UDP timeout ASA

networker99
Level 1

Hi all, just have a few questions about UDP timeout.

1. From what I understand, connectionless protocols such as UDP have to idle out to be closed, as there is no connection information. Is this correct?

2. Do these connections appear in the connection/State table? 

3. If you disable the UDP timeout on the firewall, doesn't this mean that the UDP sessions could fill up the state table, as none of the connections would time out?


3 Replies

Julio Carvajal
VIP Alumni

Hello,

1. There is no need for a connection to be idle in order to be closed, I mean there are other factors that will tear the connection down. Also remember that the ASAs can statefully inspect TCP/UDP (by default) and ICMP if configured.

2. Yes, they appear there.

3. Correct, if you have a timeout 0 0 that will cause some issues (no ports available if PAT is being used, etc.) as none of the connections are being closed.

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
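To make the third point concrete, here is an added toy model (my own illustration, not Cisco's implementation or ASA code) of a stateful firewall's UDP connection table: entries can only leave by idling out, so an idle timeout of 0 (the disabled case the reply warns about) means the constructed, deliberately small PAT port pool is exhausted and new UDP flows are dropped. The flow tuples, pool size and timing are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (src_ip, src_port, dst_ip, dst_port); the protocol is UDP throughout.
Flow = Tuple[str, int, str, int]

@dataclass
class UdpConnTable:
    idle_timeout: float   # seconds; 0 models a disabled timeout (entries never expire)
    pat_pool_size: int    # constructed small PAT port pool so exhaustion is visible
    entries: Dict[Flow, float] = field(default_factory=dict)  # flow -> last packet time
    pat_ports: Dict[Flow, int] = field(default_factory=dict)  # flow -> PAT port in use

    def expire(self, now: float) -> int:
        """Drop entries idle for >= idle_timeout. With no FIN/RST in UDP this is
        the only way an entry ever leaves the table."""
        if self.idle_timeout <= 0:
            return 0
        stale = [f for f, last in self.entries.items() if now - last >= self.idle_timeout]
        for f in stale:
            del self.entries[f]
            self.pat_ports.pop(f, None)
        return len(stale)

    def packet(self, flow: Flow, now: float) -> bool:
        """Handle one UDP packet; False means no PAT port was free and it was dropped."""
        self.expire(now)
        if flow in self.entries:
            self.entries[flow] = now        # known flow: refresh its idle timer
            return True
        used = set(self.pat_ports.values())
        for port in range(self.pat_pool_size):
            if port not in used:            # first free port in the pool
                self.entries[flow] = now
                self.pat_ports[flow] = port
                return True
        return False                        # pool exhausted: new flow dropped

def run_scenario(idle_timeout: float, flows: int, pool: int, interval: float) -> dict:
    """Constructed traffic: `flows` distinct clients each send one DNS query,
    one client every `interval` seconds. Returns drop count and final table size."""
    table = UdpConnTable(idle_timeout, pool)
    dropped = 0
    for i in range(flows):
        flow = (f"10.0.0.{i % 250 + 1}", 40000 + i, "192.0.2.53", 53)
        if not table.packet(flow, i * interval):
            dropped += 1
    return {"dropped": dropped, "in_table": len(table.entries)}

if __name__ == "__main__":
    print("120 s idle timeout:", run_scenario(120, 100, 16, 10))
    print("timeout disabled:  ", run_scenario(0, 100, 16, 10))
```

With the 120 s timeout the table never holds more than 12 entries and nothing is dropped; with the timeout disabled the 16-port pool fills after the first 16 flows and the remaining 84 are dropped.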

"There is no need for a connection to be idle in order to be closed, I mean there are other facts that will turn the connection down,"

Like what?  There is no state information so how does the firewall know the connection is done with?

Hello,

I think I did not explain myself in the last post. I was talking about the behavior of the ASA with a stateful protocol; with the protocol UDP the stateful firewall will use hole punching as the method to detect or keep track of the connection.

Such sessions usually get the ESTABLISHED state immediately after the first packet is seen by the firewall.

Sessions in connectionless protocols (like UDP) can only end by time-out.

But the ASA does keep track of these connections, as I mentioned before.


Hope this helps!

Julio
