ASA5505 and TCP connection drops?

Jun 10th, 2010

Hi there. I have a strange issue.

I have an ASA 5505 with some clients behind it who connect to an offsite database.

They run the application all day, but for longer periods of time, i.e. 1-2 hours, they are idle in the application.

When they start using the application again they get messages that they have been disconnected from the database, or they get an unresponsive application for like 5-10 minutes before it starts to function again.

To solve this I thought I'd increase the TCP timeout, so I did, for the client-server traffic. Now it's set to 4 hrs.

BUT I still get the error??

Has anyone got a clue what could cause this?



Regards Joel

Federico Coto F... Thu, 06/10/2010 - 07:22

Hi,


Isn't the application itself where they're getting disconnected at?

I don't think they are being disconnected by the ASA if you increased the TCP timeout.


Do you know if the PING works all the time (even when they are disconnected)?


I just want to know if the issue is that the connection is being torn down by the ASA or that the application itself disconnects the users after an idle period.


Federico.

j-tagesson Thu, 06/10/2010 - 07:37

Good thinking.

I was thinking that my new 4 hrs tcp timeout sh conn would work as proof that it's not the ASA firewall.

Meanwhile the server guys put a client outside the firewall...

And that client hasn't had the disconnect issue.


So I guess the problem came right back at us. :-)



Ping works all the time btw.

Federico Coto F... Thu, 06/10/2010 - 07:43

mmm...

If the ASA is causing the problem, then it should show in the logs.

Can you post the logs?


Federico.

j-tagesson Thu, 06/10/2010 - 07:56

Here's where it's getting tricky. I can't seem to find anything in the logs. I have set up a syslog server, but either I have set up the logging wrong or it doesn't show any error.

For instance, I get local1.warning and local1.notice but I can't find any errors regarding this communication.

Here's my logging: (attached file)

Am I doing something wrong?

Also, I have logging informational on the rule with the traffic from client to server.

Federico Coto F... Thu, 06/10/2010 - 08:29

You're not getting any logs on the syslog server?

Can you change it to level debugging?


Federico.

j-tagesson Fri, 06/11/2010 - 00:12

Sorry. I'm getting logs to syslog, just not anything interesting with the IP addresses that I've specified.

I can change it to debugging and see if anything happens.

j-tagesson Fri, 06/11/2010 - 00:45

I found out that I had to enable 106100 messages which by default didn't get logged to syslog.. Now I'm getting my traffic sent to the syslog server.

Federico Coto F... Fri, 06/11/2010 - 09:13

Great!

Can you see if you're getting logs related to this connection?


Federico.

rcordeiro Thu, 07/08/2010 - 02:56

Hi,


Did you solve this? I'm having the same problem.


Regards

Michichael Thu, 07/29/2010 - 16:53

Same problem on my end. Only thing I can see is when the connection drops, I get this logged:


6    Jul 29 2010    16:47:56    302014    99.100.154.220    3389    10.20.12.214    9261    Teardown TCP connection 49927 for outside:99.100.154.220/3389 to inside:10.20.12.214/9261 duration 0:13:39 bytes 3083949 TCP Reset-I


That's the only indicator I have of anything going wrong on this, and that's when it drops.

My configuration is all but virgin - no funky ACLs - just base implied allows.
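
The teardown line in the post above ends with the reason field that separates a firewall idle timeout from a reset sent by one of the endpoints, which is the question this thread keeps returning to. As an added example (not part of any post and not Cisco's code), the Python below parses 302014 teardown messages and tallies them by reason; every sample line except the first is constructed, and the `ended_by` labels are this example's own wording.

```python
import re
from collections import Counter

# Teardown reasons as they appear at the end of ASA message 302014. The
# "ended_by" wording is this example's own grouping, not Cisco terminology.
ENDED_BY = {
    "TCP FINs": "endpoint close",
    "TCP Reset-I": "reset from inside",
    "TCP Reset-O": "reset from outside",
    "Conn-timeout": "firewall idle timeout",
    "SYN Timeout": "handshake timeout",
}

TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<a>\S+?:[\d.]+/\d+) to (?P<b>\S+?:[\d.]+/\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?\s*$"
)

def parse_teardown(line):
    """Return the fields of one 302014 teardown line, or None if it is not one."""
    m = TEARDOWN.search(line)
    if not m:
        return None
    reason = (m["reason"] or "").strip()
    known = next((k for k in ENDED_BY if reason.startswith(k)), None)
    return {
        "conn_id": int(m["id"]),
        "peers": (m["a"], m["b"]),
        "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
        "bytes": int(m["bytes"]),
        "reason": reason,
        "ended_by": ENDED_BY.get(known, "other"),
    }

def summarize(lines):
    """Count teardowns by who ended them, skipping unrelated syslog lines."""
    return Counter(r["ended_by"] for r in map(parse_teardown, lines) if r)

SAMPLE = [
    # First line is the one quoted in the post above; the rest are constructed.
    "6 Jul 29 2010 16:47:56 302014 99.100.154.220 3389 10.20.12.214 9261 Teardown TCP connection 49927 for outside:99.100.154.220/3389 to inside:10.20.12.214/9261 duration 0:13:39 bytes 3083949 TCP Reset-I",
    "%ASA-6-302014: Teardown TCP connection 50111 for outside:192.0.2.10/1521 to inside:10.0.0.21/50211 duration 1:00:00 bytes 48211 Conn-timeout",
    "%ASA-6-302014: Teardown TCP connection 50112 for outside:192.0.2.10/1521 to inside:10.0.0.22/50340 duration 0:02:10 bytes 9120 TCP FINs",
    "%ASA-6-106100: access-list inside_in permitted tcp inside/10.0.0.21(50211) -> outside/192.0.2.10(1521) hit-cnt 1 first hit",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_teardown(line))
    print(summarize(SAMPLE))
```

A `Conn-timeout` teardown whose duration equals the configured idle timer points at the firewall's timeout, while `TCP Reset-I` or `TCP Reset-O` means a reset arrived from the inside or outside side of the connection.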

rcordeiro Fri, 07/30/2010 - 02:17

Hi,


My problem was with connections to a database, if the connections reached the idle limit the firewall closes the connection and next time someone did something on the application.

I solved this creating a "Service Application Rule" with an ACL to the interesting traffic and defining 5 hours for the connection timeout (if someone leaves the application idle for more than 5 hours it could easily restart it).


Regards,


Rui Cordeiro

Michichael Fri, 07/30/2010 - 08:54

rcordeiro wrote:


Hi,


My problem was with connections to a database, if the connections reached the idle limit the firewall closes the connection and next time someone did something on the application.

I solved this creating a "Service Application Rule" with an ACL to the interesting traffic and defining 5 hours for the connection timeout (if someone leaves the application idle for more than 5 hours it could easily restart it).


Regards,


Rui Cordeiro


Thanks for the info Rui, unfortunately, I don't think this is the case here. I'll have to keep looking.


This problem happens randomly - download a YouTube video and it will just stop at a random point and you have to refresh the page. Do so and it might work, or might stop at a different point.


Remote desktop to my home server, same thing.


The connections die with a RESET-I logged, but I don't see any reason for the reset.
