topic Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible? in Network Security

Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible?

Bernhard Roth — Mon, 11 Mar 2019 22:54:57 GMT

Hello!

We have an ASA5520 firewall which is used to secure some servers in the office. One server in the DMZ is accessing a NFS share on a higher security-level interface.

To make this work, we have allowed port 111 and enabled sunrpc-server as well as protocol inspection.

So far so good.

The mount and operation works fine but after <timeout> the session on the ASA gets closed.

This happens even if there is continous traffic via NFS.

The timeout setting seems to be an overall timeout for the translation and not only an idle-timeout (which would make sense)

configure mode commands/options:

timeout Idle time after which the hole for the SUNRPC service traffic will

be closed

How can I make the translation permanent, NOT timeouting after a fixed time?

Configuring 00:00:00 as timeout setting is not accepted in the CLI

Thank you and best regards,

Bernhard

Re: Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible

Jouni Forss — Tue, 17 Apr 2012 16:51:27 GMT

Hi,

Seems to be possible

Cisco material states the following for your software version

timeout {conn | floating-conn | h225 | h323 | half-closed | icmp | mgcp | mgcp-pat | pat-xlate | sip | sip-disconnect | sip-invite | sip_media | sip-provisional-media | sunrpc | tcp-proxy-reassembly | udp | xlate} hh:mm:ss

sunrpc

Specifies the idle time after which a SUNRPC slot will be closed, between 0:1:0 and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.

- Jouni

Re: Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible

Bernhard Roth — Tue, 17 Apr 2012 17:25:22 GMT

I saw that but how do the settings correlate to each other?

Per sunrpc-server timeout setting e.g.

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00

and the global setting

timeout sunrpc 0

In my understanding it would make far more sense to have the global setting as default but with the ability to specify an optional timeout, for example:

Global timeout set to 30 minutes:

timeout sunrpc 00:30:00

Protocol inspection without timeout setting (uses global value, RFE)

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111

Protocol inspection with individual timeout setting

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00

Protocol inspection with infinite timeout setting (RFE)

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 00:00:00

This will not break any existing configurations from previous ASA software releases.

Feedback welcome.

Best regards,

Bernhard

Re: Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible

Bernhard Roth — Tue, 17 Apr 2012 18:27:31 GMT

Some additional informations:

I just configured "timeout sunrpc 0" and in the sunrpc-server statement a timeout of 10 minutes.

After exactly 10 minutes the client reports error messages and the session on the ASA is closed ("sh sun ac")

What to do?