08-11-2009 03:14 AM - edited 03-11-2019 09:04 AM
Hi All!
We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in the policy-map, the FWSM does not send any TCP reset packet to the endpoints (monitored using Wireshark).
We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F
Please see the related configuration below:
Traffic originating from outside interface (source IP: 172.16.129.221) destined to an inside host (destination IP: 172.24.250.100) to TCP/22 or TCP/23.
!
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable
access-list CONNS_TIMEOUT_TEST_ACL line 2 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet log disable
!
!
service reset no-connection
!
class-map CONNS_TIMEOUT_TEST_CMAP
match access-list CONNS_TIMEOUT_TEST_ACL
!
policy-map CONNS_TIMEOUT_TEST_PMAP
class CONNS_TIMEOUT_TEST_CMAP
set connection timeout tcp 0:05:00 reset
!
icmp permit TESTNET_172.24.250.0 255.255.255.0 TESTNET_172.24.250.0/24
access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 255.255.255.0 any log disable
!
object-group service TEST_OBJECT_GR tcp
port-object eq ssh
port-object eq telnet
access-list outside_access_in extended permit tcp host 172.16.129.221 host 172.24.250.100 object-group TEST_OBJECT_GR log disable
!
!
service-policy CONNS_TIMEOUT_TEST_PMAP interface outside
!
We are planning to upgrade to the latest FWSM v4 software version, because it seems to be a bug. Could anybody help me to solve this problem?
Any feedback would be appreciated! Thanks in advance! Belabacsi
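One way to check that an MPF chain like the one posted is wired end to end (ACL referenced by the class-map, class inside the policy-map carrying "set connection timeout tcp ... reset", policy applied on the interface the traffic enters), as an added Python example that is not from the original post or from Cisco: the config text is a constructed copy of the fragment above, and the parser is simplified to flat class-maps and policy-maps.

```python
# Added example (not the post's or Cisco's code): simplified MPF chain checker; constructed config, flat maps only.
FWSM_CONFIG = """
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable
class-map CONNS_TIMEOUT_TEST_CMAP
 match access-list CONNS_TIMEOUT_TEST_ACL
policy-map CONNS_TIMEOUT_TEST_PMAP
 class CONNS_TIMEOUT_TEST_CMAP
  set connection timeout tcp 0:05:00 reset
service-policy CONNS_TIMEOUT_TEST_PMAP interface outside
"""
def parse_mpf(config):
    """ACL names, class-map -> ACL, policy-map -> {class: [set ...]}, policy-map -> interface."""
    acls, cmaps, pmaps, spolicies = set(), {}, {}, {}
    ctx = None  # ("cmap", name) while inside a class-map, ("pmap", name, class) inside a policy-map
    for line in (raw.strip() for raw in config.splitlines()):
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "access-list":
            acls.add(w[1])
        elif w[0] == "class-map":
            ctx, cmaps[w[1]] = ("cmap", w[1]), None
        elif w[0] == "match" and ctx and ctx[0] == "cmap":
            cmaps[ctx[1]] = w[2]
        elif w[0] == "policy-map":
            ctx, pmaps[w[1]] = ("pmap", w[1], None), {}
        elif w[0] == "class" and ctx and ctx[0] == "pmap":
            ctx = ("pmap", ctx[1], w[1])
            pmaps[ctx[1]][w[1]] = []
        elif w[0] == "set" and ctx and ctx[0] == "pmap" and ctx[2]:
            pmaps[ctx[1]][ctx[2]].append(line)
        elif w[0] == "service-policy":
            spolicies[w[1]] = w[3] if w[2] == "interface" else "global"
    return acls, cmaps, pmaps, spolicies
def reset_chain_issues(config, ingress_interface):
    """Gaps that would stop an idle-timeout RST for TCP traffic entering ingress_interface."""
    acls, cmaps, pmaps, spolicies = parse_mpf(config)
    issues = []
    for pmap, classes in pmaps.items():
        for cls, actions in classes.items():
            timeouts = [a for a in actions if a.startswith("set connection timeout tcp")]
            if not timeouts:
                continue  # no TCP idle timeout set here, nothing to reset on
            if not any(a.split()[-1] == "reset" for a in timeouts):
                issues.append(f"{pmap}/{cls}: timeout without 'reset'")
            if cmaps.get(cls) not in acls:
                issues.append(f"{pmap}/{cls}: class-map or its ACL missing")
            if spolicies.get(pmap) not in (ingress_interface, "global"):
                issues.append(f"{pmap}: not applied on {ingress_interface}")
    return issues
```

If it returns no issues for a configuration like the one posted, the policy chain is complete and a missing RST on the wire has to be looked for in platform behaviour, as the later posts in this thread do.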
08-17-2009 12:29 AM
News: We have updated to the latest FWSM software version: v4.0(6) but the problem still exists.
I have tested the configuration using ASA software version v8.2.1 (above configuration + TCP state bypass global map) and sending TCP reset is OK with ASA!
Any idea? Maybe FWSM bug?
Any feedback would be appreciated! Thanks in advance! Belabacsi
08-17-2009 11:30 AM
The URL below provides a sample configuration for PIX 7.1(1) and later of a timeout that is specific to a particular application such as SSH/Telnet/HTTP, as opposed to one that applies to all applications. This configuration example uses the new Modular Policy Framework introduced in PIX 7.0. This feature is not applicable in an IPsec VPN environment.
In this sample configuration, the PIX Firewall is configured to allow the workstation (10.77.241.129) to Telnet/SSH/HTTP to the remote server (10.1.1.1) behind the router. A separate connection timeout to Telnet/SSH/HTTP traffic is also configured. All other TCP traffic continues to have the normal connection timeout value associated with timeout conn 1:00:00.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml
10-19-2010 07:43 AM
Hi,
I'm looking at this issue, once the TAC case has been resolved I'll let you know.
Any further updates are welcome on amakovec@cisco.com.
10-27-2010 01:13 AM
We are still investigating the fix for this issue. It is more like a design question now. Soon we will have some information we can share.
10-27-2010 01:30 AM
Dear Adam!
Thanks for the info!
Regards
Belabacsi
Budapest, Hungary
08-04-2011 03:45 AM
Hi Adam - Is there any update after this? We are also facing the same kind of strange REST-I issue in our FWSM firewalls.
Regards...KSA
09-23-2011 06:17 AM
Dear Bélabá! :-)
Has a solution been found yet for the problem outlined above?
We could use a little RST too for the less frequently used TCP connections!
Regards,
10-10-2011 04:48 AM
Dear Károly! :-)
Unfortunately, in its current state the FWSM still does not send a TCP RESET; we also sorely miss this capability. (We are currently using version v4.1(6).) I have no information on how the release of the ASASM will affect FWSM development, but I hope the feature will be implemented soon :-)
Best regards:
Bélabá
10-10-2011 04:54 AM
Thank you! :-)