ASA-5585-X 8.4(6)5 Idle connections are not being removed according to timeout settings

Hi,

Just a quick question if anybody has run into a bug where the ASA's "timeout" settings are not being applied to idle connections.

It seems that our ASA running software level 8.4(6)5 is not tearing down connections. This mainly seems to be a problem in one Security Context where there are around 300k UDP connections (related to VoIP phones) that are not being torn down. Idle timers on the connections are going as far as 700 hours. Common to all the UDP connections is also the fact that only 19 bytes of data have been transmitted on the connection built on the firewall. I am not sure what the purpose of these UDP connections is, as both the source and destination ports are random high ports.

I was not able to find any Bug ID whose description would match the situation I am seeing. I did not see anything in the release notes of 8.4(7) or its interim releases either that would list this kind of bug.

- Jouni
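The check the post describes by hand (walk the connection table, find connections whose idle timer has run past the configured timeout, and group the stale ones by protocol and byte count so a bucket like "300k UDP conns, 19 bytes each" stands out) as an added example, not code from the thread or from Cisco. It assumes the one-line-per-connection layout of `show conn` on ASA 8.x (`PROTO if addr:port if addr:port, idle H:MM:SS, bytes N, flags X`) and the default `timeout conn 1:00:00` / `timeout udp 0:02:00` values; the sample output is constructed, and the configured values on a real box come from `show running-config timeout`.

```python
"""Flag ASA connections whose idle time exceeds the configured timeout.

Added example, not from the thread. Input is the text of `show conn`
pasted into SAMPLE_CONN; the line layout assumed here is the ASA 8.x
one-line-per-connection format, and the sample itself is constructed.
"""
import re
from collections import Counter

# Constructed sample resembling `show conn` in one context of an ASA 8.4(6)5.
SAMPLE_CONN = """\
5 in use, 7 most used
UDP outside 203.0.113.5:40012 inside 10.0.0.20:50123, idle 700:14:09, bytes 19, flags -
UDP outside 203.0.113.6:41877 inside 10.0.0.21:54001, idle 698:02:51, bytes 19, flags -
UDP outside 203.0.113.7:5060 inside 10.0.0.22:5060, idle 0:00:03, bytes 48210, flags -
TCP outside 198.51.100.9:443 inside 10.0.0.30:51234, idle 0:00:12, bytes 88120, flags UIO
TCP outside 198.51.100.9:443 inside 10.0.0.31:51240, idle 1:05:00, bytes 2048, flags UIO
"""

# ASA defaults in seconds: `timeout conn 1:00:00` and `timeout udp 0:02:00`.
# Replace with the values from `show running-config timeout` on the real box.
DEFAULT_TIMEOUTS = {"TCP": 3600, "UDP": 120}

# Assumed 8.x layout: PROTO if ep if ep, idle H:MM:SS, bytes N, flags X
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ep_a>\S+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ep_b>\S+),\s+"
    r"idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+"
    r"flags\s+(?P<flags>\S*)\s*$"
)


def idle_seconds(hms):
    """Convert the H:MM:SS idle field (hours are unbounded) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(text):
    """Return one dict per connection line; counters and headers are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # e.g. the "N in use, M most used" counter line
        d = m.groupdict()
        d["idle_s"] = idle_seconds(d["idle"])
        d["bytes"] = int(d["bytes"])
        conns.append(d)
    return conns


def stale_conns(conns, timeouts=DEFAULT_TIMEOUTS):
    """Connections idle longer than the timeout for their protocol.

    A healthy ASA should have torn these down already, so anything here
    is either a misread of the configured timeouts or the symptom in the post.
    """
    return [c for c in conns if c["idle_s"] > timeouts[c["proto"]]]


def summarize(stale):
    """Count stale connections by (protocol, byte count).

    Many same-sized entries in one bucket (the 19-byte UDP conns in the post)
    point at one traffic pattern rather than scattered leaks.
    """
    return Counter((c["proto"], c["bytes"]) for c in stale)


if __name__ == "__main__":
    conns = parse_conn(SAMPLE_CONN)
    stale = stale_conns(conns)
    print(f"{len(stale)} of {len(conns)} connections past their idle timeout")
    for (proto, nbytes), n in summarize(stale).most_common():
        print(f"  {proto} conns with {nbytes} bytes transferred: {n}")
    for c in stale:
        print(f"  {c['proto']} {c['ep_a']} -> {c['ep_b']} idle {c['idle']}")
```

On a box with several hundred thousand entries, capture `show conn` to a file from the affected context and feed the file in rather than pasting; a large single bucket in the summary is what makes the problem visible before the per-connection listing does.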

3 REPLIES
Cisco Employee

Hi Jouni,

This caveat seems to be the closest match, as 8.4.6 is the affected ASA code:
CSCuh13899

Symptoms:
Some connections may not be removed even after reaching the idle timeout.

https://tools.cisco.com/bugsearch/bug/CSCuh13899/?reffering_site=dumpcr

You can upgrade to the next stable ASA code as suggested in the referred document.

HTH

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi,

Sorry for the VERY late reply to your post :)

The Bug ID mentioned above is probably the problem in our case.

We will have to check what software level to upgrade to. One of the listed software versions we already tried previously, with very bad results (the ASA became nearly unusable). It seems we need to consider moving to some 9.x software level, hopefully with fewer problems than we have had with the most recent 8.4(x) software levels.

- Jouni

Cisco Employee

Jouni,

I am glad I was able to help you. Moreover, the requirements for 8.x and 9.x are the same in terms of memory, so you can surely upgrade to 9.x, which caters to more features for VPN and non-VPN deployments.

Regards,
Dinesh Moudgil