FWSM + TCP reset problem

Bela Mareczky
Level 1

Hi All!

We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in policy-map, FWSM does not send any TCP-reset packet to the endpoints (monitored using WireShark).

We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F

Please see the related configuration below:

Traffic originating from outside interface (source IP: 172.16.129.221) destined to an inside host (destination IP: 172.24.250.100) to TCP/22 or TCP/23.

!
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet log disable
!
!
service reset no-connection
!
class-map CONNS_TIMEOUT_TEST_CMAP
 match access-list CONNS_TIMEOUT_TEST_ACL
!
policy-map CONNS_TIMEOUT_TEST_PMAP
 class CONNS_TIMEOUT_TEST_CMAP
  set connection timeout tcp 0:05:00 reset
!
icmp permit TESTNET_172.24.250.0 255.255.255.0 TESTNET_172.24.250.0/24
access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 255.255.255.0 any log disable
!
object-group service TEST_OBJECT_GR tcp
 port-object eq ssh
 port-object eq telnet
access-list outside_access_in extended permit tcp host 172.16.129.221 host 172.24.250.100 object-group TEST_OBJECT_GR log disable
!
!
service-policy CONNS_TIMEOUT_TEST_PMAP interface outside
!

We are planning to upgrade to the latest FWSM v4 software version, because it seems to be a bug. Could anybody help me solve this problem?

Any feedback would be appreciated! Thanks in advance! Belabacsi
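As an added illustration (not from the original post and not Cisco code), the check below reads a tshark field export of the kind a Wireshark capture of this test would produce and reports, per TCP flow, whether a RST arrived after the configured idle timeout. The tshark field list, the export format and the sample packet lines are assumptions and constructed data for this example; `parse_timeout` reads the `0:05:00` form used in the policy-map above. A reset generated by the firewall is addressed as if it came from the peer endpoint, so flows are keyed by the unordered endpoint pair rather than by direction.

```python
"""Verify firewall idle-timeout resets from a tshark field export.

Assumed export command (an assumption, not from the thread):
  tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src \
         -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.reset
"""
from collections import defaultdict

# Constructed sample, tab-separated as tshark -T fields emits it.
# Flow 1 (SSH): last activity at 0.100 s, a RST toward the outside host
# arrives 301.1 s later, i.e. right after a 0:05:00 idle timeout.
# Flow 2 (Telnet): goes idle and never sees a RST (the behaviour reported).
SAMPLE_EXPORT = """\
0.000\t172.16.129.221\t41000\t172.24.250.100\t22\t0
0.050\t172.24.250.100\t22\t172.16.129.221\t41000\t0
0.100\t172.16.129.221\t41000\t172.24.250.100\t22\t0
301.200\t172.24.250.100\t22\t172.16.129.221\t41000\t1
0.000\t172.16.129.221\t41001\t172.24.250.100\t23\t0
0.030\t172.24.250.100\t23\t172.16.129.221\t41001\t0
900.000\t172.16.129.221\t41001\t172.24.250.100\t23\t0
"""


def parse_timeout(hms):
    """Convert the h:mm:ss form of 'set connection timeout tcp' to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_export(text):
    """Parse tab-separated tshark field lines into packet records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, rst = line.split("\t")
        records.append({
            "time": float(t), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            # tshark prints booleans as 1/0 or True/False depending on version
            "rst": rst.strip().lower() in ("1", "true"),
        })
    return records


def flow_key(rec):
    """Direction-independent flow key: sorted (ip, port) endpoint pair."""
    a, b = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return f"{a[0]}:{a[1]}<->{b[0]}:{b[1]}"


def check_idle_reset(records, timeout_s, slack_s=30.0):
    """Per flow: idle gap before the first RST and whether it matches the timeout.

    reset_after_timeout is True only when a RST follows the last non-RST
    packet by at least timeout_s and at most timeout_s + slack_s.
    """
    flows = defaultdict(list)
    for rec in records:
        flows[flow_key(rec)].append(rec)
    report = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda r: r["time"])
        rsts = [r["time"] for r in pkts if r["rst"]]
        first_rst = rsts[0] if rsts else None
        activity = [r["time"] for r in pkts
                    if not r["rst"] and (first_rst is None or r["time"] < first_rst)]
        last_activity = max(activity) if activity else None
        gap = None
        if first_rst is not None and last_activity is not None:
            gap = first_rst - last_activity
        report[key] = {
            "last_activity": last_activity,
            "rst_time": first_rst,
            "idle_gap": gap,
            "reset_after_timeout": gap is not None
            and timeout_s <= gap <= timeout_s + slack_s,
        }
    return report


if __name__ == "__main__":
    timeout = parse_timeout("0:05:00")
    for flow, result in check_idle_reset(parse_export(SAMPLE_EXPORT), timeout).items():
        status = "RST after timeout" if result["reset_after_timeout"] else "NO reset seen"
        print(f"{flow}: {status} (idle gap {result['idle_gap']})")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; a flow that shows `NO reset seen` after a capture window longer than the timeout plus slack is the symptom described in the post.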

9 Replies

Bela Mareczky
Level 1

News: We have updated to the latest FWSM software version: v4.0(6) but the problem still exists.

I have tested the configuration using ASA software version v8.2.1 (above configuration + TCP state bypass global map) and sending TCP reset is OK with ASA!

Any idea? Maybe FWSM bug?

Any feedback would be appreciated! Thanks in advance! Belabacsi

vmoopeung
Level 5

The URL below provides a sample configuration for PIX 7.1(1) and later of a timeout that is specific to a particular application such as SSH/Telnet/HTTP, as opposed to one that applies to all applications. This configuration example uses the new Modular Policy Framework introduced in PIX 7.0. This feature is not applicable in an IPsec VPN environment.

In this sample configuration, the PIX Firewall is configured to allow the workstation (10.77.241.129) to Telnet/SSH/HTTP to the remote server (10.1.1.1) behind the router. A separate connection timeout to Telnet/SSH/HTTP traffic is also configured. All other TCP traffic continues to have the normal connection timeout value associated with timeout conn 1:00:00.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml

Adam Makovecz
Level 1

Hi,

I'm looking at this issue, once the TAC case has been resolved I'll let you know.

Any further updates are welcome on amakovec@cisco.com.

We are still investigating the fix for this issue. It is more of a design question now. Soon we will have some information that we can share.

Dear Adam!

Thanks for the info!

Regards

Belabacsi

Budapest, Hungary

Hi Adam - Is there any update after this? We are also facing the same kind of strange REST-I issue in our FWSM Firewalls.

Regards...KSA

Dear Bélabá! :-)

Has a solution been found yet for the problem outlined above?

We could also use a bit of RST for the less frequently used TCP connections!

Regards,

Dear Károly! :-)

Unfortunately, in its current state the FWSM still does not send a TCP RESET; we also very much miss this capability. (We are currently using version v4.1(6).) I have no information on how the arrival of the ASASM will affect FWSM development, but I hope the feature will be implemented soon :-)

Best regards,

Bélabá

Thank you! :-)
