02-26-2014 06:06 AM - edited 03-11-2019 08:50 PM
Dear all,
Accidentally I have discovered that the idle timeout on the ASA does not always work as I expected.
Can somebody explain to me why I can see something like this (addresses changed, but the time info remained)?
UDP outside:192.168.1.1/43501 inside:192.168.0.102/16327,
flags -, idle 8D14h, uptime 257D3h, timeout 2m0s, bytes 19
I always thought that after the idle timer reaches the timeout, the connection is cleared.
I can find this behaviour on 8.4.3 and 8.4.6 (other releases not tested).
Do you have any command to list such connections? I mean where idle is greater than something (e.g.
sh local-host connection udp 500 - lists all hosts with more than 500 UDP connections).
Thank you very much.
Pavel
02-26-2014 06:41 AM
Hi,
We have an ASA running 8.4(6) that I just noticed had a few connections that have been idle for 16 days straight. This seems to be only for the UDP connections that I have seen so far in the firewall that I am looking at.
Here is partial output from one connection:
flags -, idle 13D7h, uptime 13D7h, timeout 2m0s, bytes 19
So pretty much same as yours.
I would have to say that this is some bug.
I could not find any matching bug yet, but there have been a couple of discussions where the situation has been the same, but there have been no updates on those discussions.
I am not really sure if the ASA has any options to look for connections based on their idle/uptime timers.
I guess you would have to resort to some kind of combination of "show" commands and the use of regex.
- Jouni
02-27-2014 12:32 AM
Hi,
I think it's a bug also.
I also do something like this: sh conn all | ex idle [0]:
BUT, when I find such a connection I have to delete it manually one by one, which is annoying. I was wondering if someone knows of, e.g., an undocumented command for such a purpose (delete all connections idle longer than a threshold).
Anyway, thanks for the response.
Pavel
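Since the thread finds no built-in way to list or clear connections by idle time, here is an added example (not from the original posts or from Cisco) that does the filtering off-box: it parses the two-line "show conn" entries in the format quoted above, converts the idle and timeout timers to seconds, picks out connections whose idle time exceeds their own timeout (the symptom in this thread) or a threshold you choose, and prints one "clear conn" command per stale connection. The sample output is constructed and modelled on the lines quoted in the thread; the "clear conn protocol ... address ... port ... address ... port" syntax is assumed from the 8.4 command reference and should be checked against your release before pasting the generated commands. IPv6 addresses are not handled.

```python
import re

# Constructed sample, modelled on the two-line "show conn" entries quoted in
# the thread (addresses and most values made up; not captured from a device).
SAMPLE_SHOW_CONN = """\
UDP outside:192.168.1.1/43501 inside:192.168.0.102/16327,
    flags -, idle 8D14h, uptime 257D3h, timeout 2m0s, bytes 19
UDP outside:192.168.1.1/53 inside:192.168.0.55/40000,
    flags -, idle 0:00:04, uptime 0:01:10, timeout 2m0s, bytes 120
TCP outside:192.168.1.20/443 inside:192.168.0.10/51234,
    flags UIO, idle 0:20:00, uptime 3h12m, timeout 1h0m, bytes 4521
UDP outside:192.168.1.1/43501 inside:192.168.0.103/16327,
    flags -, idle 13D7h, uptime 13D7h, timeout 2m0s, bytes 19
"""

_UNIT_SECONDS = {"D": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert an ASA timer string to seconds.

    Handles both forms the ASA prints: H:MM:SS for short timers and the
    unit form (8D14h, 13D7h, 1h0m, 2m0s) for longer ones.
    """
    text = text.strip()
    if ":" in text:
        hours, minutes, seconds = (int(p) for p in text.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([Dhms])", text))


# First line: "UDP outside:192.168.1.1/43501 inside:192.168.0.102/16327,"
_HEADER = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"\s+(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+),?$"
)
# Second line: "flags -, idle 8D14h, uptime 257D3h, timeout 2m0s, bytes 19"
_DETAIL = re.compile(
    r"flags\s+(?P<flags>[^,]+),.*?idle\s+(?P<idle>[^,]+),.*?timeout\s+(?P<timeout>[^,]+)"
)


def parse_show_conn(text):
    """Pair each connection header line with its detail line; return dicts."""
    conns = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for first, second in zip(lines, lines[1:]):
        head = _HEADER.match(first)
        detail = _DETAIL.search(second)
        if not (head and detail):
            continue  # not a header/detail pair, skip
        conn = head.groupdict()
        conn["flags"] = detail["flags"].strip()
        conn["idle"] = parse_duration(detail["idle"])
        conn["timeout"] = parse_duration(detail["timeout"])
        conns.append(conn)
    return conns


def stale_connections(conns, min_idle=None):
    """Connections whose idle time exceeds their own timeout (the thread's
    symptom), or exceeds min_idle seconds when a threshold is given."""
    if min_idle is None:
        return [c for c in conns if c["idle"] > c["timeout"]]
    return [c for c in conns if c["idle"] > min_idle]


def clear_conn_command(conn):
    """Build a per-connection 'clear conn' command. Assumed 8.4 syntax:
    protocol, then source address/port, then destination address/port.
    Verify against your release before pasting."""
    return (f"clear conn protocol {conn['proto'].lower()} "
            f"address {conn['src_ip']} port {conn['src_port']} "
            f"address {conn['dst_ip']} port {conn['dst_port']}")


if __name__ == "__main__":
    # Paste real "show conn detail" output in place of SAMPLE_SHOW_CONN.
    for conn in stale_connections(parse_show_conn(SAMPLE_SHOW_CONN)):
        print(f"# idle {conn['idle']}s > timeout {conn['timeout']}s, flags {conn['flags']}")
        print(clear_conn_command(conn))
```

Run against a saved "show conn detail" capture and review the printed commands before pasting them into the ASA; passing a threshold such as stale_connections(conns, min_idle=10 * 86400) narrows the list to connections idle longer than ten days, which is the "idle greater than something" filter asked for above.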