Re: UDP timeout on FWSM

inthemix1 · ‎03-19-2012

Hi,

I have an issue where udp idle sessions are not being closed after the configured 2 minute timeout, but instead staying open for 1 hour.

FWSM Version

FWSM Firewall Version 4.0(12)

Timeout configuration

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Connections

fwsm# show conn

UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:64795 idle 0:28:16 Bytes 376 FLAGS -

UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:53936 idle 0:18:15 Bytes 376 FLAGS -

UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:54244 idle 0:58:18 Bytes 376 FLAGS -

UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:52696 idle 0:38:17 Bytes 376 FLAGS -

UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:50206 idle 0:08:15 Bytes 376 FLAGS -

UDP InterfaceA 192.168.1.1:123 InterfaceB 192.168.2.1:54245 idle 0:48:18 Bytes 376 FLAGS -

NOTE: 192.168.2.1 is a PC polling an NTP (192.168.1.1) server every 10 minutes.

Any help would be greatly appreciated.

Cheers

Dan-Ciprian Cicioiu · ‎03-19-2012

Hi ,

If you do not have any policy-map applied that changes the UDP/123 timeouts, it might be a bug.

CSCso29047 Bug Details

set random-seq-number disable in MPC affects on UDP/ICMP conn timeout

Symptom:

When random-sequence-number is disabled in policy-map, this causes the UDP connection timeout set to 60 minutes when global timeout for UDP/ ICMP is set to two minutes.

Conditions:

Random-sequence-number is disabled in policy-map.

Workaround:

Do not disable random-sequence-number feature

If this is not the case, you can try opening a TAC case.

In my opinion I would upgrade the software first.

Regards

Dan