Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
0
Helpful
5
Replies

FWSM - Servers behind dropping

sjoyce
Level 1
Level 1

‎04-03-2006 11:40 AM - edited ‎03-09-2019 02:29 PM

We have recently installed FWSM into 6509 chassis. Placed several VLANs (with servers attached) behind FWSM with NO restricions. PING OK but next day when users start using the Server Apps they report interruptions to the Servers. We are thinking that this may be a "keepalive" issue on the Servers. Has anyone had this issue? Any ideas on how to address this problem? Thanks Mucho!

Labels:
0 Helpful
5 Replies 5

Patrick Iseli
Level 7
Level 7

‎04-03-2006 06:14 PM

Have you checked the interface statistics, could also be a duplex issue.

See Monitoring PIX Performance: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_tech_notes_list.html

sincerely

Patrick

0 Helpful

lowen
Level 1
Level 1

‎04-06-2006 01:29 PM

It's not clear to me from your description what the problem is. If you're saying that existing connections appear hung after some period of inacitivity (rather than being unable to make new connections), then the problem is probably that your applications (tcp-based) don't use keepalives by default (telnet is an example of this). The default timeout for idle connections is 1 hour, and if you're not using keepalives, the existing connection will not respond after being idle that long (although new connections will be permitted).

There are 2 approaches to fix this ... you can configure the servers to use keepalives (exactly how you do this will vary from application to application and depend on your server operating system), or you can use a policy map to identify the applications that are timing out, and a service policy to reset the idle timeout for these applications.

The latter would look something like this:

access-list 101 permit tcp any any eq telnet

class-map telnet

description telnet traffic

match access-list 101

policy-map telnet

class telnet

set connection timeout tcp 10:00:00 reset

service-policy telnet interface outside

This will set the timeout to 10 hours (I don't knwo what the maximum is), and cause any applications that do timeout to close (reset), rather than hang around looking viable but unresponsive on the client side.

0 Helpful

sjoyce
Level 1
Level 1
In response to lowen

‎04-07-2006 08:40 AM

James thanks for your reply. I believe that you have addressed our problem. We will not know for sure until we move the Server VLANs behind the FWSM again (aprox 04\22). I will let you know.

Thanks Mucho!

0 Helpful

farussell
Level 1
Level 1

‎04-07-2006 01:24 PM

Hi,

Which version of FWSM code are you running? Which ports are you having problems with? There are some big issues with sqlnet 1521.

CSCsc35022 SQLNETfixup nonew connection allocated if oracle setup in shared mode

CSCsc87644 Sqlnet fixup fails to create data connections in some scenarios.

We have run into some very interesting problems with various fixups.

Good luck,

Felice

0 Helpful

sjoyce
Level 1
Level 1
In response to farussell

‎04-10-2006 05:21 AM

Felice, thanks for the info. I will check these out.

0 Helpful
Customers Also Viewed These Support Documents