FWSM + TCP reset problem

Unanswered Question
Aug 11th, 2009

Hi All!

We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in policy-map, FWSM does not send any TCP-reset packet to the endpoints (monitored using WireShark).

We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F

Please see the related configuration below:

Traffic originating from outside interface (source IP: destined to an inside host (destination IP: to TCP/22 or TCP/23.


access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host host eq ssh log disable
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host host eq telnet log disable

service reset no-connection

match access-list CONNS_TIMEOUT_TEST_ACL

set connection timeout tcp 0:05:00 reset

icmp permit TESTNET_172.24.250.0 TESTNET_172.24.250.0/24
access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 any log disable

object-group service TEST_OBJECT_GR tcp
port-object eq ssh
port-object eq telnet
access-list outside_access_in extended permit tcp host host object-group TEST_OBJECT_GR log disable

service-policy CONNS_TIMEOUT_TEST_PMAP interface outside


We are planning to upgrade to the latest FWSM v4 software version, because it seems to be a bug. Could anybody help me to solve this problem?

Any feedback would be appreciated! Thanks in advance! Belabacsi
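The check described above (watching the endpoints for an injected RST once the 5-minute idle timeout expires) can be automated instead of eyeballed in Wireshark. The script below is an added example, not part of this thread or of any Cisco tool; the packet records and addresses are constructed placeholders, since the thread's real IPs are not preserved, and the record format is assumed to be what you would export from a capture.

```python
# Added example: verify whether the firewall injected a TCP RST after the
# idle timeout configured with "set connection timeout tcp 0:05:00 reset".
from collections import defaultdict

IDLE_TIMEOUT = 5 * 60  # seconds, matches "0:05:00" in the policy-map

# Constructed sample capture as seen on the endpoints:
# (time_s, src, sport, dst, dport, tcp_flags). Addresses are placeholders.
PACKETS = [
    (0.0,   "203.0.113.10", 40000, "192.0.2.20", 22, "S"),
    (0.1,   "192.0.2.20",   22, "203.0.113.10", 40000, "SA"),
    (0.2,   "203.0.113.10", 40000, "192.0.2.20", 22, "A"),
    (400.0, "203.0.113.10", 40000, "192.0.2.20", 22, "PA"),  # 400 s idle, no RST
    (0.0,   "203.0.113.10", 40001, "192.0.2.20", 23, "S"),
    (0.1,   "192.0.2.20",   23, "203.0.113.10", 40001, "SA"),
    (0.2,   "203.0.113.10", 40001, "192.0.2.20", 23, "A"),
    (301.0, "192.0.2.20",   23, "203.0.113.10", 40001, "R"),  # RST after timeout
]

def flow_key(pkt):
    """Direction-independent key so both sides of a connection group together."""
    _, src, sport, dst, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (a, b) if a < b else (b, a)

def check_reset_behaviour(packets, idle_timeout=IDLE_TIMEOUT):
    """Return a verdict per flow: did an idle gap exceed the timeout, and if so,
    was the next packet the firewall's RST or ordinary traffic (i.e. no reset)?"""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p[0]):
        flows[flow_key(p)].append(p)
    results = {}
    for key, pkts in flows.items():
        last_seen = pkts[0][0]
        verdict = "no idle period exceeded timeout"
        for p in pkts[1:]:
            gap = p[0] - last_seen
            if gap > idle_timeout:
                # With the "reset" keyword the firewall should have sent RST to
                # both endpoints by last_seen + idle_timeout.
                verdict = "RST injected" if "R" in p[5] else "MISSING RST (data after timeout)"
                break
            last_seen = p[0]
        results[key] = verdict
    return results

if __name__ == "__main__":
    for key, verdict in check_reset_behaviour(PACKETS).items():
        print(key, "->", verdict)
```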

Bela Mareczky Mon, 08/17/2009 - 00:29

News: We have updated to the latest FWSM software version: v4.0(6) but the problem still exists.

I have tested the configuration using ASA software version v8.2.1 (above configuration + TCP state bypass global map) and sending TCP reset is OK with ASA!

Any idea? Maybe FWSM bug?

Any feedback would be appreciated! Thanks in advance! Belabacsi

vmoopeung Mon, 08/17/2009 - 11:30

The URL below provides a sample configuration for PIX 7.1(1) and later of a timeout that is specific to a particular application such as SSH/Telnet/HTTP, as opposed to one that applies to all applications. This configuration example uses the new Modular Policy Framework introduced in PIX 7.0. This feature is not applicable in an IPsec VPN environment.

In this sample configuration, the PIX Firewall is configured to allow the workstation ( to Telnet/SSH/HTTP to the remote server ( behind the router. A separate connection timeout to Telnet/SSH/HTTP traffic is also configured. All other TCP traffic continues to have the normal connection timeout value associated with timeout conn 1:00:00.


Adam Makovecz Wed, 10/27/2010 - 01:13

We are still investigating the fix for this issue. It is more like a design question now. Soon we will have some info that we can share.

santosh.madaiah... Thu, 08/04/2011 - 03:45

Hi Adam - Is there any update after this? We are also facing the same kind of strange REST-I issue in our FWSM firewalls.


KAROLY KOHEGYI Fri, 09/23/2011 - 06:17

Dear Bélabá! :-)

Has a solution been found yet for the problem outlined above?

We could also use a little RST for the less frequently used TCP connections!


Bela Mareczky Mon, 10/10/2011 - 04:48

Dear Károly! :-)

Unfortunately, in its current state the FWSM still does not send a TCP-RESET; we also badly miss this capability. (We are currently using version v4.1(6).) I have no information about how the arrival of the ASASM will affect FWSM development, but I hope the feature will be implemented soon :-)



