ASA - how to reset connection outside of allowed timeframe

Michal Bruncko
Level 4

We are using Cisco ASA 9.12 with a time-based ACL. It works well for new connections outside of the allowed time window, which are blocked. But the ASA keeps connections initiated during the allowed time frame open even after the allowed time frame has ended. Is there any way to instruct/force the ASA to close a connection once the allowed time window is over?

thanks

13 Replies

"You cannot create time-based rules that have the exact same protocol, source, destination, and service criteria of a rule that does not include a time range object. The non-time-based rule always overrides the duplicate time-based rule, as they are redundant."

Read this note from Cisco.

This is not relevant to my case. I have an allowing rule which applies within a specific time frame. There is no other redundant rule in place. If this time-based rule is not active (out of its time frame), then the explicit deny-any rule at the end of the rulebase matches.

But again, a connection established during the allowed time frame keeps being active even when this time frame is over. The firewall did not drop this connection. The only way to drop it is to restart the application on the client PC or reboot the client PC itself, which I wanted to avoid...

Ok, is this traffic UDP?

It is a TCP-based connection.

How does your rule base look?

Try using:

absolute [start time date] [end time date]

BB


I cannot use the absolute statement as the time frame is recurring (all weekends). It will be impossible to define that with the "absolute" keyword.

access-list inside_access_in line 32 extended permit ip object host_x_y_z_w object-group internet log informational interval 300 time-range weekends (hitcnt=26) (inactive) 0xddacbc68
  access-list inside_access_in line 32 extended permit ip host x.y.z.w(2147549209) v4-object-group internet(2147483678) log informational interval 300 time-range weekends (hitcnt=26) (inactive) 0xa365d8cc

As I can see, the firewall is properly evaluating the fact that it is not the weekend now, which resulted in the rule state being "inactive".

But I assume that because of the firewall's stateful behaviour, only the TCP 3WHS is processed by the CPU/rulebase, and once it is considered an allowed connection, it is stored in the connection state database and the traffic no longer passes through the rulebase/CPU. Therefore there is no way to drop/deny the connection. I am wondering if this can somehow be overridden, or maybe it is a bug?


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113051-asa83x-mpf-config-00.pdf


After the first packet is permitted by the ACL, the conn table builds an entry, and this entry has the default timeout.
Packets after that will not hit the ACL; they bypass it since the flow is found in the conn table.
So we will reduce the conn timeout and force the ASA to remove the entry and hit the ACL (which is time-based), and hence the connection ends.

Please use the ACL to only include this TCP traffic.

Thank you, this sounds promising, but it relies on the connection stream being idle for at least a certain (defined timeout) period of time. Please consider that the client is a CCTV camera with a continuous video stream.

Yes, I have tested this just now and set the timeout to a single (one) second for that particular connection outside of weekends (i.e. the negation of my time-based rule), but the connection hasn't been dropped at all. I simply need to force a TCP reset of that connection regardless of the timeout...

Can I see the config for both the timed ACL and the TCP conn timeout?

class-map drop-cctv-oobh
 match access-list global_mpc_1

policy-map global_policy
 class inspection_default
  inspect xyz
 class drop-cctv-oobh
  set connection timeout idle 0:00:01 reset

time-range weekdays
 periodic weekdays 0:00 to 23:59

time-range weekends
 periodic weekend 0:00 to 23:59

access-list inside_in extended permit ip object host_x_y_z_w object-group internet log time-range weekends

access-list global_mpc_1 extended permit ip object host_x_y_z_w object-group internet time-range weekdays

Why do you config the time-based ACL for MPF?

Config the extended ACL as not time-based, since NOW is weekdays, not weekends, and the timed ACL is not hit.

I have no idea what you mean with MRF.

Maybe this is a misunderstanding. Consider it this way:

  • my inside_in ACE is not working now because of the "weekends" time statement
  • therefore I have allowed my TCP video connection with a temporary ACE (for the purpose of this test), which I closed once the connection was established to simulate the "weekends" time frame
  • the TCP connection is open (I see the hit in the log viewer, I see video)
  • the test ACE is disabled (i.e. no real ACE in place which would permit this TCP connection now)
  • then I would expect the global_mpc_1 ACL to match my connection as it is within "weekdays" (now)
  • and in case the connection hits the >1s idle timeout, it will be forcibly closed by sending a TCP RST

But again, the TCP connection stays open all the time because it will never hit the >1s idle timeout condition, as it is a continuous video stream.
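The conn-table behaviour discussed above (the ACL is consulted only for the first packet of a flow, later packets bypass it via the conn table, and an MPF idle-timeout reset only fires once the flow is idle) as an added Python model; this is not part of the original thread or of Cisco's code, and the flow name, timestamps and the fixed weekend time-range are constructed assumptions:

```python
# Model of the stateful ASA behaviour described in the thread (added example, not ASA code).
# Rules modelled: the ACL is evaluated only for the first packet of a flow; a permitted flow
# gets a conn-table entry; later packets bypass the ACL while the entry exists; the entry is
# torn down (with a RST, like "set connection timeout idle ... reset") only after the flow has
# been idle longer than its idle timeout. A continuous stream therefore never expires.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Conn:
    last_seen: datetime
    idle_timeout: timedelta


def weekend_ace_active(ts: datetime) -> bool:
    """time-range weekends: periodic weekend 0:00 to 23:59 (Saturday or Sunday)."""
    return ts.weekday() >= 5


class AsaModel:
    def __init__(self, idle_timeout: timedelta):
        self.idle_timeout = idle_timeout      # e.g. MPF "set connection timeout idle 0:00:01 reset"
        self.conns: dict[str, Conn] = {}      # flow key -> conn-table entry

    def packet(self, flow: str, ts: datetime) -> str:
        conn = self.conns.get(flow)
        if conn is not None:
            if ts - conn.last_seen <= conn.idle_timeout:
                conn.last_seen = ts           # refresh the entry; the ACL is never re-checked
                return "CONN_TABLE"
            del self.conns[flow]              # idle too long: entry removed, RST sent
            return "RST_THEN_" + self.packet(flow, ts)   # packet is now a new flow, hits ACL
        if weekend_ace_active(ts):
            self.conns[flow] = Conn(ts, self.idle_timeout)
            return "ACL_PERMIT"
        return "ACL_DENY"


def run(stream, idle_timeout=timedelta(seconds=1)):
    asa = AsaModel(idle_timeout)
    return [asa.packet("cam->internet", ts) for ts in stream]


# Constructed timelines: 2024-01-07 is a Sunday, so the window closes at the next midnight.
START = datetime(2024, 1, 7, 23, 59, 59)

def continuous_stream(n=6, step=0.5):     # camera sends every 0.5 s across the boundary
    return [START + timedelta(seconds=i * step) for i in range(n)]

def gapped_stream():                      # same flow but with a 4 s pause on Monday
    return continuous_stream(3) + [START + timedelta(seconds=5)]

def weekday_new_connection():             # brand-new flow on Monday morning
    return run([datetime(2024, 1, 8, 9, 0)])
```

Only the gapped stream is reset and then denied; the continuous one stays in the conn table across the window boundary, which is the symptom the thread describes.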

Now I fully understand the issue.
A TCP continuous video stream will never be idle, and hence even MPF cannot be used.
The only thing remaining in my mind is the xlate timeout for only this traffic, but I am not 100% sure this method will work as we want.
Let me check this solution; if I get something I will send it to you.
