Is source notified after TCP timeout on firewall?

dhananjay95929
Level 1

Source: A workstation.

Destination: A webserver

Let's say the source initiated a TCP session towards the destination through the ASA and data was passed through it. The session has stayed idle for 1 hour after the passage of data. The timeout for TCP sessions on the firewall has been defined as 1:00:00. The firewall will time out the session after 1 hour of idle time.

Question 1: Is the source or the destination notified that the session has been timed out and the flow no longer exists, and that the source should delete the state?

Question 2: How long will the source or the destination have the TCP port open for?

Thanks,

DJ

2 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding, the Cisco firewall doesn't notify the host/server at all regarding the state of the connection on the actual firewall when we are talking about a connection that simply gets removed because of being idle on the firewall and reaching the configured timeout values.

The firewall also doesn't send anything when it blocks connections because of an ACL. The TCP connection simply times out.

I think there are options on the ASA to modify the behaviour and send a TCP RST for connections, for example, or configure something that determines if the connection is still active... among other things. I just haven't played around with them that much, to be honest.

Here's a link to the ASA 9.1 Command Reference for a configuration command that provides these possibilities (not alone by itself, of course):

http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/s1.html#wp1453113

I'd imagine it's down to the host/server/software/etc. to control how long the port stays open for. The firewall settings might simply time out the connection and therefore block any continuation traffic if the hosts still think that the connection was up/active (though usually I'd assume the endpoints either TCP RST or TCP FIN the connection).

- Jouni

Hi Jouni,

Thanks for the explanation and the link; it's a great find. As I understand it then, the ASA will only notify end hosts using an RST that the connection has been timed out if such a feature has been specifically configured by defining a policy map/class map in the global config and binding it to an interface.

Thanks again,

DJ
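The configuration Jouni points at and DJ summarises, written out as an added example (this is not from the thread or from Cisco's documentation; the ACL, class-map, policy-map and interface names, and the server address 192.0.2.10, are assumptions made for the example). The global `timeout conn` line shows the default behaviour the question describes; the MPF policy below it adds the two per-class options that change what the endpoints experience:

```cisco
! Global idle timeout for established TCP connections (1 hour is the ASA
! default). When it expires the connection entry is silently removed and
! neither endpoint is told anything.
timeout conn 1:00:00

! Per-class override through the Modular Policy Framework. The names,
! the server address and the interface name are assumptions for this example.
access-list WEB-SERVER extended permit tcp any host 192.0.2.10 eq www

class-map WEB-SERVER-CONN
 match access-list WEB-SERVER

policy-map OUTSIDE-POLICY
 class WEB-SERVER-CONN
  ! Same 1-hour idle limit, but "reset" makes the ASA send a TCP RST to
  ! both endpoints when it tears the connection down, so their sockets
  ! see the failure immediately instead of waiting on retransmissions.
  set connection timeout idle 1:00:00 reset
  ! Dead Connection Detection: after 15 s of idle time the ASA probes both
  ! endpoints, retrying up to 5 times. If both answer, the idle timer is
  ! reset and the connection survives; if either stops answering, the
  ! connection is removed.
  set connection timeout dcd 0:00:15 5

! Bind the policy to the interface facing the clients.
service-policy OUTSIDE-POLICY interface outside

! Verify: the connection entry with its remaining idle time, and the
! policy counters on the interface.
! show conn address 192.0.2.10
! show service-policy interface outside
```

Without the `reset` keyword the answer to Question 1 is "nobody": the next segment an endpoint sends on the expired flow simply matches no connection entry and is dropped (the ASA does not create a connection from a non-SYN segment), so the sender retransmits until its own TCP retransmission limit gives up. For Question 2, an endpoint that never sends again keeps the socket open indefinitely unless TCP keepalives or an application timer intervene, and keepalives are usually no help here because the default idle period before the first keepalive on Linux (7200 s) is longer than the ASA's 1-hour default. DCD is the option to use when the connection should be kept alive from the firewall's side; `reset` is the option to use when the endpoints should be told promptly that it is gone.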
