Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3463
Views
0
Helpful
12
Replies

ASA5505 and tcp connections drops.?

j-tagesson
Level 1
Level 1

‎06-10-2010 07:19 AM - edited ‎03-11-2019 10:57 AM

Hi there. I have a strange issue.

I have a ASA 5505 with some clients behind it who connects to an offsite database.

They run the application all day, but for longer periods of times, ie 1-2 hours they are idle in the application.

When they start using the application again they get messaages that they have been disconnected from the databse or they get an unresponsive

applications for like 5-10 minutes beforeit starts to function again.

To solve this I thought I increase the tcp timeout so I did, for the client server traffic. Now it's set to 4 hrs.

BUT I still get the error.??

Has anyone got a clue what could cause this ?

Regards Joel

Labels:
0 Helpful
12 Replies 12

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-10-2010 07:22 AM

Hi,

Isn't the application itself where the're getting disconnected at?

I don't think they are being disconnected by the ASA if you increased the TCP timeout.

Do you know if the PING works all the time (even when they are disconnected)?

I just want to know if the issue is that the connection is being torn down by the ASA or that the application itself disconnects the users after an idle period.


Federico.

0 Helpful

j-tagesson
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-10-2010 07:37 AM

Good thinking.

I was thinking that my new 4 hrs tcp timeout sh conn would work as proof that It's not the ASA firewall.

Meanwhile the server guys put a client outside the firewall...

And that client haven't had the disconnect issue..

So I guess the problem came right back at us. :-)


Ping works all the time btw.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to j-tagesson

‎06-10-2010 07:43 AM

mmm...

If the ASA is causing the problem, then it should show in the logs.

Can you post the logs?

Federico.

0 Helpful

j-tagesson
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-10-2010 07:56 AM

Here's where it's getting tricky.. I can't seem to find anything in the logs. I have set up a syslog server but either I have set up the logging wrong or

it doesn't show any error..

For instance, I get  local1.warning and local1.notice but I can't find any errors regarding this communication

Here's my logging: (attatched file)

Am I doing something wrong ?

Also, I have logging informational on the rule with the traffic from client to server.

Preview file
15 KB
0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to j-tagesson

‎06-10-2010 08:29 AM

You're not getting any logs on the syslog server?

Can you change it to level debugging?

Federico.

0 Helpful

j-tagesson
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-11-2010 12:12 AM

Sorry. I'm getting logs to syslog , jut not anything interesting with the ipadresses that I've specified.

I can change it to debugging and se if anything happends..

0 Helpful

j-tagesson
Level 1
Level 1
In response to j-tagesson

‎06-11-2010 12:45 AM

I found out that I had to enable 106100 messages which by default didn't get logged to syslog.. Now I'm getting my traffic sent to the syslog server.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to j-tagesson

‎06-11-2010 09:13 AM

Great!

Can you see if you're getting logs related to this connection?

Federico.

0 Helpful

rcordeiro
Level 1
Level 1

‎07-08-2010 02:56 AM

Hi,

Did you solve this? I'm having the same problem.

Regards

0 Helpful

Michichael
Level 1
Level 1
In response to rcordeiro

‎07-29-2010 04:53 PM

Same problem on my end. Only thing I can see is when the connection drops, I get this logged:

6    Jul 29 2010    16:47:56    302014    99.100.154.220    3389    10.20.12.214    9261    Teardown TCP connection 49927 for outside:99.100.154.220/3389 to inside:10.20.12.214/9261 duration 0:13:39 bytes 3083949 TCP Reset-I

that's the only indicator I have of anything going wrong on this, and that's when it drops.

My configuration is all but virgin - no funky ACL's - just base implied allows

0 Helpful

rcordeiro
Level 1
Level 1
In response to Michichael

‎07-30-2010 02:17 AM

Hi,

My problem was with connections to a database, if the connections reached the idle limit the firewall closes the connection and next time someone did something on the appliacation.

I solved this creating a "Service Application Rule" with a ACL to the interesting traffic and defining 5 hours for the connection timeout (if someone leave the application idle for more than 5 hour it could easily restart it).

Regards,

Rui Cordeiro

0 Helpful

Michichael
Level 1
Level 1
In response to rcordeiro

‎07-30-2010 08:54 AM 

rcordeiro wrote:
Hi,
My problem was with connections to a database, if the connections reached the idle limit the firewall closes the connection and next time someone did something on the appliacation.
I solved this creating a "Service Application Rule" with a ACL to the interesting traffic and defining 5 hours for the connection timeout (if someone leave the application idle for more than 5 hour it could easily restart it).
Regards,
Rui Cordeiro

Thanks for the info Rui, unfortunately, I don't think this is the case here. I'll have to keep looking.

This problem happens randomly - download a youtube video and it will just stop at a random point and you have to refresh the page. Do so and it might work, or might stop at a different point.

Remote desktop to my home server, same thing.

The connections die with a RESET-I logged, but I don't see any reason for the reset.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card