08-21-2015 02:00 PM - edited 03-11-2019 11:28 PM
I'm having an issue with the FWSM that is not clearing the idle UDP connections properly. The configuration has the UDP idle timeout set for 2 minutes. But I'm seeing the UDP connections not cleared until 30 minutes.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
UDP outside 10.2.107.211:55004 inside 10.224.16.55:389 idle 0:26:51 Bytes 810 FLAGS - b
UDP outside 10.2.13.201:51782 inside 10.3.14.79:161 idle 0:22:30 Bytes 382 FLAGS - b
UDP outside 10.2.69.248:60113 inside 10.224.16.230:53 idle 0:13:29 Bytes 950 FLAGS - bD
Compared with other FWSMs on other 6509s (same model, same OS, almost the same configs), only this particular one has the issue. I don't have a policy-map to set the UDP timeout for any traffic, and I don't have "inspect dns" in the global policy-map either.
Maybe I'm hitting a bug? Any suggestion would be appreciated.
08-30-2015 08:34 AM
Hi,
Can you post the FWSM configuration ?
I am seeing the "b" flag, which means that these have State Bypass configured.
Thanks and Regards,
Vibhor Amrodia
08-30-2015 10:16 AM
Hi Vibhor
I think you have a good point there. I totally missed the "b" flag, and I do believe we have a state bypass configured. I will check the configuration and do some testing if possible. Will update the post.
Appreciate your help!
Joseph
08-30-2015 10:41 PM
Hi Vibhor
The FWSM configuration is attached. tcp-state-bypass is enabled for all IP traffic. I did a test by excluding the traffic for a testing PC (adding "deny" lines in the ACL). But UDP traffic for the testing PC is still not cleared properly.
UDP outside 10.2.2.40:137 inside 10.224.16.232:137 idle 0:04:03 Bytes 68544 FLAGS - b
UDP outside 10.2.2.40:138 inside 10.224.16.53:138 idle 0:04:05 Bytes 26216 FLAGS - b
UDP outside 10.2.2.40:3229 inside 10.224.16.53:389 idle 0:28:12 Bytes 820 FLAGS - b
UDP outside 10.2.2.40:52113 inside 10.224.16.230:53 idle 0:06:11 Bytes 736 FLAGS - bD
UDP outside 10.2.2.40:59607 inside 10.224.16.230:53 idle 0:19:03 Bytes 620 FLAGS - bD
Any other thoughts?
Thanks again.
Joseph
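To make the comparison in the two posts above repeatable (configured idle timeout versus the idle column of each "show conn" row, plus whether the row carries the state-bypass "b" flag), here is an added triage script. It is not from the thread or from Cisco; the sample rows are constructed to resemble the ones quoted above, and the mapping of the TCP column to the "conn" timeout keyword is an assumption. It only reports which entries have outlived their configured timeout and which of those are under the bypass policy; it does not explain why the timer is not enforced.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the "timeout" line and the "show conn"
# rows quoted in this thread; it is not output captured from the poster's FWSM.
TIMEOUT_LINE = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"
CONN_LINES = [
    "UDP outside 10.2.2.40:137 inside 10.224.16.232:137 idle 0:04:03 Bytes 68544 FLAGS - b",
    "UDP outside 10.2.2.40:3229 inside 10.224.16.53:389 idle 0:28:12 Bytes 820 FLAGS - b",
    "UDP outside 10.2.2.40:52113 inside 10.224.16.230:53 idle 0:01:30 Bytes 736 FLAGS - bD",
    "TCP outside 10.2.2.40:49152 inside 10.224.16.55:443 idle 0:05:00 Bytes 1200 FLAGS - UIOb",
]

# Maps the protocol column of a conn row to the keyword on the "timeout" line.
# Assumption: TCP rows are governed by the generic "conn" idle timeout.
PROTO_TIMEOUT_KEY = {"TCP": "conn", "UDP": "udp", "ICMP": "icmp"}

_CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<src_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
    r"\s+Bytes\s+(?P<bytes>\d+)\s+FLAGS\s+-\s*(?P<flags>\S*)$"
)


@dataclass
class Conn:
    proto: str
    src: str
    dst: str
    idle_seconds: int
    flags: str

    @property
    def state_bypass(self) -> bool:
        # "b" in the FLAGS column marks a connection handled by the state-bypass policy.
        return "b" in self.flags


def hms_to_seconds(hms: str) -> int:
    """Convert an h:mm:ss field such as 0:28:12 to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(line: str) -> dict:
    """Turn 'timeout conn 1:00:00 udp 0:02:00 ...' into {keyword: seconds}."""
    tokens = line.split()
    if not tokens or tokens[0] != "timeout":
        raise ValueError("not a timeout line")
    names, values = tokens[1::2], tokens[2::2]
    if len(names) != len(values):
        raise ValueError("malformed timeout line")
    return {name: hms_to_seconds(value) for name, value in zip(names, values)}


def parse_conn(line: str) -> Conn:
    """Parse one 'show conn' row into a Conn record."""
    m = _CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised conn row: {line!r}")
    return Conn(
        proto=m["proto"],
        src=f"{m['src']}:{m['sport']}",
        dst=f"{m['dst']}:{m['dport']}",
        idle_seconds=hms_to_seconds(m["idle"]),
        flags=m["flags"],
    )


def stale_connections(timeout_line: str, conn_lines: list) -> list:
    """Return (Conn, seconds_past_timeout) for rows idle longer than configured."""
    timeouts = parse_timeouts(timeout_line)
    stale = []
    for line in conn_lines:
        conn = parse_conn(line)
        limit = timeouts.get(PROTO_TIMEOUT_KEY[conn.proto])
        if limit is not None and conn.idle_seconds > limit:
            stale.append((conn, conn.idle_seconds - limit))
    return stale


if __name__ == "__main__":
    for conn, over in stale_connections(TIMEOUT_LINE, CONN_LINES):
        tag = " (state-bypass)" if conn.state_bypass else ""
        print(f"{conn.proto} {conn.src} -> {conn.dst} idle {conn.idle_seconds}s, "
              f"{over}s past timeout{tag}")
```

Paste the device's own "timeout" line and "show conn" rows in place of the constructed ones; rows that are both past their timeout and carry the "b" flag are the ones to compare against the bypass ACL and its policy-map.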
08-31-2015 11:39 AM
Hi,
From the connection outputs, I still see them being classified by the TCP State Bypass policy.
Thanks and Regards,
Vibhor Amrodia
08-31-2015 12:05 PM
Yes, the "b" flag is still there. But why is the TCP state bypass affecting UDP connections? Also, I have added the deny lines to exclude the testing traffic. It looks like the "deny" lines are just ignored.
08-31-2015 12:11 PM
Hi,
Yes, it seems to be. Also, did you try to clear the connections after making the changes to the Bypass ACL?
Thanks and Regards,
Vibhor Amrodia
08-31-2015 12:32 PM
Yes, I did clear all connections for that testing PC.