FWSM sysopt connection timewait ?

patoberli
VIP Alumni

Hi

Is the command 'sysopt connection timewait' available on the FWSM 3.2? There is something written in the manual: [quote]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.2 -- Whole Book PDF" available on the page you sent me to and go to page 6-86 we see the following.

Command

sysopt connection timewait

Description

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence

[/quote]

But on the other hand it's not listed as an available command in the list of commands...

So is it available? What are the options for configuring it? What is the impact for the network?

Our backup software supplier asked us to lower it to 30 seconds or less.

thanks

pato


4 Replies

Jennifer Halim
Cisco Employee (Accepted Solution)

The command "sysopt connection timewait" is a global command that is no longer available on version 3.2.

You can configure the same feature with MPF with configuring specific traffic that you would like to lower the TCP timewait on.

Here is the command reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/s1.html#wp2699979

Hope that helps.

Thanks for your answer. In that case we can't change it to a time that the manufacturer would like to have (around 5-10 seconds).

On FWSM architecture, the connection is actually removed as soon as they are closed, hence the "sysopt connection timewait" actually serves no purpose, hence it is no longer available in the later version.

What is your software vendor actually trying to achieve? Do they want to close down the connection around 5-10 seconds after the TCP session is idle? If that is what they are trying to achieve, then you can implement it using the "set connection timeout" command advised earlier.

The issue is that the software tries to re-use the same port for a new connection. The firewall will block that with:

%FWSM-6-106028: Deny TCP (Connection marked for Deletion) from x.x.x.x/xx to x.x.x.x/xx flags SYN  on interface inside

And this itself is caused by the time_wait period, which seems to be set to 240 seconds. What I would need is to lower that one to 10-30 seconds.

The set connection timeout tcp or idle has a minimum of 5 minutes as per your attached link.
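As an added illustration of the two points above (Jennifer's suggestion to use MPF for specific traffic, and the 5-minute floor on "set connection timeout tcp" that patoberli notes), here is the shape such a configuration takes. This is example configuration written for this thread, not from the original posts or from Cisco's documentation; the host addresses, port, access-list and class-map names are placeholders, and "global_policy" assumes the usual default policy-map name (add the class to whatever global policy the FWSM already has).

```text
! Added example; hosts, port and object names are placeholders.
! Match only the backup traffic so the shorter idle timeout is not applied
! firewall-wide to every TCP connection.
access-list BACKUP_TCP extended permit tcp host 192.0.2.10 host 192.0.2.20 eq 1234
!
class-map BACKUP_TCP
 match access-list BACKUP_TCP
!
! Attach the timeout to that class inside the global policy.
policy-map global_policy
 class BACKUP_TCP
  ! Idle timeout for established TCP connections in this class (hh:mm:ss).
  ! 0:05:00 is the lowest value the command accepts, so this lowers the idle
  ! timeout for the backup hosts but cannot reach the 10-30 seconds asked for.
  set connection timeout tcp 0:05:00
!
service-policy global_policy global
```

Note what this does and does not change: it shortens how long an idle, established connection for the matched hosts stays in the connection table, which is what the "set connection timeout" command controls. It does not shorten the post-close linger that produces the "Connection marked for Deletion" denies described above, and its minimum of five minutes is the limit reported at the end of the thread, so the matched traffic should be kept as narrow as the access-list allows.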
