08-24-2012 01:13 PM - edited 03-11-2019 04:46 PM
I am on version 8.2(1) of ASA Code.
When accessing a SQL server on a secure internal interface,(Traffic is sourcing from DMZ) i'm getting some timeouts on the initial connection on port 1433. All subsequent connections work fine. Packet tracer shows the connection builds properly, and shouldn't have a connectivity issue. The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues.
Here are my timeouts, from the config
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
arp timeout 14400
I've seen a couple articles about increasing the tcp timeout to 3 hours for the DMZ interface, but I'm not sure that's the best idea.
Does anyone have an idea what might be wrong?
08-25-2012 06:30 AM
Hi Bro
Based on your problem description, I personally don't think this is an issue with your Cisco Firewall. The reason being, you said "The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues."
Since all the other Web Servers in DMZ has no issues accessing the SQL server except for this particular one, then what I would propose you to do is to perform 2 packet captures from within the Cisco Firewall i.e. from the non-working Web Server to the SQL server and from a working Web Server to the SQL server and compare the packet capture output. Chances are this could be an application scripting issue. Let me know how it goes.
If you're not sure on how to perform packet captures from within your Cisco Firewall, please refer to this URL;
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide