Solved: Firewall connections via wrong interface

Daniel Smith · ‎01-09-2021

Our firewalls utilize dynamic routing to route to the target destinations. Quite often, when a route goes away, a connection will build between an interface and corporate interface, which is where the default route points. The connection really does not work, since the resource is on a different interface. These connections remain built even when the route comes back from the correct interface, and the session continues to not work until we manually clear it. Is there a solution for this issue?

MHM Cisco World · ‎01-09-2021

use this command if the interface change then the NAT will update according to new interface

timeout floating-conn x:x:x

View solution in original post

balaji.bandi · ‎01-09-2021

can you show an example: is this NAT connection clear? that is the nature of the process, you need to make an EEM script to clear NAT if NAT involved.

if the IGP then once new route available with best cost and path, then FW should send traffic to new best path technically.

but we would like to see the config and example output of the routing table to suggest anything we can.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎01-09-2021

use this command if the interface change then the NAT will update according to new interface

timeout floating-conn x:x:x

Mohammed al Baqari · ‎01-09-2021

+5 @MHM Cisco World.

@Daniel Smith this document explains how it works.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

***** please remember to rate useful posts

Daniel Smith · ‎01-10-2021

Thanks very much, I had read about that command before but forgotten it!