06-22-2011 07:03 AM - edited 03-11-2019 01:48 PM
Hi,
A customer network is set up with 2 ASAs (both with v8.32) including asymmetric routing:

Internet                       Remote Network (Server HTTPS)
    |                                        |
    |                                        |
    |                                        |
    |                                        |
  ASA1                                      ASA2
(Gateway)                                    |
    |                                        |
    |----------------------------------------|
                         |
                        LAN
                      User PC

ASA 1 has routes to the remote network, and TCP-state-bypass set up in the global policy. HTTPS connections are made from the User PC using a Browser to a HTTPS server on the remote network.
TCP connections are working fine, but I am receiving "connection timeouts" about an hour after the connection is made (see logs attached). This is regardless of the client using the connection or not. So users are being kicked out of their session after about an hour. If I enter a static route on the client PC pointing to ASA2, the connection stays open. This means that the problem has to lie with ASA1, even though TCP state-bypass is configured.
Would appreciate any advice on this!
Regards,
Ingo
06-22-2011 07:09 AM
We would need to see the following from both ASAs.
1. sh run timeout
2. sh run policy-map and the associated class-map and access-lists
3. syslogs when the user gets kicked out.
-KS
06-22-2011 10:08 PM
Thank you for the quick reply! The problem might not be resulting from asymmetric routing, since the customer reported closed connections even when a static route is added (the info I received above wasn't entirely correct). I will verify this myself hopefully tomorrow.
I noticed the default timeout conn is set to 1 hour on both ASAs:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
My next step would be to increase this timeout, to see if it has an influence.