FWSM does not clear UDP connections properly

josephqiu
Level 1

I'm having an issue with the FWSM that is not clearing the idle UDP connections properly.  The configuration has the UDP idle timeout set for 2 minutes.  But I'm seeing the UDP connections not cleared until 30 minutes.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

UDP outside 10.2.107.211:55004 inside 10.224.16.55:389 idle 0:26:51 Bytes 810 FLAGS - b
UDP outside 10.2.13.201:51782 inside 10.3.14.79:161 idle 0:22:30 Bytes 382 FLAGS - b
UDP outside 10.2.69.248:60113 inside 10.224.16.230:53 idle 0:13:29 Bytes 950 FLAGS - bD

Compared with other FWSM's on other 6509's (same model, same OS, almost same configs), only this particular one has the issue.  I don't have a policy-map to set UDP timeout for any traffic, and I don't have "inspect dns" in the global policy-map as well.

Maybe I'm hitting a bug?  Any suggestion would be appreciated.
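As an added example (not part of the original thread or of any Cisco tooling), the following Python script parses a `timeout` line and `show conn` lines in the format quoted above, and lists the connections whose idle time has already passed the configured per-protocol timeout, noting which of them carry the `b` (state bypass) flag. The sample input is constructed from the lines in this post; the output format is assumed to match what the FWSM prints.

```python
import re

# Constructed sample input, copied from the lines quoted in this thread
# (not live device output). The line format is assumed to match the
# FWSM "timeout" and "show conn" output shown above.
TIMEOUT_LINE = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"

CONN_OUTPUT = """\
UDP outside 10.2.107.211:55004 inside 10.224.16.55:389 idle 0:26:51 Bytes 810 FLAGS - b
UDP outside 10.2.13.201:51782 inside 10.3.14.79:161 idle 0:22:30 Bytes 382 FLAGS - b
UDP outside 10.2.69.248:60113 inside 10.224.16.230:53 idle 0:13:29 Bytes 950 FLAGS - bD
UDP outside 10.2.2.40:137 inside 10.224.16.232:137 idle 0:01:03 Bytes 68544 FLAGS -
"""

# One show-conn line: proto, ingress if, src, egress if, dst, idle, bytes, flags.
# The flag field may be empty, so it is matched with \S* after the '-' marker.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<in_if>\S+)\s+(?P<src>\S+)\s+(?P<out_if>\S+)\s+(?P<dst>\S+)"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d)\s+Bytes\s+(?P<bytes>\d+)\s+FLAGS\s+-\s*(?P<flags>\S*)\s*$"
)


def hms_to_seconds(text):
    """Convert an h:mm:ss idle or timeout value to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(line):
    """Turn 'timeout conn 1:00:00 udp 0:02:00 ...' into {'conn': 3600, 'udp': 120, ...}."""
    tokens = line.split()[1:]  # drop the leading 'timeout' keyword
    return {tokens[i]: hms_to_seconds(tokens[i + 1]) for i in range(0, len(tokens), 2)}


def parse_conns(output):
    """Parse show-conn lines into dicts; lines that do not match the format are skipped."""
    conns = []
    for line in output.splitlines():
        match = CONN_RE.match(line.strip())
        if not match:
            continue
        conn = match.groupdict()
        conn["idle_seconds"] = hms_to_seconds(conn["idle"])
        conn["bytes"] = int(conn["bytes"])
        conn["bypass"] = "b" in conn["flags"]  # 'b' = state bypass, as pointed out in the replies
        conns.append(conn)
    return conns


def find_overdue(output, timeout_line):
    """Return connections whose idle time exceeds the configured timeout for their protocol.

    Only protocols keyed the same way in the timeout line (udp, icmp) are compared;
    TCP uses the 'conn' keyword and is left out of this simple check.
    """
    timeouts = parse_timeouts(timeout_line)
    overdue = []
    for conn in parse_conns(output):
        limit = timeouts.get(conn["proto"].lower())
        if limit is not None and conn["idle_seconds"] > limit:
            overdue.append(conn)
    return overdue


def summarize(output, timeout_line):
    """Count overdue connections with and without the state-bypass flag."""
    overdue = find_overdue(output, timeout_line)
    with_bypass = sum(1 for c in overdue if c["bypass"])
    return {"overdue": len(overdue), "bypass": with_bypass, "no_bypass": len(overdue) - with_bypass}


if __name__ == "__main__":
    for c in find_overdue(CONN_OUTPUT, TIMEOUT_LINE):
        print(f"{c['proto']} {c['src']} -> {c['dst']} idle {c['idle']} flags '{c['flags']}'")
    print(summarize(CONN_OUTPUT, TIMEOUT_LINE))
```

Run it against a saved copy of `show conn` and the `timeout` line from the running configuration; if every overdue entry also carries the `b` flag, the bypass policy is the first thing to look at, while overdue entries without it would point elsewhere.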

7 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Can you post the FWSM configuration ?

I am seeing the "b" flag which means that these have State Bypass configured.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor

I think you have a good point there.  I totally missed the "b" flag, and I do believe we have a state bypass configured.  I will check the configuration and do some testing if possible.  Will update the post.

Appreciate your help!

Joseph

Hi Vibhor

The FWSM configuration is attached.  tcp-state-bypass is enabled for all IP traffic.  I did a test by excluding the traffic for a testing PC (adding "deny" lines in the ACL).  But UDP traffic for the testing PC is still not cleared properly.

UDP outside 10.2.2.40:137 inside 10.224.16.232:137 idle 0:04:03 Bytes 68544 FLAGS - b
UDP outside 10.2.2.40:138 inside 10.224.16.53:138 idle 0:04:05 Bytes 26216 FLAGS - b
UDP outside 10.2.2.40:3229 inside 10.224.16.53:389 idle 0:28:12 Bytes 820 FLAGS - b
UDP outside 10.2.2.40:52113 inside 10.224.16.230:53 idle 0:06:11 Bytes 736 FLAGS - bD
UDP outside 10.2.2.40:59607 inside 10.224.16.230:53 idle 0:19:03 Bytes 620 FLAGS - bD

Any other thoughts?

Thanks again.

Joseph

Hi,

From the connection outputs, I still see them being classified by the TCP State Bypass policy.

Thanks and Regards,

Vibhor Amrodia

Yes, the "b" flag is still there.  But why is the TCP state bypass affecting UDP connections?  Also, I have added the deny lines to exclude the testing traffic.  Looks like the "deny" lines are just ignored.

Hi,

Yes, it seems to be, and also did you try to clear the connections after making the changes to the Bypass ACL?

Thanks and Regards,

Vibhor Amrodia

Yes, I did clear all connections for that testing PC.
