ASA-5585-X 8.4(6)5 Idle connections are not being removed according to timeout settings

Jouni Forss
VIP Alumni

Hi,

Just a quick question if anybody has run into a bug where the ASA's "timeout" settings are not being applied to idle connections.

It seems that our ASA running software level 8.4(6)5 is not tearing down connections. This mainly seems to be a problem in one Security Context where there are around 300k UDP connections (related to VoIP phones) that are not being torn down. Idle timers on the connections are going as far as 700 hours. Common to all the UDP connections is also the fact that only 19 bytes of data have been transmitted on the connection built on the firewall. I am not sure what the purpose of these UDP connections is, as both the source and destination ports are random high ports.

I was not able to find any Bug ID whose description would match the situation I am seeing. I did not see anything in the release notes of 8.4(7) or its interim releases either that would list this kind of bug.

- Jouni
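One way to confirm the symptom described above before opening a TAC case is to pull `show conn` output off the box and compare each connection's idle time against the configured timeout for its protocol. The script below is an added example, not code from the thread or from Cisco: the `show conn` lines are constructed to resemble the ASA format (`PROTO out_if addr:port in_if addr:port, idle H:MM:SS, bytes N, flags F`), the idle field is assumed to keep counting hours past 24 rather than rolling into days, and the timeouts default to the ASA defaults (`timeout udp 0:02:00`, `timeout conn 1:00:00`) unless you pass the values from your own `show running-config timeout`.

```python
"""Flag ASA connections whose idle time exceeds the configured timeout.

Added example for the thread above; the sample output is constructed, the
'show conn' line layout and the H:MM:SS idle format are assumptions, and the
timeout values are the ASA defaults unless overridden by the caller.
"""
import re
from collections import Counter

# Constructed sample resembling 'show conn' output (not captured from a real ASA).
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 inside 192.0.2.25:51234, idle 0:00:07, bytes 48211, flags UIO
UDP outside 203.0.113.20:41512 inside 192.0.2.31:38871, idle 700:14:02, bytes 19, flags -
UDP outside 203.0.113.21:40277 inside 192.0.2.32:45120, idle 512:03:55, bytes 19, flags -
UDP outside 203.0.113.5:53 inside 192.0.2.40:55001, idle 0:00:01, bytes 140, flags -
TCP outside 203.0.113.11:22 inside 192.0.2.26:50100, idle 3:10:00, bytes 9000, flags UIO
"""

# Assumed timeouts in seconds: ASA defaults ('timeout conn 1:00:00' for TCP,
# 'timeout udp 0:02:00' for UDP). Replace with your running-config values.
DEFAULT_TIMEOUTS = {"TCP": 3600, "UDP": 120}

# Assumed line layout; the flags field is optional so UDP entries without it still match.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_addr>\S+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>\S+),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),"
    r"\s+bytes\s+(?P<bytes>\d+)"
)


def idle_to_seconds(idle):
    """Convert an H:MM:SS idle timer (hours may exceed 24) to seconds."""
    hours, minutes, seconds = (int(part) for part in idle.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_show_conn(text):
    """Parse 'show conn' text into a list of dicts; non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        match = CONN_RE.match(line.strip())
        if not match:
            continue
        conn = match.groupdict()
        conn["idle_seconds"] = idle_to_seconds(conn["idle"])
        conn["bytes"] = int(conn["bytes"])
        conns.append(conn)
    return conns


def stale_connections(conns, timeouts=DEFAULT_TIMEOUTS):
    """Return connections idle longer than the timeout for their protocol.

    On a healthy ASA this list should be empty (or nearly so, allowing for the
    one-minute granularity of the timeout sweep); a large result with idle
    timers far past the timeout is the symptom described in the thread.
    """
    return [c for c in conns if c["idle_seconds"] > timeouts[c["proto"]]]


def summarize(conns):
    """Count stale connections by (protocol, bytes) to expose a common signature."""
    return Counter((c["proto"], c["bytes"]) for c in conns)


if __name__ == "__main__":
    parsed = parse_show_conn(SAMPLE_SHOW_CONN)
    stale = stale_connections(parsed)
    for c in stale:
        print(f"{c['proto']} {c['out_addr']} -> {c['in_addr']} idle {c['idle']} "
              f"({c['idle_seconds']} s) bytes {c['bytes']}")
    print("stale by (proto, bytes):", dict(summarize(stale)))
```

Run it against a saved `show conn` capture (for example, `show conn | include UDP` piped to a file) and feed the file contents to `parse_show_conn`; the `summarize` output makes it easy to see whether, as in the thread, the stuck entries share a byte count, which is the detail worth quoting when matching the behaviour against a bug description.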

3 Replies

Dinesh Moudgil
Cisco Employee

Hi Jouni,

This caveat seems to be the closest match, as 8.4.6 is the affected ASA code.
CSCuh13899

Symptoms:
Some connections may not be removed even after reaching the idle timeout.

https://tools.cisco.com/bugsearch/bug/CSCuh13899/?reffering_site=dumpcr

You can upgrade to the next stable ASA code as suggested in the referred document.

HTH

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi,

Sorry for the VERY late reply to your post :)

The Bug ID mentioned above is probably the problem in our case.

We will have to check what software level to upgrade to. One of the listed software versions we already tried previously with very bad results (the ASA became nearly unusable). It seems we need to consider moving to some 9.x software level, hopefully with fewer problems than we have had with the most recent 8.4(x) software levels.

- Jouni

Jouni,

I am glad I was able to help you. Moreover, the requirements for 8.x and 9.x are the same in terms of memory, so you can surely upgrade to 9.x, which offers more features for VPN and non-VPN deployments.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/