topic FWSM idle connection issues? in Network Security https://community.cisco.com/t5/network-security/fwsm-idle-connection-issues/m-p/1897124#M437331 <P>Hey all,</P><P></P><P>We are experiencing an odd issue that may be related to our FWSM. Our DBAs are experiencing timeout issues when running Oracle SQLNet queries for connections that are anywhere between 30 minutes and 60 minutes idle. I can say with certainty that after 60 minutes the connection is lost, less than that I do not have concrete evidence yet. We have run some packet captures and analyzed the data using a third party analysis tool with their engineers and have found very little to say it is network. The DBAs say it isn't the database a setting on the clients and that the issue appears to have begun back when we implemented performance modifcations on our FWSM - upping the default mss from 1380 to 1460 and disabling TCP sequence randomization.</P><P></P><P>I saw another post on here that appeared to be similar, but I didn't; quite understand the "Correct Answer" solution or how to use it as it was quite generic.</P><P></P><P>We are running FWSM code 3.1(9)</P><P></P><P>Here is a listing of our timeouts and policies:</P><P></P><P>timeout xlate 3:00:00</P><P>timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00</P><P>timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P></P><P></P><P>class-map sqltraffic</P><P> match access-list sqltraffic</P><P>class-map TCP</P><P> match port tcp range 1 65535</P><P>class-map class_sip_tcp</P><P> match port tcp eq sip</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect ils</P><P>&nbsp; inspect icmp</P><P> class class_sip_tcp</P><P>&nbsp; inspect sip</P><P> class sqltraffic</P><P>&nbsp; inspect sqlnet</P><P> class TCP</P><P>&nbsp; set connection random-sequence-number disable</P><P></P><P>sysopt connection tcpmss 1460</P><P></P><P></P><P>We plan to take the tcpmss back to default of 1380 and remove the class TCP to re-enable random-sequence-number </P><P></P><P>However I am curious if just having the class TCP in there, does this override the global timeout connection of 4:00:00 (4hr) ?</P><P></P><P>Thanks!</P><P></P><P>-dan</P> Mon, 11 Mar 2019 23:04:54 GMT Daniel Foerst 2019-03-11T23:04:54Z FWSM idle connection issues? https://community.cisco.com/t5/network-security/fwsm-idle-connection-issues/m-p/1897124#M437331 <P>Hey all,</P><P></P><P>We are experiencing an odd issue that may be related to our FWSM. Our DBAs are experiencing timeout issues when running Oracle SQLNet queries for connections that are anywhere between 30 minutes and 60 minutes idle. I can say with certainty that after 60 minutes the connection is lost, less than that I do not have concrete evidence yet. We have run some packet captures and analyzed the data using a third party analysis tool with their engineers and have found very little to say it is network. The DBAs say it isn't the database a setting on the clients and that the issue appears to have begun back when we implemented performance modifcations on our FWSM - upping the default mss from 1380 to 1460 and disabling TCP sequence randomization.</P><P></P><P>I saw another post on here that appeared to be similar, but I didn't; quite understand the "Correct Answer" solution or how to use it as it was quite generic.</P><P></P><P>We are running FWSM code 3.1(9)</P><P></P><P>Here is a listing of our timeouts and policies:</P><P></P><P>timeout xlate 3:00:00</P><P>timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00</P><P>timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P></P><P></P><P>class-map sqltraffic</P><P> match access-list sqltraffic</P><P>class-map TCP</P><P> match port tcp range 1 65535</P><P>class-map class_sip_tcp</P><P> match port tcp eq sip</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect ils</P><P>&nbsp; inspect icmp</P><P> class class_sip_tcp</P><P>&nbsp; inspect sip</P><P> class sqltraffic</P><P>&nbsp; inspect sqlnet</P><P> class TCP</P><P>&nbsp; set connection random-sequence-number disable</P><P></P><P>sysopt connection tcpmss 1460</P><P></P><P></P><P>We plan to take the tcpmss back to default of 1380 and remove the class TCP to re-enable random-sequence-number </P><P></P><P>However I am curious if just having the class TCP in there, does this override the global timeout connection of 4:00:00 (4hr) ?</P><P></P><P>Thanks!</P><P></P><P>-dan</P> Mon, 11 Mar 2019 23:04:54 GMT https://community.cisco.com/t5/network-security/fwsm-idle-connection-issues/m-p/1897124#M437331 Daniel Foerst 2019-03-11T23:04:54Z