Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2786
Views
0
Helpful
2
Replies

Force a Connection Reset

eddie.harmoush
Level 1
Level 1

‎07-16-2013 08:41 AM - edited ‎03-11-2019 07:12 PM

Is there a way to force a Cisco ASA to close a connection by sending a TCP Reset packet in both directions?  I know of clear conn and clear local-host, but the testing I've done show those commands just purge the connection from the connection table, but both the client and the server receive no indication of a connection being closed.

I'm working with an archaic server that sustains long connections, but if a client closes the application without properly logging out, the connection remains open on the server, but "locked".  In those times, I have to log in and reset the connection from the server side, but it would be much, MUCH easier for me to simply reset the connection from the Firewall in front.

Any help is appreciated.  Thanks.

-Eddie

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎07-16-2013 09:26 AM

Hi,

To my understanding the only situations where the ASA actually sends a TCP Reset to a connection is when traffic headed to the device or through it is blocked by some configurations. The default behaviour is to my understanding that the only thing to which ASA sends a TCP Reset is a TCP connection coming from a higher "security-level" interface towards lower one (Outbound connection) IF that connect is denied on the basis of some rule.

For connection other than "Outbound" the operation of sending a TCP Reset has to be manually changed in the configuration.

Also the Modular Policy Framework (if I remember that term correctly) is also a way where you can reset some connections.

But neither of the above situations really matches to what you are attempting which is to make the ASA actually send a TCP Reset rather than just removing the connection from its own connection table.

I am not that familiar with the IT side but I wonder if configuring somekind of TCP Keepalive on the server (or modifying existing) could solve the problem and help the server detect the connection that is no longer valid?

- Jouni

0 Helpful

eddie.harmoush
Level 1
Level 1
In response to Jouni Forss

‎07-16-2013 09:46 AM

The "server" in this case is a Perle console server.  I have very limited access to the OS to modify TCP attributes like keepalives, etc.  Good suggestion, but I don't think that will work for me.

Definitely looking for a way to administratively send resets to either side of the connection (or at the very least the Server side -- higher security level).  I guess I could create an MPF that resets idle TCP connections after 5 minutes or something.  Maybe I'll go that route as a stop gap.

But I'll leave this thread open for a while to see if someone comes up with a command or method to do it.    Thanks for the help thus far, Jouni.

-Eddie

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card