topic Re: FWSM sysopt connection timewait ? in Network Security

FWSM sysopt connection timewait ?

patoberli — Mon, 11 Mar 2019 18:52:48 GMT

Is the command 'sysopt connection timewait' available on the FWSM 3.2? There is something written in the manual: [quote]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.2 -- Whole Book PDF" available on the page you sent me to and go to page 6-86 we see the following.

Command

sysopt connection timewait

Description

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence

[/quote]

But on the other hand it's not listed as an available command in the list of commands...

So is it available? What are the options for configuring it? What is the impact for the network?

Our backupsoftware supplier asked us to lower it to 30 seconds or less.

thanks

pato

Re: FWSM sysopt connection timewait ?

Jennifer Halim — Mon, 11 Oct 2010 09:33:51 GMT

The command "sysopt connection timewait" is a global command that is no longer available on version 3.2.

You can configure the same feature with MPF with configuring specific traffic that you would like to lower the TCP timewait on.

Here is the command reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/s1.html#wp2699979

Hope that helps.

Re: FWSM sysopt connection timewait ?

patoberli — Mon, 11 Oct 2010 10:57:10 GMT

Thanks for your answer. In that case we can't change it to a time that the manufactor would like to have (around 5-10

seconds).

Re: FWSM sysopt connection timewait ?

Jennifer Halim — Mon, 11 Oct 2010 11:08:06 GMT

On FWSM architecture, the connection is actually removed as soon as they are closed, hence the "sysopt connection timewait" actually serves no purpose, hence it is no longer available in the later version.

What is your software vendor actually trying to achieve? Do they want to close down the connection around 5-10 seconds after the TCP session is idle? If that is what they are trying to achieve, then you can implement it using the "set connection timeout" command advised earlier.

Re: FWSM sysopt connection timewait ?

patoberli — Mon, 11 Oct 2010 11:17:39 GMT

The issue is that the software tries to re-use the same port for a new connection. The firewall will block that with:

%FWSM-6-106028: Deny TCP (Connection marked for Deletion) from x.x.x.x/xx to x.x.x.x/xx flags SYN on interface inside

And this itself is caused because of the time_wait period which seems to be set to 240 seconds. What I would need is to lower that one to 10-30 seconds.

The set connection timeout tcp or idle has a minimum of 5 minutes as per your attached link.