https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285548#M858279 <P>Hi All!</P><P></P><P>We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in policy-map, FWSM does not send any TCP-reset packet to the endpoints (monitored using WireShark).</P><P>We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F</P><P></P><P>Please see the related configuration below:</P><P></P><P>Traffic originating from outside interface (source IP: 172.16.129.221) destined to an inside host (destination IP: 172.24.250.100) to TCP/22 or TCP/23.</P><P></P><P>!</P><P>access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable</P><P>access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet log disable</P><P>!</P><P>!</P><P>service reset no-connection</P><P>!</P><P>class-map CONNS_TIMEOUT_TEST_CMAP</P><P> match access-list CONNS_TIMEOUT_TEST_ACL</P><P>!</P><P>policy-map CONNS_TIMEOUT_TEST_PMAP</P><P> class CONNS_TIMEOUT_TEST_CMAP</P><P> set connection timeout tcp 0:05:00 reset</P><P></P><P>!</P><P>icmp permit TESTNET_172.24.250.0 255.255.255.0 TESTNET_172.24.250.0/24</P><P>access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 255.255.255.0 any log disable</P><P>!</P><P>object-group service TEST_OBJECT_GR tcp</P><P> port-object eq ssh</P><P> port-object eq telnet</P><P>access-list outside_access_in extended permit tcp host 172.16.129.221 host 172.24.250.100 object-group TEST_OBJECT_GR log disable</P><P>!</P><P>!</P><P>service-policy CONNS_TIMEOUT_TEST_PMAP interface outside</P><P>!</P><P></P><P>We are planning to upgrade the latest FWSM v4 software verion, because it seem to be a bug. Could anybody help me to solve this problem? </P><P>Any feedback would be appreciated! Thanks in advance! Belabacsi</P><P></P> Mon, 11 Mar 2019 16:04:51 GMT Bela Mareczky 2019-03-11T16:04:51Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285548#M858279 <P>Hi All!</P><P></P><P>We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in policy-map, FWSM does not send any TCP-reset packet to the endpoints (monitored using WireShark).</P><P>We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F</P><P></P><P>Please see the related configuration below:</P><P></P><P>Traffic originating from outside interface (source IP: 172.16.129.221) destined to an inside host (destination IP: 172.24.250.100) to TCP/22 or TCP/23.</P><P></P><P>!</P><P>access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable</P><P>access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet log disable</P><P>!</P><P>!</P><P>service reset no-connection</P><P>!</P><P>class-map CONNS_TIMEOUT_TEST_CMAP</P><P> match access-list CONNS_TIMEOUT_TEST_ACL</P><P>!</P><P>policy-map CONNS_TIMEOUT_TEST_PMAP</P><P> class CONNS_TIMEOUT_TEST_CMAP</P><P> set connection timeout tcp 0:05:00 reset</P><P></P><P>!</P><P>icmp permit TESTNET_172.24.250.0 255.255.255.0 TESTNET_172.24.250.0/24</P><P>access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 255.255.255.0 any log disable</P><P>!</P><P>object-group service TEST_OBJECT_GR tcp</P><P> port-object eq ssh</P><P> port-object eq telnet</P><P>access-list outside_access_in extended permit tcp host 172.16.129.221 host 172.24.250.100 object-group TEST_OBJECT_GR log disable</P><P>!</P><P>!</P><P>service-policy CONNS_TIMEOUT_TEST_PMAP interface outside</P><P>!</P><P></P><P>We are planning to upgrade the latest FWSM v4 software verion, because it seem to be a bug. Could anybody help me to solve this problem? </P><P>Any feedback would be appreciated! Thanks in advance! Belabacsi</P><P></P> Mon, 11 Mar 2019 16:04:51 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285548#M858279 Bela Mareczky 2019-03-11T16:04:51Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285549#M858280 <HTML><HEAD></HEAD><BODY><P>News: We have updated to the latest FWSM software version: v4.0(6) but the problem still exists.</P><P></P><P>I have tested the configuration using ASA software version v8.2.1 (above configuration + TCP state bypass global map) and sending TCP reset is OK with ASA!</P><P></P><P>Any idea? Maybe FWSM bug?</P><P></P><P>Any feedback would be appreciated! Thanks in advance! Belabacsi </P></BODY></HTML> Mon, 17 Aug 2009 07:29:10 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285549#M858280 Bela Mareczky 2009-08-17T07:29:10Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285550#M858281 <HTML><HEAD></HEAD><BODY><P>The URL below provides a sample configuration for PIX 7.1(1) and later of a timeout that is specific to a particular application such as SSH/Telnet/HTTP, as opposed to one that applies to all applications. This configuration example uses the new Modular Policy Framework introduced in PIX 7.0. This feature is not applicable in an IPsec VPN environment.</P><P></P><P>In this sample configuration, the PIX Firewall is configured to allow the workstation (10.77.241.129) to Telnet/SSH/HTTP to the remote server (10.1.1.1) behind the router. A separate connection timeout to Telnet/SSH/HTTP traffic is also configured. All other TCP traffic continues to have the normal connection timeout value associated with timeout conn 1:00:00.</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml</A></P><P></P><P></P></BODY></HTML> Mon, 17 Aug 2009 18:30:37 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285550#M858281 vmoopeung 2009-08-17T18:30:37Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285551#M858282 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I'm looking at this issue, once the TAC case has been resolved I'll let you know.</P><P><SPAN>Any further updates are welcome on </SPAN><A class="jive-link-email-small" href="mailto:amakovec@cisco.com">amakovec@cisco.com</A><SPAN>.</SPAN></P></BODY></HTML> Tue, 19 Oct 2010 14:43:58 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285551#M858282 Adam Makovecz 2010-10-19T14:43:58Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285552#M858283 <HTML><HEAD></HEAD><BODY><P>We are still investigating on the fix for this issue. It is more like a design question now. Soon we have some infos what we can share.</P></BODY></HTML> Wed, 27 Oct 2010 08:13:37 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285552#M858283 Adam Makovecz 2010-10-27T08:13:37Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285553#M858284 <HTML><HEAD></HEAD><BODY><P>Dear Adam!</P><P></P><P>Thanks for the info! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Regards</P><P></P><P>Belabacsi</P><P>Budapest, Hungary</P></BODY></HTML> Wed, 27 Oct 2010 08:30:18 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285553#M858284 Bela Mareczky 2010-10-27T08:30:18Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285554#M858285 <HTML><HEAD></HEAD><BODY><P> Hi Adam - Is there any update after this..? We are also facing same kind of strange REST-I issue in our FWSM Firewalls.</P><P></P><P>Regards...KSA</P></BODY></HTML> Thu, 04 Aug 2011 10:45:55 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285554#M858285 santosh.madaiah 2011-08-04T10:45:55Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285555#M858286 <HTML><HEAD></HEAD><BODY><P>Dear Bélabá! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Született-e már megoldás a fentebb vázolt problémára.</P><P></P><P>Egy kis RST nekünk is kellene a ritkábban használt TCP kapcsolatoknál!</P><P></P><P>Üdv,</P></BODY></HTML> Fri, 23 Sep 2011 13:17:54 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285555#M858286 KAROLY KOHEGYI 2011-09-23T13:17:54Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285556#M858287 <HTML><HEAD></HEAD><BODY><P>Dear Károly! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Sajnos jelen állapotában az FWSM továbbra sem küld TCP-RESET-et, számunka is nagyon hiányzik ennek lehetősége. (Jelenleg v4.1(6) verziót használunk.) Arról nincs információm, hogy az ASASM megjelenése az FWSM-es fejlesztéseket hogy fogja befolyásolni, de remélem hamarosan implementálásra kerül a funkció <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Üdvözlettel:</P><P></P><P>Bélabá</P></BODY></HTML> Mon, 10 Oct 2011 11:48:46 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285556#M858287 Bela Mareczky 2011-10-10T11:48:46Z https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285557#M858288 <HTML><HEAD></HEAD><BODY><P>Thank you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Mon, 10 Oct 2011 11:54:35 GMT https://community.cisco.com/t5/network-security/fwsm-tcp-reset-problem/m-p/1285557#M858288 KAROLY KOHEGYI 2011-10-10T11:54:35Z