topic Hi VibhorThe FWSM in Network Security

FWSM does not clear UDP connections properly

josephqiu — Tue, 12 Mar 2019 06:28:45 GMT

I'm having an issue with the FWSM that is not clearing the idle UDP connections properly. The configuration has the UDP idle timeout set for 2 minutes. But I'm seeing the UDP connections not cleared until 30 minutes.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

UDP outside 10.2.107.211:55004 inside 10.224.16.55:389 idle 0:26:51 Bytes 810 FLAGS - b
UDP outside 10.2.13.201:51782 inside 10.3.14.79:161 idle 0:22:30 Bytes 382 FLAGS - b
UDP outside 10.2.69.248:60113 inside 10.224.16.230:53 idle 0:13:29 Bytes 950 FLAGS - bD

Compared with other FWSM's on other 6509's (same model, same OS, almost same configs), only this particular one has the issue. I don't have a policy-map to set UDP timeout for any traffic, and I don't have "inspect dns" in the global policy-map as well.

Maybe I'm hitting a bug? Any suggestion would be appreciated.

Hi,Can you post the FWSM

Vibhor Amrodia — Sun, 30 Aug 2015 15:34:40 GMT

Hi,

Can you post the FWSM configuration ?

I am seeing the "b" flag which means that these have State Byapss configured.

Thanks and Regards,

Vibhor Amrodia

Hi VibhorI think you have a

josephqiu — Sun, 30 Aug 2015 17:16:40 GMT

Hi Vibhor

I think you have a good point there. I totally missed the "b" flag, and I do believe we have a state bypass configured. I will check the configuration and do some testing if possible. Will update the post.

Appreciate your help!

Joseph

Hi VibhorThe FWSM

josephqiu — Mon, 31 Aug 2015 05:41:13 GMT

Hi Vibhor

The FWSM configuration is attached. tcp-state-bypass is enabled for all IP traffic. I did a test by exclude the traffic for a testing PC (adding "deny" lines in the ACL). But UDP traffics for the testing PC are still not cleared properly.

UDP outside 10.2.2.40:137 inside 10.224.16.232:137 idle 0:04:03 Bytes 68544 FLAGS - b
UDP outside 10.2.2.40:138 inside 10.224.16.53:138 idle 0:04:05 Bytes 26216 FLAGS - b
UDP outside 10.2.2.40:3229 inside 10.224.16.53:389 idle 0:28:12 Bytes 820 FLAGS - b
UDP outside 10.2.2.40:52113 inside 10.224.16.230:53 idle 0:06:11 Bytes 736 FLAGS - bD
UDP outside 10.2.2.40:59607 inside 10.224.16.230:53 idle 0:19:03 Bytes 620 FLAGS - bD

Any other thoughts?

Thanks again.

Joseph

Hi,From the connections

Vibhor Amrodia — Mon, 31 Aug 2015 18:39:21 GMT

Hi,

From the connections outputs , I still see them being classified by the TCP state Bypass policy.

Thanks and Regards,

VIbhor Amrodia

Yes the "b" flag is still

josephqiu — Mon, 31 Aug 2015 19:05:11 GMT

Yes the "b" flag is still there. But why the TCP state bypass is affecting UDP connections? Also, I have added the deny lines to exclude the testing traffics. Looks like the "deny" lines are just ignored.

Hi,Yes , it seems to be and

Vibhor Amrodia — Mon, 31 Aug 2015 19:11:28 GMT

Hi,

Yes , it seems to be and also did you try to clear the connections after making the changes to the Byapss ACL ?

Thanks and Regards,

Vibhor Amrodia

Yes, I did clear all

josephqiu — Mon, 31 Aug 2015 19:32:16 GMT

Yes, I did clear all connections for that testing PC.