04-03-2006 11:40 AM - edited 03-09-2019 02:29 PM
We have recently installed FWSM into 6509 chassis. Placed several VLANs (with servers attached) behind FWSM with NO restrictions. PING OK but next day when users start using the Server Apps they report interruptions to the Servers. We are thinking that this may be a "keepalive" issue on the Servers. Has anyone had this issue? Any ideas on how to address this problem? Thanks Mucho!
04-03-2006 06:14 PM
Have you checked the interface statistics, could also be a duplex issue.
See Monitoring PIX Performance: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_tech_notes_list.html
sincerely
Patrick
04-06-2006 01:29 PM
It's not clear to me from your description what the problem is. If you're saying that existing connections appear hung after some period of inactivity (rather than being unable to make new connections), then the problem is probably that your applications (tcp-based) don't use keepalives by default (telnet is an example of this). The default timeout for idle connections is 1 hour, and if you're not using keepalives, the existing connection will not respond after being idle that long (although new connections will be permitted).
There are 2 approaches to fix this ... you can configure the servers to use keepalives (exactly how you do this will vary from application to application and depend on your server operating system), or you can use a policy map to identify the applications that are timing out, and a service policy to reset the idle timeout for these applications.
The latter would look something like this:
access-list 101 permit tcp any any eq telnet
class-map telnet
description telnet traffic
match access-list 101
policy-map telnet
class telnet
set connection timeout tcp 10:00:00 reset
service-policy telnet interface outside
This will set the timeout to 10 hours (I don't know what the maximum is), and cause any applications that do timeout to close (reset), rather than hang around looking viable but unresponsive on the client side.
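The first approach above (host-side TCP keepalives) as an added example, not code from the thread: it picks keepalive timings that refresh the firewall's connection entry before the 1-hour default idle timer expires, and applies them to a socket. The timeout value and probe count are assumptions for illustration; the option names differ by OS, so it sets whatever the platform exposes.

```python
import socket

# Default idle connection timeout stated in the thread: 1 hour (assumed unchanged on the FWSM).
FWSM_DEFAULT_IDLE_TIMEOUT = 3600


def keepalive_parameters(firewall_idle_timeout=FWSM_DEFAULT_IDLE_TIMEOUT,
                         probes=3, safety_margin=0.5):
    """Choose (idle, interval, probe_count) so the first probe goes out well before
    the firewall's idle timer fires, and even a fully failed probe cycle finishes
    before the firewall would have dropped the connection entry anyway."""
    if firewall_idle_timeout <= 0:
        raise ValueError("firewall idle timeout must be positive")
    idle = max(1, int(firewall_idle_timeout * safety_margin))
    interval = max(1, (firewall_idle_timeout - idle) // (probes + 1))
    return idle, interval, probes


def enable_tcp_keepalive(sock, firewall_idle_timeout=FWSM_DEFAULT_IDLE_TIMEOUT):
    """Turn on keepalives on an existing TCP socket and tune the timers.
    Returns the (idle, interval, probes) values that were applied."""
    idle, interval, probes = keepalive_parameters(firewall_idle_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux: TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT; macOS: the idle timer is TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return idle, interval, probes


def keepalive_enabled(sock):
    """Read back SO_KEEPALIVE so the setting can be verified on a live socket."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def demo_socket_keepalive():
    """Create an unconnected TCP socket, enable keepalives, and confirm the flag stuck."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_tcp_keepalive(sock)
        return keepalive_enabled(sock)
    finally:
        sock.close()
```

With the defaults this sends the first probe after 30 minutes of silence, so a telnet-style session that would otherwise sit idle past the hour keeps its entry on the FWSM.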
04-07-2006 08:40 AM
James thanks for your reply. I believe that you have addressed our problem. We will not know for sure until we move the Server VLANs behind the FWSM again (approx. 04/22). I will let you know.
Thanks Mucho!
04-07-2006 01:24 PM
Hi,
Which version of FWSM code are you running? Which ports are you having problems with? There are some big issues with sqlnet 1521.
CSCsc35022 SQLNET fixup no new connection allocated if oracle setup in shared mode
CSCsc87644 Sqlnet fixup fails to create data connections in some scenarios.
We have run into some very interesting problems with various fixups.
Good luck,
Felice
04-10-2006 05:21 AM
Felice, thanks for the info. I will check these out.