CISCO ASA firewall connections not getting timeout

Sanjay S N — Tue, 12 Mar 2019 07:40:25 GMT

Hi,

I'm seeing connections which are established through ASA are not getting cleared from connection table.

I've defined the time out conn globally on the firewall, but not seeing that idle connections are not getting timeout & removed from the connection table.

timeout conn 1:10:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 1:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Below are some of the connection count which are observed to be more than configured timeline.

UDP dmz1 y.y.y.y:162 inside x.x.x.x:162, idle 227:28:39, bytes 9946115, flags -

TCP dmz1 z.z.z.z:22 inside x.x.x.x:64880, idle 243:16:17, bytes 13755432, flags UI

UDP dmz1 y.y.y.y:162 inside x.x.x.x:49962, idle 640:41:09, bytes 1599882, flags -

TCP dmz1 a.a.a.a:22 inside x.x.x.x:56750, idle 600:06:46, bytes 148361, flags UIO

Some connections are having there flag set which says its up, but whereas many are not having any flags set(empty).

I'm running with 9.1(2) code.

Hi Sanjay,

Rishabh Seth — Sat, 30 Apr 2016 18:37:42 GMT

Hi Sanjay,

The behaviour you are noticing does not look normal as the device is configured for specific timeouts.

I would suggest you to check following defect which is reported for ASA.

Here is a link for defect:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh13899/?reffering_site=dumpcr

Hope it helps...

Thanks,

topic Hi Sanjay, in Network Security

CISCO ASA firewall connections not getting timeout

Hi Sanjay,