05-18-2013 11:46 AM - edited 03-11-2019 06:45 PM
I have an internal problem due to a third party that is causing TCP session resets to not reach my border ASA. This is causing me problems on the Internet side as these connections hang around for up to 5min, which appears to be the minimum TCP timeout allowed by an ASA for an established TCP session.
This traffic is being NATed and thus my public IP is bumping into open session limits with a remote party because of this...
Until I can correctly fix the internal issue (not under my control), is there any way I can kill off these sessions faster? When working correctly these sessions only last 15-30s and there are a lot of them, so the 5min idle timeout limit is killing me.
As far as I can tell changing dead link detection and xlate timeouts will not work since they happen AFTER the TCP idle timeout (minimum 5min).
Any IDEAS? I do have a specific set of source addresses and one specific destination IP and port involved in this issue so making an aggressive change specific to this traffic would be ideal.
05-19-2013 07:36 AM
Hi,
Well, the sessions should remain there only for the time specified by the RFC, which would be 30s, and the connection should go down with a message "SYN timeout".
With the show conn command you can see which connections are sitting idle.
With the show conn detail, you should see which TCP flags are held by that connection.
Would you be able to post one example of those TCP sessions that stay idle for 5 minutes?
Mike
05-19-2013 12:44 PM
Source and target IP obfuscated to protect the innocent. The flags are the same for each of the connections related to this issue.
TCP Outside:1.1.1.1/443 transit-Inside:10.x.x.x/2674,
flags UFRIO, idle 4m59s, uptime 5m1s, timeout 5m0s, bytes 2009
05-19-2013 11:10 PM
Hi,
Maybe you can use this document to help with this case?
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html
Or had you tried this yet?
You should be able to match certain traffic and apply different timeout rules for that traffic without affecting the global settings
I quickly configured this on my home ASA and this is the output of the "show conn long" with one TCP connection to which the new timeout is applied
TCP WAN:y.y.y.y/443 (y.y.y.y/443) WLAN:10.0.255.20/57598 (x.x.x.x/57598), flags UIO, idle 27s, uptime 28s, timeout 1m0s, bytes 5635
You are able to set the timeout even in seconds. A simple test configuration I used to match ALL traffic (which probably isn't the case in your situation)
class-map CONNS
 match any
policy-map global_policy
 class inspection_default
 class CONNS
  set connection timeout idle 0:01:00
Hope this helps
- Jouni
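One way to scope the per-traffic timeout Jouni describes to the specific sources and the single destination IP/port the original poster mentions. This is an added example written for this thread, not configuration posted by Jouni or taken from the Cisco document he links. The object-group name, the inside source addresses and the 30-second value are placeholders to tune; 1.1.1.1/443 is the obfuscated outside peer from the poster's own show conn output.

```cisco
! Added example, not from the thread: a short TCP idle timeout applied only to
! the flows that are left half-closed (flags UFRIO in the poster's output:
! outside sent FIN and it was acknowledged, inside never finished closing).
! Assumed values: HALF_CLOSED_SRC members, 1.1.1.1/443 as the peer, 30s idle.

! Inside (pre-NAT) addresses of the clients involved. The policy is evaluated
! on ingress, so the ACL sees real addresses, not the NATed public IP.
object-group network HALF_CLOSED_SRC
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0

! Match only listed sources talking to the one remote service.
access-list SHORT_IDLE extended permit tcp object-group HALF_CLOSED_SRC host 1.1.1.1 eq 443

class-map SHORT_IDLE_CONNS
 match access-list SHORT_IDLE

! Add a class to the existing global policy; inspection_default and the
! global "timeout conn" value for everything else stay as they were.
policy-map global_policy
 class SHORT_IDLE_CONNS
  set connection timeout idle 0:00:30

! Verify: the new class should appear with packet counts, and matching
! connections in "show conn long" should now report "timeout 30s".
show service-policy
show conn long
```

Because the class is keyed to an ACL rather than `match any`, the 5-minute global value still protects every other connection, and the aggressive timeout only affects the flows that are already known to hang; watching the `show service-policy` counters for this class is a quick way to confirm the ACL is actually matching before trusting that the conn table is being cleaned up.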