cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4550
Views
0
Helpful
11
Replies

FWSM idle connection timeout issues

Siju S
Level 1
Level 1

The service policy appied to set the idle connection timeout does not apply for a particular traffic destined for SQL net connections . However any other TCP ports are identified . Does that mean that Sql Net connections idle timeout can be altered only by the global option

Refer to :

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/protct_f.html


Note This command does not affect  secondary connections created by an inspection engine. For example, you  cannot change the connection settings for secondary flows like SQL*Net,  FTP data flows, and so on using the set connection  timeout command. For these connections, use the global timeout conn command to change the idle time. Note  that the timeout conn command affects all traffic flows unless you otherwise use the set connection timeout command for eligible traffic.

Can somebody explain what does this refer to ?

1 Accepted Solution

Accepted Solutions

Hello kausar,

It is a valid option but you will need to do something like this:

Access-list Conn_rule deny tcp any any eq 150

Access-list Conn_rule permit tcp any any

class-map test

match access-list Conn_rule

Policy-map Global_policy

class test

set connection timeout tcp xx:00

Then create the global timeout for the SQL*Net traffic

timeout conn xx:xx

I would not recommend to use the 0 0 but we can give it a try and see if that solves your problem.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

11 Replies 11

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Kausar,

That is correct (this will affect only protocols that use secondary flow channels) for secondary flows just like the ones used by FTP Data flows or  SQL*Net got to be limited with the timeout conn , so if you you try to restrict it with the set connection timeout this with not affect that traffic.

The thing is that as soon as you apply the timeout conn this will affect all the traffic traversing the ASA so you got to be careful on this.

Hope this helps, if not let me know and I would try to get more info for you

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your speedy reply , it sounds true . Ive got to be careful enough to set the timout to unlimited for all flows but i dont have another way infact.coz the real issue seems that all my applications are oracle/sqlnet connections looses connection after the default set 60 min period.

However could you tell me what would be the impact if the conn count shows a lot of idle sessions ..ie if the global is set to never timeout

at present it shoes :

7649 in use, 37873 most used

Hello Kausar,

Sure, the resut will affect the performance of the ASAl, I mean remember that each ASA plataform has a limit of connection that the device can handle by minute. So if it gets oversubscrided you will start seeing packets drops, latency issues, high cpu, etc, etc.

Now, if the global is set to never time out that will means that the connections will never expire so the ASA will have them always on its connection table with will cause some issues.

I had worked with a customer and what he had or his issue was that sometimes the ASA will start dropping some of its tcp connections, and this happened randomly. Once I got access to the ASA first time I check was the global time-out, nothing there.

Then I went to the MPF configuration and there was the issue tcp timeout 0 0 witch cause the ASA to keep all the connections  on the ASA, they will never time out.

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Appreciate your references, what could be the best bet yet , because i cannot single out the Sql*net traffic and set the timeout to never. The reason beiong i cannot change the session behavior of the applications.

Do you think I should set the global to 'never' and create a broader service policy rule to set the default timeout(1hr) for an identified chunk of traffic from a known direction (eg ; from outside to all protected zones )

Hello kausar,

It is a valid option but you will need to do something like this:

Access-list Conn_rule deny tcp any any eq 150

Access-list Conn_rule permit tcp any any

class-map test

match access-list Conn_rule

Policy-map Global_policy

class test

set connection timeout tcp xx:00

Then create the global timeout for the SQL*Net traffic

timeout conn xx:xx

I would not recommend to use the 0 0 but we can give it a try and see if that solves your problem.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yeah will try that , need to change the

Global_policy which presently is set to Class-map: inspection_default

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns maximum-length 512, packet 12057789, drop 404, reset-drop 0

      Inspect: ftp, packet 268865, drop 0, reset-drop 0

      Inspect: h323 h225, packet 96244, drop 0, reset-drop 0

      Inspect: h323 ras, packet 388, drop 388, reset-drop 0

      Inspect: netbios, packet 13248279, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: skinny, packet 93279084, drop 0, reset-drop 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

      Inspect: tftp, packet 12369199, drop 0, reset-drop 0

      Inspect: sip, packet 0, drop 0, reset-drop 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Hello Kausar,

Let me know as soon as you get the result.

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That seems to be it the database connectivity seems to be matching the global policy now , well I did not make it unlimited for the global_policy however limited it to 6hours.

I would like to know whether you have a standarad list of connections categorised as secondary flows

Thanks a lot for your help .you have a great day

Hello Kausar,

Great to hear that now that you have changed is working as you want it.

I will do some research and will keep you posted.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

 

I'm having this same issue with Oracle connection. The error code is ORA-12571 TNS Write Failure. When I connect for the first time it times out. When I reconnect to Oracle about three times then the connection is established. I have asked by our DB admin to check the firewall configurations for session timeouts for Oracle listen port 1526 which seems to be timing out. Any help will be appreciated. Thanks in advance.

Review Cisco Networking for a $25 gift card