Cisco ASA TCP RESET

SubnetWarrior
Level 1

Hello Experts!

So I have a problem where the server sees a TCP reset flag. My customer wants to know: is there any way that the Cisco ASA resets the TCP connection?

In my understanding, the ASA will reset the connection when the TCP session is idle for 1 hour (am I correct?). Is there any possibility that the ASA resets the TCP connection?

FYI, the TCP port and the source/destination IPs are legitimate and allowed in the ASA rules.

1 Accepted Solution

Accepted Solutions

Chakshu Piplani
Cisco Employee

You are correct, the default TCP idle timeout is:

sh run | inc timeout
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

The best way to troubleshoot this will be to take a pcap on the incoming and outgoing traffic interfaces to prove whether the reset is sent by the ASA or from the backend.

Regards,

Chakshu

Hope this helps!

4 Replies

Hello sir, thanks for the enlightenment,

Unfortunately the pcap is only on one server, and there is none on the far-end server.

So what happens when the TCP session is more than 1 hour on the ASA? Does the ASA send a TCP reset flag to both servers?

That's the timeout value for connections that the ASA maintains, read more here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html

I was asking to take the pcap on the incoming and outgoing interfaces of the ASA and not on the servers, read more here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Regards,

Chakshu

Hope this helps!

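As a worked illustration of the two-interface capture check Chakshu describes (and of the "timeout conn 1:00:00" value he quotes), here is an added example that is not part of this thread or of any Cisco tool. It assumes constructed capture lines in the style of the ASA "show capture" output, taken on the inside and outside interfaces, and a scenario in which the firewall, not an end host, emitted the resets; the interface names, addresses and ports are made up.

```python
import re
# Constructed sample lines in the style of ASA "show capture" output for captures
# on the inside and outside interfaces (not from a real device); client 10.1.1.10.
CAPTURE_INSIDE = """\
1: 10:00:01.000100 10.1.1.10.51000 > 10.2.2.20.443: S 1:1(0) win 64240
2: 10:00:01.000400 10.2.2.20.443 > 10.1.1.10.51000: S 1:1(0) ack 2 win 65535
3: 11:00:05.000200 10.2.2.20.443 > 10.1.1.10.51000: R 0:0(0) ack 2 win 0
"""
CAPTURE_OUTSIDE = """\
1: 10:00:01.000200 10.1.1.10.51000 > 10.2.2.20.443: S 1:1(0) win 64240
2: 10:00:01.000300 10.2.2.20.443 > 10.1.1.10.51000: S 1:1(0) ack 2 win 65535
3: 11:00:05.000200 10.1.1.10.51000 > 10.2.2.20.443: R 0:0(0) ack 2 win 0
"""
PKT_RE = re.compile(r"^\s*\d+:\s+(?P<ts>\S+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)"
                    r"\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>\S+)")

def parse_packets(capture_text):
    """Yield (timestamp, src, sport, dst, dport, flags) per parsable line."""
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield (m["ts"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["flags"])

def classify_resets(inside_text, outside_text):
    """Attribute each RST to its origin. A RST that transited the firewall is
    seen on both interfaces with the same sender; a RST present on only one
    interface was generated by the ASA itself, not by an end host."""
    seen = [{(s, sp, d, dp) for _, s, sp, d, dp, fl in parse_packets(t) if "R" in fl}
            for t in (inside_text, outside_text)]
    return {flow: "end host" if flow in seen[0] and flow in seen[1] else "asa"
            for flow in seen[0] | seen[1]}

def parse_conn_timeout(show_run_line):
    """Seconds from the 'timeout conn h:mm:ss ...' line (1:00:00 -> 3600)."""
    h, m, s = re.search(r"timeout conn (\d+):(\d\d):(\d\d)", show_run_line).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)

def to_seconds(ts):
    """'hh:mm:ss.ffffff' capture timestamp -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def idle_before_reset(capture_text):
    """Idle gap (s) from the last non-RST packet to the first RST, for comparison with the conn timeout."""
    pkts = list(parse_packets(capture_text))
    last_data = max(to_seconds(p[0]) for p in pkts if "R" not in p[5])
    first_rst = min(to_seconds(p[0]) for p in pkts if "R" in p[5])
    return first_rst - last_data
```

If the idle gap exceeds the parsed conn timeout and each RST appears on only one interface, the capture evidence points at the firewall's own teardown rather than at either server.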
When one side sends a TCP reset, the session is closed and the TCP connection needs to be re-established.

Here are the default TCP reset timers:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.html

I have seen some applications that require the TCP session to always stay open; if it does not, the application needs to be restarted manually to establish a connection.

In that case, you need to configure TCP state bypass as below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html

BB
