topic Re: UDP timeout on FWSM in Network Security https://community.cisco.com/t5/network-security/udp-timeout-on-fwsm/m-p/1931812#M457950 <HTML><HEAD></HEAD><BODY><P>Hi , </P><P></P><P>If you do not have any policy-map applied that changes the UDP/123 timeouts, it might be a bug.</P><P></P><P>CSCso29047 Bug Details</P><P></P><TABLE border="0" cellpadding="5" cellspacing="2" style="color: #000000; font-family: Arial, Helvetica, sans-serif; text-align: -webkit-auto; background-color: #ffffff;" width="100%"><TBODY><TR style="vertical-align: top;"><TD colspan="2" style="font-size: 12px; padding: 8px;"><STRONG>set random-seq-number disable in MPC affects on UDP/ICMP conn timeout</STRONG></TD></TR><TR style="vertical-align: top;"><TD style="padding-left: 8px; padding-right: 8px; font-size: 12px; padding-bottom: 8px;" valign="top"><STRONG>Symptom:</STRONG><P></P>When random-sequence-number is disabled in policy-map, this causes the UDP connection timeout set to 60 minutes when global timeout for UDP/ ICMP is set to two minutes.<P></P><STRONG><STRONG>Conditions</STRONG>:</STRONG><P></P>Random-sequence-number is disabled in policy-map.<P></P><STRONG>Workaround:</STRONG><P></P>Do not disable random-sequence-number feature</TD></TR></TBODY></TABLE><P></P><P></P><P></P><P>If this is not the case, you can try opening a TAC case.</P><P>In my opinion I would upgrade the software first.</P><P></P><P></P><P>Regards</P><P>Dan</P></BODY></HTML> Tue, 20 Mar 2012 06:51:10 GMT Dan-Ciprian Cicioiu 2012-03-20T06:51:10Z UDP timeout on FWSM https://community.cisco.com/t5/network-security/udp-timeout-on-fwsm/m-p/1931811#M457946 <P>Hi,</P><P></P><P>I have an issue where udp idle sessions are not being closed after the configured 2 minute timeout, but instead staying open for 1 hour. </P><P></P><P><STRONG>FWSM Version</STRONG></P><P>FWSM Firewall Version 4.0(12)</P><P></P><P></P><P><STRONG>Timeout configuration</STRONG></P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P></P><P><STRONG>Connections</STRONG></P><P>fwsm# show conn</P><P>UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:64795 idle 0:28:16 Bytes 376 FLAGS -</P><P>UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:53936 idle 0:18:15 Bytes 376 FLAGS -</P><P>UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:54244 idle 0:58:18 Bytes 376 FLAGS -</P><P>UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:52696 idle 0:38:17 Bytes 376 FLAGS -</P><P>UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:50206 idle 0:08:15 Bytes 376 FLAGS - </P><P>UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:54245 idle 0:48:18 Bytes 376 FLAGS -</P><P></P><P>NOTE: 192.168.2.1 is a PC polling an NTP (192.168.1.1) server every 10 minutes.</P><P></P><P></P><P>Any help would be greatly appreciated.</P><P></P><P>Cheers</P> Mon, 11 Mar 2019 22:44:17 GMT https://community.cisco.com/t5/network-security/udp-timeout-on-fwsm/m-p/1931811#M457946 inthemix1 2019-03-11T22:44:17Z Re: UDP timeout on FWSM https://community.cisco.com/t5/network-security/udp-timeout-on-fwsm/m-p/1931812#M457950 <HTML><HEAD></HEAD><BODY><P>Hi , </P><P></P><P>If you do not have any policy-map applied that changes the UDP/123 timeouts, it might be a bug.</P><P></P><P>CSCso29047 Bug Details</P><P></P><TABLE border="0" cellpadding="5" cellspacing="2" style="color: #000000; font-family: Arial, Helvetica, sans-serif; text-align: -webkit-auto; background-color: #ffffff;" width="100%"><TBODY><TR style="vertical-align: top;"><TD colspan="2" style="font-size: 12px; padding: 8px;"><STRONG>set random-seq-number disable in MPC affects on UDP/ICMP conn timeout</STRONG></TD></TR><TR style="vertical-align: top;"><TD style="padding-left: 8px; padding-right: 8px; font-size: 12px; padding-bottom: 8px;" valign="top"><STRONG>Symptom:</STRONG><P></P>When random-sequence-number is disabled in policy-map, this causes the UDP connection timeout set to 60 minutes when global timeout for UDP/ ICMP is set to two minutes.<P></P><STRONG><STRONG>Conditions</STRONG>:</STRONG><P></P>Random-sequence-number is disabled in policy-map.<P></P><STRONG>Workaround:</STRONG><P></P>Do not disable random-sequence-number feature</TD></TR></TBODY></TABLE><P></P><P></P><P></P><P>If this is not the case, you can try opening a TAC case.</P><P>In my opinion I would upgrade the software first.</P><P></P><P></P><P>Regards</P><P>Dan</P></BODY></HTML> Tue, 20 Mar 2012 06:51:10 GMT https://community.cisco.com/t5/network-security/udp-timeout-on-fwsm/m-p/1931812#M457950 Dan-Ciprian Cicioiu 2012-03-20T06:51:10Z