FWSM Problem: Terminating TCP-Proxy Connection Error Message

maktala007
Level 1

Hi All,

We are receiving an error "%FWSM-5-507001: Terminating TCP-Proxy connection from interface_inside..." in our FWSM 4.0 (12).

The RTSP inspection is already disabled in the firewall, but the problem still persists. I have captured and analyzed the firewall logs and found that the server with IP 172.30.3.230 is sending an 'RST' packet and is thus responsible for the session termination.

When we moved the server IP segment from the firewall to the switch, everything worked fine. This clearly shows that the problem is with the FWSM.

Please help me if anyone has a suggestion to resolve this problem.

Thanks in advance,

Rajender

5 Replies

Anu M Chacko
Cisco Employee

Hi Rajender,

Could you post the output of "sh service-policy" from the FWSM here?

Regards,

Anu

Hi Anu,

Please find below the output of "show service-policy":

Global policy:

  Service-policy: CSM_POLICY_MAP_global_2

    Class-map: inspection_default

      Inspect: dns maximum-length 1260, packet 539490201, drop 0, reset-drop 0

      Inspect: ftp, packet 878867, drop 0, reset-drop 0

      Inspect: h323 h225, packet 0, drop 0, reset-drop 0

      Inspect: h323 ras, packet 3, drop 3, reset-drop 0

      Inspect: netbios, packet 29999331, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: skinny, packet 133, drop 0, reset-drop 0

      Inspect: sqlnet, packet 231, drop 0, reset-drop 0

      Inspect: sunrpc, packet 786816, drop 0, reset-drop 0

      Inspect: tftp, packet 8985750, drop 0, reset-drop 0

      Inspect: xdmcp, packet 43, drop 0, reset-drop 0

    Class-map: CSM_CLASS_MAP_sip_1

      Inspect: sip, packet 0, drop 0, reset-drop 0 Global policy:

Regards,

Rajender
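To read the counters in the output posted above at a glance, the following added example (not part of the original thread, and not Cisco tooling) parses `show service-policy` text into per-engine counters and lists which inspection engines have seen traffic or drops. The function names are hypothetical, and the sample is an abridged copy of the posted output, including the stray trailing "Global policy:" on its last line.

```python
import re

# Abridged copy of the output posted in the thread (not the full listing).
SAMPLE = """\
Global policy:
  Service-policy: CSM_POLICY_MAP_global_2
    Class-map: inspection_default
      Inspect: dns maximum-length 1260, packet 539490201, drop 0, reset-drop 0
      Inspect: h323 ras, packet 3, drop 3, reset-drop 0
      Inspect: skinny, packet 133, drop 0, reset-drop 0
    Class-map: CSM_CLASS_MAP_sip_1
      Inspect: sip, packet 0, drop 0, reset-drop 0 Global policy:
"""

CLASS_RE = re.compile(r"Class-map:\s*(\S+)")
# The engine field may carry options ("dns maximum-length 1260", "h323 ras"),
# so capture everything up to the first comma.
INSPECT_RE = re.compile(
    r"Inspect:\s*(?P<engine>[^,]+),\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset_drop>\d+)"
)

def parse_service_policy(text):
    """Return one dict per Inspect line, tagged with its class-map."""
    rows, current_class = [], None
    for line in text.splitlines():
        cls = CLASS_RE.search(line)
        if cls:
            current_class = cls.group(1)
            continue
        m = INSPECT_RE.search(line)  # search() ignores trailing paste debris
        if m:
            rows.append({
                "class_map": current_class,
                "engine": m.group("engine").strip(),
                "packet": int(m.group("packet")),
                "drop": int(m.group("drop")),
                "reset_drop": int(m.group("reset_drop")),
            })
    return rows

def engines_with_drops(rows):
    """Engines whose drop or reset-drop counter is non-zero."""
    return [r["engine"] for r in rows if r["drop"] or r["reset_drop"]]

def active_engines(rows):
    """Engines that have inspected at least one packet."""
    return [r["engine"] for r in rows if r["packet"] > 0]

if __name__ == "__main__":
    parsed = parse_service_policy(SAMPLE)
    print("active:", active_engines(parsed))
    print("dropping:", engines_with_drops(parsed))
```

Running the same parser on output captured before and after a test shows whether a given engine's packet or drop counters moved during the failure.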

Hi Rajender,

The captures show all traffic destined to port 2000, which is skinny. Could you disable inspection of skinny and test?

Let me know.

Regards,

Anu

Hi Anu,

In fact, I have already done that (disabling 'skinny' inspection for testing purposes). The actual captured logs were taken when 'skinny' was disabled. Disabling 'skinny inspection' did not work, so we decided to move the IP segment from the firewall to the L3 switch and re-enabled the 'skinny inspection'.

Regards,

Rajender

Hi Rajender,

I see. In the captures, I also see that there are out-of-order packets. Do you have "sysopt np-completion unit" enabled on the FWSM? This will ensure that the FWSM does not re-order the packets that are received.

Let me know.

Regards,

Anu
