https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396854#M1080450 <P>Hello Experts!</P><P>So i have a problem that the server has tcp reset flag. My customer want to know is there any way that the cisco ASA reset the tcp connection?&nbsp;</P><P>In my understanding that the asa will reset the connection when the tcp session is idle for 1 hour (am i correct?). Is there any possibility that asa reset the tcp connection?&nbsp;</P><P>Fyi tcp port, and ip source/dest is legit and allowed in asa rules.</P> Mon, 03 May 2021 05:57:31 GMT SubnetWarrior 2021-05-03T05:57:31Z https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396854#M1080450 <P>Hello Experts!</P><P>So i have a problem that the server has tcp reset flag. My customer want to know is there any way that the cisco ASA reset the tcp connection?&nbsp;</P><P>In my understanding that the asa will reset the connection when the tcp session is idle for 1 hour (am i correct?). Is there any possibility that asa reset the tcp connection?&nbsp;</P><P>Fyi tcp port, and ip source/dest is legit and allowed in asa rules.</P> Mon, 03 May 2021 05:57:31 GMT https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396854#M1080450 SubnetWarrior 2021-05-03T05:57:31Z https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396864#M1080451 <P>You are correct, default tcp idle timeout is :</P> <PRE>sh run | inc timeout timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02</PRE> <P>The best way to t-shoot this will be to take pcap on the incoming and outgoing traffic interface to prove if the reset is sent by ASA or from the backend.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Chakshu</P> <P>&nbsp;</P> <P>Hope this helps!</P> Mon, 03 May 2021 06:26:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396864#M1080451 Chakshu Piplani 2021-05-03T06:26:46Z https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396865#M1080452 <P>Hello sir thx for the enlighment,&nbsp;</P><P>Unfortunetaly that the pcap just on one server, and there is none on the far-end server.</P><P>So what happend when the tcp session is more than 1 hour on asa? Does asa send tcp reset flag to both server?</P> Mon, 03 May 2021 06:34:01 GMT https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396865#M1080452 SubnetWarrior 2021-05-03T06:34:01Z https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396879#M1080454 <P>That's the timeout value for connection that asa maintains, read more here:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html</A></P> <P>&nbsp;</P> <P>I was asking to take pcap on the incoming and outgoing interface of ASA and not the servers, read more here:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html#anc10" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html</A></P> <P>&nbsp;</P> <P>Regards,</P> <P>Chakshu</P> <P>&nbsp;</P> <P>Hope this helps!</P> Mon, 03 May 2021 06:52:44 GMT https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396879#M1080454 Chakshu Piplani 2021-05-03T06:52:44Z https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396881#M1080455 <P>When the one side TCP reset send, the session closed and the TCP needs to re-established again.</P> <P>here are default TCP Reset timers :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.html</A></P> <P>&nbsp;</P> <P>I have seen some application required TCP session always open, if not application required to restart manually to establish a connection,</P> <P>in that case, you need to configured TCP state&nbsp; bypass as below :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 03 May 2021 06:56:56 GMT https://community.cisco.com/t5/network-security/cisco-asa-tcp-reset/m-p/4396881#M1080455 balaji.bandi 2021-05-03T06:56:56Z