ASA breaks ASP application on IIS

Unanswered Question
Nov 5th, 2009

We have a Windows 2003 server running IIS and a custom-built application on it. Before we switched to an ASA5520 we had a Watchguard Firebox appliance in front of it and all was good. After the switch to the ASA we started getting reports of the application not working correctly. We got the programmers to look at it and they said that it seemed to be some problem with the application session state info communication with client machines. Since the application code had not changed, I looked at the firewall switch. Sure enough, when we run the application from inside the firewall it works as it should. Clients coming in from the outside and thru the ASA have problems. What type of configuration setting should I be looking for on the ASA to fix this?



Panos Kampanakis Fri, 11/06/2009 - 10:45

It all depends on the application. If it is that the app keeps a conn open more than 1h idle then the ASA will time it out and close it. You can change the connection timeouts for that conn by using a class map and a policy map to do "set connection timeout". Here is an example:

access-list app-acl ext perm tcp host host
class-map app_traffic
 match access-list app-acl
policy-map global-policy
 class app_traffic
  set connection timeout tcp 3:0:0 (timeout of 3 hours)

I hope it helps.


DIEGO ALONSO Fri, 11/06/2009 - 12:52

I don't think it's a connection timeout because the problem shows when users are filling out forms and clicking "submit" or "ok" buttons. They are never sitting idle for more than a couple of seconds actually.

The developers think that somehow the ASA is creating multiple connections and/or sessions for the clients so that when they click submit or ok the application responds to the incorrect session. Does that make sense?
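
One way to test the idle-timeout theory from this thread against the firewall's own logs (an added example, not part of any post): the script below tallies the teardown reason the ASA records in syslog message 302014 for connections to the web server. The sample log lines, addresses and the function name `teardown_summary` are constructed for illustration, and it assumes informational-level syslog from the ASA is being collected.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA 302014 (TCP teardown) syslog format.
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Nov 06 2009 10:01:02: %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51000 to inside:192.0.2.10/80 duration 0:00:04 bytes 5120 TCP FINs
Nov 06 2009 10:01:09: %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/51001 to inside:192.0.2.10/80 duration 0:00:02 bytes 830 TCP Reset-I
Nov 06 2009 11:30:00: %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.9/40000 to inside:192.0.2.10/80 duration 1:00:00 bytes 2048 Conn-timeout
Nov 06 2009 11:31:00: %ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.9/40001 to inside:192.0.2.25/25 duration 0:00:01 bytes 100 TCP FINs
"""

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<a_if>[^:\s]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>[^:\s]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

def seconds(hms):
    """Convert the ASA's h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def teardown_summary(log_text, server_ip, server_port):
    """Count teardown reasons for one server and list idle-timeout closes."""
    reasons = Counter()
    idle_timeouts = []  # (connection id, lifetime in seconds)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue
        endpoints = {(m["a_ip"], int(m["a_port"])), (m["b_ip"], int(m["b_port"]))}
        if (server_ip, server_port) not in endpoints:
            continue
        reason = m["reason"].strip() or "(none)"
        reasons[reason] += 1
        if reason == "Conn-timeout":  # closed by the ASA's idle timer
            idle_timeouts.append((int(m["id"]), seconds(m["dur"])))
    return reasons, idle_timeouts

if __name__ == "__main__":
    counts, idle = teardown_summary(SAMPLE_LOG, "192.0.2.10", 80)
    print(dict(counts))
    print("closed by idle timer:", idle)
```

If the form-submit failures line up with `Conn-timeout` entries, raising the timeout is the relevant change; if the connections end with FINs or resets after a few seconds, the idle timer is not what is closing them.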



