06-15-2014 03:26 PM - edited 03-11-2019 09:20 PM
Good Evening,
I have an ASA running 8.6(2) and we started seeing an issue with one website last week where users reported that it was operating 'slowly' and sometimes they wouldn't get a connection at all [Page cannot be displayed]. Looking at our firewall and doing some captures has me stumped, or at least has led me to the conclusion that I've done all the troubleshooting I can on the firewall, with captures and so on (although my next step is to check out the asp-drop capture and search for the IP).
Here are my findings:
1. I set up inside and outside captures. Inside was from internal IP to 'any', outside capture was 'external NAT address' <-> any. While testing, I see 3 attempts to send the initial request to 198.199.134.183:443 from our inside address and the 3 attempts leaving our outside interface NAT->198.199.134.183:443, and nothing back. After the 3rd attempt on the capture, they get the 404 on the browser end.
2. Filtering ASDM logging for 198.199.134.183 while running this, I get the various 'building connection' messages when the site works, and I see two-way data on the capture and the ASDM eventually reports a 'TCP Reset-I' to kill the flow when done - all is good. When I get the 404 though, the log reports 'Teardown ...<details>..... SYN Timeout'.
I think that the issue is that either the remote end is not sending a SYN-ACK to my request, either at all, or in time. Or something on the internet or remote network is dropping my packets or dropping the replies.
Does this sound right? Anything else to check? This happens on static NAT and when using PAT. Is there a way to increase the 30 second limit for when the ASA gives up and then tears down the connection reporting 'SYN Timeout'? It would be good to increase this to 60 seconds to see if it's just a delay or something?
thanks,
Al
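The log pattern described above (normal flows torn down with 'TCP Reset-I' and bytes transferred, failed ones torn down after 30 seconds with 'SYN Timeout' and zero bytes) can be counted per destination from exported ASA syslog. The script below is an added example, not from the original thread or from Cisco; the %ASA-6-302014 sample lines are constructed, with the inside host, NAT address, connection ids and durations made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ASA syslog lines (not from the thread). The destination
# 198.199.134.183:443 is the site under discussion; 10.10.5.20 (inside host),
# 203.0.113.10 (outside NAT) and 198.51.100.7 (a second site) are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4101 for outside:198.199.134.183/443 (198.199.134.183/443) to inside:10.10.5.20/49211 (203.0.113.10/49211)
%ASA-6-302014: Teardown TCP connection 4101 for outside:198.199.134.183/443 to inside:10.10.5.20/49211 duration 0:00:02 bytes 5120 TCP Reset-I
%ASA-6-302013: Built outbound TCP connection 4102 for outside:198.199.134.183/443 (198.199.134.183/443) to inside:10.10.5.20/49212 (203.0.113.10/49212)
%ASA-6-302014: Teardown TCP connection 4102 for outside:198.199.134.183/443 to inside:10.10.5.20/49212 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4103 for outside:198.199.134.183/443 (198.199.134.183/443) to inside:10.10.5.20/49213 (203.0.113.10/49213)
%ASA-6-302014: Teardown TCP connection 4103 for outside:198.199.134.183/443 to inside:10.10.5.20/49213 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4104 for outside:198.51.100.7/443 to inside:10.10.5.21/49300 duration 0:00:05 bytes 9000 TCP FINs
"""

# Only the teardown message carries the reason, duration and byte count.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for "
    r"outside:(?P<dst>[\d.]+)/(?P<dport>\d+) to inside:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def summarize_teardowns(log_text):
    """Per destination ip:port, count teardowns, SYN Timeouts and zero-byte flows."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue  # 'Built' messages and unrelated lines are skipped
        key = f"{m['dst']}:{m['dport']}"
        stats[key]["teardowns"] += 1
        if m["reason"] == "SYN Timeout":
            stats[key]["syn_timeouts"] += 1
        if int(m["bytes"]) == 0:
            stats[key]["zero_byte"] += 1  # never got past the handshake
    return stats

def syn_timeout_ratio(stats, dest):
    """Fraction of flows to dest that died waiting for a SYN-ACK (0.0 if none seen)."""
    c = stats.get(dest)
    if not c or c["teardowns"] == 0:
        return 0.0
    return c["syn_timeouts"] / c["teardowns"]
```

A destination where most teardowns are 'SYN Timeout' with zero bytes, while other destinations through the same outside interface complete normally, points at the remote end or the path to it rather than at the firewall.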
06-16-2014 12:36 AM
You can do this by increasing the allowed time for embryonic connections. This is done in the policy-map. So you could do something like the following:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
hostname(config-pmap-c)# set connection timeout embryonic 0:1:0
hostname(config-pmap-c)# service-policy CONNS interface outside
This will increase the timeout of the half opened connections to 1 minute.
Optionally you could do this in the class class-default.
--
Please remember to select a correct answer and rate helpful posts
06-16-2014 12:05 PM
Thanks. I saw a Cisco article while I was browsing and set this on the default/class-default. I see it now waits 1 minute before timing the connection out.
We still see several failures when trying to connect to the website, apart from the steps I have tried above (and I've now checked my asp-drop capture and the IP is not in there when we're trying to make a connection). Any other thoughts?
06-17-2014 03:57 AM
My guess would be that the issue is at the server side and not on your ASA. Any chance you can contact the remote server support and have them check their end?
--
Please remember to select a correct answer and rate helpful posts
06-17-2014 06:36 AM
Yeah we're already talking with them and trying to make inroads with the website hosts.
Thanks for the responses.