My company has a DCS network that was previously segregated with a layer 3 switch and a handful of access lists. However, there came this big push to segregate all DCS networks with Firewalls, so I purchased a 5505 and duplicated my simple access lists on the firewall and everything worked. There is no NAT, just explicitly permitted traffic out and explicitly permitted traffic in. However, there are some applications that connect and work fine for a few hours, then disconnect and the user must exit out of the application and go back into it, then it starts working again. Previously with the Layer 3 Switch/access lists, this never happened. Since I put the firewall in place, it has happened 3 to 4 times a day every day for the last week.
First you could check the ASA syslog messages to see what reason it gives for terminating the connections. Or perhaps you have already done this on the basis of the topic?
You could check the output of command "show run timeout"
If they are on default values I guess you can consider increasing the "timeout" values for "xlate" and "conn"
Perhaps something like
timeout xlate 4:00:00
timeout conn 4:00:00
Or even more if you want.
Whether these global timeout configurations have a negative effect on the firewall performance depends on the number of hosts behind the firewall and the number of connections they generate through the firewall.
Deny TCP (Source PC ip address) --> (Destination ip address)/5450
For which there is an explicit allow rule specifying - TCP source subnet to destination IP address on TCP port 5450.
If the user exits the program and re-opens it, I can see the exact same source IP address - destination IP address/5450 allow in the syslog.
There are less than 20 hosts behind the firewall and roughly 20 hosts outside the firewall accessing resources. I have increased the timeout settings, I will try it for 24 hours and see what they say tomorrow.
Does the Syslog message say anything about TCP Flags?
If you have a rule that allows the connections, and furthermore if the TCP connections have formed at some point, then a Deny TCP message which mentions flags usually refers to a situation where the ASA has already torn down a TCP connection and some host is still sending data related to that TCP connection, which doesn't exist on the ASA anymore and therefore gets blocked.
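Added example, not from this thread: a small parser that reads ASA syslog and ties each "Deny TCP (no connection) ... flags ..." message (ASA message ID 106015) back to an earlier "Teardown TCP connection" message (ID 302014) for the same pair of endpoints, so you can tell a stale session killed by the idle timer apart from a deny that has no teardown behind it. The log lines below are constructed for illustration, including the teardown reason text; the message IDs and field layout are the ASA's, but check the exact reason wording against your own syslog.

```python
import re
from collections import namedtuple

# Constructed sample syslog (not real captures): a permitted session to
# tcp/5450 is torn down after an hour idle, then the client's next segment
# on the same 5-tuple is denied because the conn-table entry is gone. The
# last line is a deny with no matching teardown, for contrast.
SAMPLE_LOG = """\
Feb 10 2013 09:12:03 fw1 %ASA-6-302013: Built inbound TCP connection 41827 for outside:10.20.1.15/51744 (10.20.1.15/51744) to inside:10.10.5.8/5450 (10.10.5.8/5450)
Feb 10 2013 10:12:05 fw1 %ASA-6-302014: Teardown TCP connection 41827 for outside:10.20.1.15/51744 to inside:10.10.5.8/5450 duration 1:00:02 bytes 8120 Idle Timeout
Feb 10 2013 10:40:31 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.20.1.15/51744 to 10.10.5.8/5450 flags PSH ACK  on interface outside
Feb 10 2013 10:41:02 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.20.1.99/40022 to 10.10.5.8/5450 flags ACK  on interface outside
"""

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) ?(?P<reason>.*)$")
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) +on interface (?P<iface>\w+)")

# One record per deny: the raw line, its TCP flags, and the reason of the
# earlier teardown for the same endpoints (None if there was none).
Finding = namedtuple("Finding", "line flags reason")


def classify_denies(log_text):
    """Walk the log in order, remember why each connection was torn down,
    and attach that reason to any later 106015 deny for the same endpoints."""
    torn_down = {}   # frozenset({(ip, port), (ip, port)}) -> teardown reason
    findings = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            key = frozenset([(m["ip_a"], m["port_a"]), (m["ip_b"], m["port_b"])])
            torn_down[key] = m["reason"].strip()
            continue
        m = DENY_RE.search(line)
        if m:
            key = frozenset([(m["src"], m["sport"]), (m["dst"], m["dport"])])
            findings.append(Finding(line, m["flags"].strip(), torn_down.get(key)))
    return findings


def stale_session_denies(log_text):
    """Denies that look like the thread's symptom: a mid-stream segment
    (ACK set, no SYN) arriving after the ASA timed the connection out."""
    return [f for f in classify_denies(log_text)
            if "ACK" in f.flags.split() and f.reason and "timeout" in f.reason.lower()]


if __name__ == "__main__":
    for f in classify_denies(SAMPLE_LOG):
        print(f"flags={f.flags!r:12} prior teardown={f.reason!r}")
    print("stale-session denies:", len(stale_session_denies(SAMPLE_LOG)))
```

Run it against a real syslog export instead of SAMPLE_LOG; if most of the 5450 denies come back with a timeout reason attached, the idle timer is what is cutting the application off, and the "show run timeout" values or an application keep-alive are where to look next.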
It is because the L3 switch/access list is NOT stateful (i.e. it does not keep track of the connection in a table, whereas the firewall does).
- Workaround: enable TCP keep-alive between the client and application server. That will "fool" the firewall into refreshing the connection with a new timer. For example, let's say the connection timeout is set to 60 minutes. If you configure the application to send a keep-alive every 10 minutes, that means every 10 minutes the connection table entry in the ASA firewall will be refreshed to 60 minutes until the connection is gracefully closed.
This keep-alive is very common when you have a database connection across the firewall that runs a simple query which might take up to 90 minutes to complete, but the connection table is set to expire at 60 minutes. By using keep-alive, it ensures that the connection will not be terminated prematurely.
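Added example, not from this thread: the two fixes discussed above side by side in code. enable_keepalive is a hypothetical helper that switches on OS-level TCP keep-alive probes on a socket (the option names are Linux's; other platforms are guarded), and StatefulFirewall is a toy model of a stateful conn table with an idle timeout, used to replay the 60-minute timeout / 10-minute keep-alive / 90-minute query numbers from the post. The endpoints and timings are constructed; the model is not the ASA's code.

```python
import socket


def enable_keepalive(sock, idle_s=600, interval_s=60, count=5):
    """Hypothetical helper: make the OS send keep-alive probes after idle_s
    seconds of silence, every interval_s seconds, giving up after count
    unanswered probes. Each probe is a packet the firewall sees, so the
    conn-table idle timer is refreshed while the application is quiet."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):            # Linux, newer Windows
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
    elif hasattr(socket, "TCP_KEEPALIVE"):         # macOS name for idle time
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle_s)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def keepalive_socket_ok():
    """Create a throwaway socket (nothing is connected) and report whether
    keep-alive could be enabled on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(s)
    finally:
        s.close()


class StatefulFirewall:
    """Toy model of a stateful conn table: an entry is created when the ACL
    permits the first packet and removed once it has been idle for
    conn_timeout_min minutes. Times are minutes since the session opened."""

    def __init__(self, conn_timeout_min):
        self.timeout = conn_timeout_min
        self.table = {}     # flow -> time of last packet seen on it
        self.denied = []    # (time, flow), like "Deny TCP (no connection)"

    def _expire(self, now):
        for flow, last in list(self.table.items()):
            if now - last >= self.timeout:
                del self.table[flow]

    def open(self, flow, now):
        self._expire(now)
        self.table[flow] = now

    def packet(self, flow, now):
        """A data or keep-alive segment on an already-open flow."""
        self._expire(now)
        if flow in self.table:
            self.table[flow] = now   # any activity restarts the idle timer
            return True
        self.denied.append((now, flow))
        return False


def run_scenario(conn_timeout_min, keepalive_every_min, app_quiet_min):
    """Open a flow, stay quiet at the application layer for app_quiet_min
    minutes (with keep-alives every keepalive_every_min if given), then send
    real data. Returns True if that data gets through the firewall."""
    fw = StatefulFirewall(conn_timeout_min)
    flow = ("10.20.1.15", 51744, "10.10.5.8", 5450)   # constructed endpoints
    fw.open(flow, 0)
    if keepalive_every_min:
        t = keepalive_every_min
        while t < app_quiet_min:
            fw.packet(flow, t)
            t += keepalive_every_min
    return fw.packet(flow, app_quiet_min)


if __name__ == "__main__":
    print("60 min timeout, no keep-alive, 90 min quiet:", run_scenario(60, None, 90))
    print("60 min timeout, keep-alive every 10 min:    ", run_scenario(60, 10, 90))
    print("240 min timeout, no keep-alive:             ", run_scenario(240, None, 90))
    print("keep-alive enabled on a local socket:       ", keepalive_socket_ok())
```

The model makes the constraint explicit: the keep-alive interval has to be shorter than the conn timeout (a 60-minute probe against a 60-minute timer arrives one tick too late and is itself denied), and raising "timeout conn" as suggested earlier in the thread works by the same mechanism, just from the firewall side instead of the application side.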