replies
View Related
Jan 16, 2011
I know there has already been a couple of threads on this but rather than add my question to the bottom of one of those I thought I would try afresh.
We have an 857W connected to the internet via ADSL. All works very well, however if I ping from an attached PC the first one always times out. If i ping from the router (ping { URL}source 192.168.18.1) I get !!!!! every time. Back to the PC and 'Request timed out' on the first.
The only way I have been able to resolve this is by using no ip cef. It then works as expected, first ping and all. The problem is after much reading, it is not ideal to disable cef.
View 21 Replies
View Related
Apr 19, 2011
I have a D-Link DIR-825.B1, which I've recently updated to the 2.04EU firmware. The update fixed some IPv6 problems I've had, but introduced an IPv4 problem instead: TCP NATs have a rediculesly low timeout of 60 seconds, which makes the router useless for most protocols.How do I set the NAT timeout for TCP connections?
View 4 Replies
View Related
Aug 1, 2011
If any authenticated user uses protocol other than (http, https) within timeout period, that user #is deuthenticated
View 1 Replies
View Related
Sep 7, 2011
I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate ok, but other will timeout. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server but the server sends no reply to the device.
View 3 Replies
View Related
Sep 9, 2012
my current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements that I make below are what I have gathered from reading on forums, some of them might be incorrect.
In the ACS Under “External Identity Stores” and “Active Directory”, there is a check box called “Enable Machine Access Restrictions” if it is checked and the Aging time is set to 8 hours and a Windows XP machine authenticates using it’s Domain credentials it will gain access to the network but if that computer is not rebooted after the 8 hours is up, Windows XP will not send it machine credentials again, it will only send the user/pass of the user and will loose access to the network. The problem we have is that most of the users do not shutdown their computers when they go home, they hibernate the computers thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send it’s domain credentials again but from every forum I have read on, Windows XP will not send it again until it get rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the mean time I have changed the aging time to 8760 hours but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward what are my options to make this work properly?
-Is there a way to fix Windows XP?
-Is there a recommendation on how to bypass this issue but still give us decent security?
-Is setting the aging time so high, a non security issue?
-I guess worst case scenario, the customer can try to educate all the students and staff to reboot their machines every morning?
View 4 Replies
View Related
Oct 16, 2011
I have deployed a 2504 controller with EAP-TLS however we are receiving the following errors where it appears the EAP response timeout from the client is expiring and not receiving a reply, this is happening with all clients.
We have three SSIDs one with EAP-FAST working perfectly, and a third with WPA2-AES itis only this where we are seeing the response appear to expire. Running code 7.0.116.0 on a WLC2504. RADIUS shared secrets all ok.
*Dot1x_NW_MsgTask_5: Oct 17 11:16:16.207: 00:19:7e:c3:ab:35 Sending EAP Request from AAA to mobile 00:19:7e:c3:ab:35 (EAP Id 224) *osapiBsnTimer: Oct 17 11:16:46.036: 00:19:7e:c3:ab:35 802.1x 'timeoutEvt' Timer expired for station 00:19:7e:c3:ab:35 and for message = M0 *dot1xMsgTask: Oct 17 11:16:46.037: 00:19:7e:c3:ab:35 Retransmit 1 of EAP-Request (length 14) for mobile 00:19:7e:c3:ab:35 *osapiBsnTimer: Oct 17 11:17:16.036:
[Code]....
View 4 Replies
View Related
Nov 30, 2011
The Cisco VPN client is disconnected after 4 hours of inactivity. Is there a setting on the ASA that would timeout after 4 hours? I want to disable this setting. I am running IOS 8.2(4).
View 3 Replies
View Related
May 1, 2013
Search for 'DIR-825 timeout' only returned a half page and none were relevant.
DIR-825 2.03NA - The web interface has a ridiculously low timeout value. 60 seconds maybe?
I can't build a list of MAC addresses, e.g., before it reaches the timeout. I try to save.... and I have to log back in. And my changes are gone.
What's maddening is that it WAS working the way I wanted, with seemingly no timeout, until recently when I had to basically re-do my network.
View 4 Replies
View Related
Mar 4, 2011
I have just updated myDIR-655 A4 to firmware 1.35NA by the procedure: save config > upload firmware > load config.However after upgrading, my admin page now logout after every ~10 sec of inactivity.I have tried the method where to view the admin page without a style, to be able to set the timeout period, from 5 mins to 3, 8 and 10 mins, but no matter what I set, it still logs me out after ~10 sec.
View 4 Replies
View Related
Aug 9, 2012
At the moment I am trying to connect to a DHCP ISP, but the connection only last for 10-15mins and then it will automatically disconnected. Every time I reset the WAN port , service back to normal for another 10-15 mins ><
[code]...
View 2 Replies
View Related
