We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in the policy-map, the FWSM does not send any TCP reset packet to the endpoints (monitored using Wireshark).
We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F.
Please see the related configuration below:
Traffic originating from outside interface (source IP: 172.16.129.221) destined to an inside host (destination IP: 172.24.250.100) to TCP/22 or TCP/23.
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet log disable
service reset no-connection
match access-list CONNS_TIMEOUT_TEST_ACL
set connection timeout tcp 0:05:00 reset
icmp permit TESTNET_172.24.250.0 255.255.255.0 TESTNET_172.24.250.0/24
access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 255.255.255.0 any log disable
object-group service TEST_OBJECT_GR tcp
port-object eq ssh
port-object eq telnet
access-list outside_access_in extended permit tcp host 172.16.129.221 host 172.24.250.100 object-group TEST_OBJECT_GR log disable
service-policy CONNS_TIMEOUT_TEST_PMAP interface outside
We are planning to upgrade to the latest FWSM v4 software version, because it seems to be a bug. Could anybody help me solve this problem?
Any feedback would be appreciated! Thanks in advance! Belabacsi
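As an added example (not part of the original post or Cisco's documentation), here is the complete MPF structure that the posted fragment appears to have been trimmed from, with the "match" and "set connection" lines placed in their class-map and policy-map contexts, followed by the show commands used to confirm the policy is attached and to watch a connection age toward the timeout. The class-map name CONNS_TIMEOUT_TEST_CMAP is an assumption; the ACL name, policy-map name, addresses and interface are taken from the post.

```cisco
! ACL that selects the flows whose idle timeout should be shortened
access-list CONNS_TIMEOUT_TEST_ACL extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh
access-list CONNS_TIMEOUT_TEST_ACL extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet
!
! Class-map name is assumed; it does not appear in the original post
class-map CONNS_TIMEOUT_TEST_CMAP
 match access-list CONNS_TIMEOUT_TEST_ACL
!
! The timeout and the reset action only take effect inside a policy-map class;
! a bare "set connection" line outside this context is not applied to anything
policy-map CONNS_TIMEOUT_TEST_PMAP
 class CONNS_TIMEOUT_TEST_CMAP
  set connection timeout tcp 0:05:00 reset
!
! Attach the policy on the interface where the matched flows arrive
service-policy CONNS_TIMEOUT_TEST_PMAP interface outside
!
! Verification: confirm the class is being hit, then watch the idle timer
show service-policy interface outside
show conn | include 172.24.250.100
```

The RST is only generated when the idle timer of a matched connection actually expires, so to observe it the SSH or Telnet session must stay completely idle (no client or server keepalives) for the full 0:05:00, and the Wireshark capture must span that whole window on the segment facing the endpoint being watched. If the class counters in "show service-policy" stay at zero, the flows are not matching the class, and no timeout or reset will ever be applied to them regardless of the "reset" keyword.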