03-18-2013 05:06 AM - edited 03-11-2019 06:15 PM
Hi.
We have a quite new setup with ASA 5545-X and using it for WAN-firewalling to protect our Datacenter from the rest of our organization.
We have had trouble with specific Oracle-traffic from one site that gets broken down after 1 hour of idle time in the client-application.
What I would like to do is to raise the Timeout-value to 8 hours for traffic to that specific Oracle host from the problematic site.
The Oracle host has this "fake" IP 192.168.101.100 (Destination_Host)
And the site with problem has this "fake" IP-network: 192.168.102.0/24 (Source_Network)
The source and destination are on different interfaces.
Could anyone advise me on what's wrong in this configuration?
Because when I run a Packet Trace in ASDM it doesn't show any trace of hitting this specific Class (Specific_Host_Traffic) and corresponding Class-Map. The config is made from ASDM.
Thanks!
/Gustaf
object network Source_Network
subnet 192.168.102.0 255.255.255.0
object network Destination_Host
host 192.168.101.100
<multiple access-lists>
access-list global_mpc extended permit ip object Source_Network object Destination_Host
class-map inspection-default
class-map Specific_Host_Traffic
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
class-map netflow
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global-policy
policy-map global_policy
class Specific_Host_Traffic
set connection timeout idle 8:00:00
class inspection_default
inspect dcerpc
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class class-default
set connection decrement-ttl
!
service-policy global_policy global
Message was edited by: Morten Sandholdt
03-18-2013 01:17 PM
Can you try to create a specific Access-list only for this traffic? Get it out of the "global_mpc" group.
Do a "show local X.X.X.X" where X.X.X.X is the internal IP of the host from the internal network and confirm that it is connecting to 192.168.101.100.
03-18-2013 03:16 PM
What do you mean by "try to create a specific Access-list only for this traffic? Get it out of the "global_mpc" group"?
I did it through ASDM so I'm not a master in CLI.
I did see the traffic being built and also getting torn down in the Logs. So I'm convinced it's the correct addresses.
Any other ideas?
/Gustaf
03-18-2013 05:55 PM
I mean that we can create a unique set of Access-lists just for the traffic we want to match.
[first and only rule]
access-list IDLE-T extended permit ip object Source_Network object Destination_Host
class-map Specific_Host_Traffic
match access-list IDLE-T
policy-map global_policy
class Specific_Host_Traffic
set connection timeout idle 8:00:00
Can you still share the output of the "show local X.X.X.X details" command? It can be used to confirm the values we are configuring.
03-19-2013 12:43 AM
Hi again.
Just wanted to inform that we don't have any other rules/ACLs/ACEs for global_mpc.
We haven't used it before so it's just that rule above. Nothing more.
/Gustaf
03-19-2013 12:40 AM
Hi. Thanks for the replies.
Haven't had the possibility to change the ACL yet. Will do tonight.
Here is an output from show local with the current config:
Result of the command: "show local 192.168.102.7 detail"
Interface WAN-MPLS-Links: 1962 active, 3253 maximum active, 0 denied
local host: <192.168.102.7>,
TCP flow count/limit = 13/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited
Conn:
TCP WAN-MPLS-Links: 192.168.102.7/63799 WAN-L2-R5-Links: 192.168.101.100/1526,
flags UIOB , idle 25m20s, uptime 25m21s, timeout 1h0m, bytes 4452
TCP WAN-MPLS-Links: 192.168.102.7/63795 WAN-L2-R5-Links: 192.168.101.100/1526,
flags UIOB , idle 3m14s, uptime 25m38s, timeout 1h0m, bytes 367567
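As an added check that is not part of the thread, the following Python script parses "show local X.X.X.X detail" output like the one above and flags connections to the Oracle host whose idle timeout differs from the value the policy is meant to set (8h here). The sample output is re-typed from the post as constructed input; the expected-timeout value is an assumption taken from the policy-map in the first post.

```python
import re
from datetime import timedelta

# Constructed sample: the conn lines from the "show local 192.168.102.7 detail"
# output posted in the thread, used here as test input for the parser.
SAMPLE_SHOW_LOCAL = """\
Interface WAN-MPLS-Links: 1962 active, 3253 maximum active, 0 denied
local host: <192.168.102.7>,
TCP flow count/limit = 13/unlimited
Conn:
TCP WAN-MPLS-Links: 192.168.102.7/63799 WAN-L2-R5-Links: 192.168.101.100/1526,
flags UIOB , idle 25m20s, uptime 25m21s, timeout 1h0m, bytes 4452
TCP WAN-MPLS-Links: 192.168.102.7/63795 WAN-L2-R5-Links: 192.168.101.100/1526,
flags UIOB , idle 3m14s, uptime 25m38s, timeout 1h0m, bytes 367567
"""

# First line of a conn entry: protocol, ingress interface/src, egress interface/dst.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<in_if>\S+):\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+"
    r"(?P<out_if>\S+):\s+(?P<dst>[\d.]+)/(?P<dport>\d+),?\s*$"
)
# Second line of a conn entry: flags, idle, uptime, timeout, bytes.
DETAIL_RE = re.compile(
    r"flags\s+(?P<flags>\S+)\s*,\s*idle\s+(?P<idle>\S+),\s*uptime\s+(?P<uptime>\S+),"
    r"\s*timeout\s+(?P<timeout>\S+),\s*bytes\s+(?P<bytes>\d+)"
)
DUR_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

def parse_duration(text):
    """Convert ASA durations such as '1h0m' or '25m20s' to a timedelta."""
    m = DUR_RE.fullmatch(text)
    if not m or not text:
        raise ValueError(f"unrecognised duration: {text!r}")
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)

def parse_conns(output):
    """Return one dict per connection found in 'show local ... detail' output."""
    conns, pending = [], None
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            pending = m.groupdict()          # wait for the matching detail line
            continue
        m = DETAIL_RE.search(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            pending["timeout"] = parse_duration(pending["timeout"])
            conns.append(pending)
            pending = None
    return conns

def conns_with_wrong_timeout(output, dst_host, expected):
    """Conns to dst_host whose idle timeout is not the value the policy should apply."""
    return [c for c in parse_conns(output)
            if c["dst"] == dst_host and c["timeout"] != expected]
```

Both connections in the sample still carry the default 1h timeout, which is the symptom the thread is chasing; after the policy is re-applied and the conns cleared, a fresh "show local" run through this check should return an empty list.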
03-19-2013 07:35 PM
One more thing,
Mind posting the output of the "show service-policy" command from the unit?
The configuration as it is should work and the output of the "show local" command should be showing 8 hrs instead of 1.
03-21-2013 11:51 PM
Hi.
Here is the output from "show service-policy":
Result of the command: "sh service-policy"
Global policy:
Service-policy: global_policy
Class-map: Oracle-DK09
Set connection policy: drop 0
Set connection timeout policy:
idle 8:00:00
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
Class-map: inspection_default
Inspect: dcerpc, packet 8557686, lock fail 0, drop 1511, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: ftp, packet 385738, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 4, lock fail 0, drop 0, reset-drop 1, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 133
Inspect: h323 ras _default_h323_map, packet 3, lock fail 0, drop 3, reset-drop 0, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sip , packet 884, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 20344251, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sunrpc, packet 166, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 1020838, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Class-map: class-default
Default Queueing Set connection policy: drop 0
Set connection decrement-ttl
/Gustaf
03-22-2013 04:19 PM
Ok, it just looks like it is not matching the class-map we created for it.
Try this:
Let's remove the policy-map and apply it again.
no service-policy global_policy global
service-policy global_policy global
Then, let's clear all the connections going to "192.168.101.100".
"Clear local 192.168.101.100"
That should do it.
03-24-2013 03:45 PM
Hi again.
Ok, I will test that. So if I run
no service-policy global_policy global
there is no risk that the configurations regarding the service-policies get removed?
I run version 9.1.1.
Just want to be sure.
/Gustaf
03-24-2013 03:49 PM
The configurations will remain, they just won't be applied to the traffic while the command is off.
Won't cause any problems, it might actually fix'em.
04-01-2013 11:51 PM
Hi jocamare!
Big Thanks!
After
no service-policy global_policy global
service-policy global_policy global
Clear local 192.168.101.100
It Works!
03-18-2013 03:23 PM
Morten,
Can you do a second ACL in the opposite way?
access-list global_mpc extended permit ip object Destination_Host object Source_Network
If possible, please also share the logs.
Regards,
Juan Lombana
Please rate helpful posts.