02-06-2013 04:58 PM - edited 03-11-2019 05:57 PM
Source: A workstation.
Destination: A webserver
Let's say the source initiated a TCP session towards the destination through the ASA and data was passed through it. The session has stayed idle for 1 hour after the passage of data. The timeout for TCP sessions on the firewall has been defined as 1:00:00. The firewall will time out the session after 1 hour of idle time.
Question1: Is the source or the destination notified that the session has been timed out and the flow no longer exists and that the source should delete the state?
Question2: How long will the source or the destination have the TCP port open for?
Thanks,
DJ
02-07-2013 12:05 AM
Hi,
To my understanding the Cisco Firewall doesn't notify the host/server at all regarding the state of the connection on the actual firewall when we are talking about a connection that simply gets removed because of being idle on the firewall and reaching the configured timeout values.
The firewall also doesn't send anything when it blocks connections because of ACL. The TCP connection simply times out.
I think there are options on the ASA to modify the behaviour and send TCP RST for connections for example, or configure something that determines if the connection is still active... among other things. I just haven't played around with them that much to be honest.
Here's a link to the ASA 9.1 Command Reference for a configuration command that provides these possibilities (not alone by itself of course):
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/s1.html#wp1453113
I'd imagine it's down to the host/server/software/etc. to control how long the port stays open for. The firewall settings might simply time out the connection and therefore block any continuation traffic if the hosts still think that the connection was up/active (though usually I'd assume the endpoints either TCP RST or TCP FIN the connection).
- Jouni
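The answer above makes the practical point that the firewall ages the connection out silently, so the endpoints keep their sockets open until their own stacks decide otherwise. The usual endpoint-side mitigation is TCP keepalive with the first probe sent before the firewall's idle timeout expires, so that the flow never looks idle to the firewall and a dead peer is noticed in bounded time. The example below is added here and is not code from the thread or from Cisco; it assumes the firewall resets its idle timer on any segment of the flow (including keepalive probes), uses the 1:00:00 timeout from the question, and the helper names and the 50% margin are my own choices.

```python
import socket

# Firewall idle timeout from the thread: 1:00:00, i.e. 3600 seconds.
FIREWALL_IDLE_TIMEOUT = 3600


def keepalive_params(fw_timeout, margin=0.5, interval=60, probes=5):
    """Pick TCP keepalive settings for an endpoint behind a firewall whose
    idle timeout is fw_timeout seconds.

    idle     - seconds of silence before the first probe; a fraction (margin)
               of the firewall timeout, so a probe crosses the firewall before
               it ages the connection out (assumption: probes refresh the
               firewall's idle timer like any other segment of the flow).
    interval - seconds between unanswered probes.
    probes   - unanswered probes before the kernel declares the peer dead.
    Returns (idle, interval, probes)."""
    if not 0 < margin < 1:
        raise ValueError("margin must leave headroom below the firewall timeout")
    idle = int(fw_timeout * margin)
    return idle, interval, probes


def enable_keepalive(sock, fw_timeout=FIREWALL_IDLE_TIMEOUT):
    """Turn on TCP keepalive on sock with parameters derived from fw_timeout.
    Option names differ per OS: Linux/Windows use TCP_KEEPIDLE, macOS uses
    TCP_KEEPALIVE for the same idle setting; options the platform lacks are
    skipped (the kernel default then applies, which may exceed fw_timeout)."""
    idle, interval, probes = keepalive_params(fw_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    elif hasattr(socket, "TCP_KEEPALIVE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return idle, interval, probes


def keepalive_enabled(sock):
    """Read SO_KEEPALIVE back from the socket."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def dead_peer_detect_time(idle, interval, probes):
    """Worst-case seconds until the local stack notices the peer (or the path
    through the firewall) is gone: the idle wait plus every unanswered probe.
    This bounds how long the port in Question 2 stays open after the firewall
    has dropped the flow."""
    return idle + interval * probes


def demo(fw_timeout=FIREWALL_IDLE_TIMEOUT):
    """Create an unconnected TCP socket, apply keepalive and report the
    effective settings; setsockopt works before connect(), so this runs
    offline without a peer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        idle, interval, probes = enable_keepalive(sock, fw_timeout)
        return {
            "keepalive_on": keepalive_enabled(sock),
            "first_probe_before_fw_timeout": idle < fw_timeout,
            "detect_time": dead_peer_detect_time(idle, interval, probes),
        }
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo())
```

With the thread's 1:00:00 timeout this sends the first probe after 30 minutes of silence, so the firewall keeps the conn entry for as long as the peer answers, and an endpoint whose peer has vanished gives up after 30 minutes plus five unanswered probes (35 minutes in total) instead of holding the port indefinitely. The firewall-side counterpart is the ASA option Jouni links to, which lets the firewall itself probe before removing an idle conn.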
02-07-2013 09:37 AM
Hi Jouni,
Thanks for the explanation and the link, it's a great find. As I understand then, the ASA will only notify end hosts using a RST that the connection has been timed out if such a feature has been specifically configured by defining a policy map/class map in the global config and binding it to an interface.
Thanks again,
DJ