ASA longterm connections - how to find them

Pavel Pokorny · ‎02-26-2014

Dear all,

Accidentaly I have discovered, that idle timeout on ASA not always works as I expected.

Can somebody explain me, why I can see something like this (addresses changed, but time info remained)?

UDP outside:192.168.1.1/43501 inside:192.168.0.102/16327,

flags -, idle 8D14h, uptime 257D3h, timeout 2m0s, bytes 19

I always thought, that after idle timer reaches timeout, then connections is cleared.

I can find this behaviour on 8.4.3 and 8.4.6 (other realeases not tested).

Do you have any command to list such connections? I mean where idle is greater than something (i.e.

sh local-host connection udp 500 - lists all hosts with more than 500 UDP connections).

Thank you very much.

Pavel

Jouni Forss · ‎02-26-2014

Hi,

We have an ASA running 8.4(6) that I just noticed had a few connections that have been idle for 16 days straight. This seems to be only for the UDP Connections that I have seen so far in the firewall that I am looking at

Here partial output from one connection

flags -, idle 13D7h, uptime 13D7h, timeout 2m0s, bytes 19

So pretty much same as yours.

I would have to say that this is some bug.

I could not find any matching bug yet but there has been a couple of discussion where the situation has been the same but there has been no updates on those discussion.

I am not really sure if the ASA has any options to look for connections based on their idle/uptime timers.

I guess you would have to resort to somekind of combination of "show" command and the user of regex.

- Jouni

Pavel Pokorny · ‎02-27-2014

Hi,

I think it's bug also.

I also do sometning like this : sh conn all | ex idle [0]:

BUT, when I find such a connection a have to delete it manualy one by one, which is annoying. I was wondering if someone knows ie undocumented command for such a purpose (delete all connection idle then).

Anyway thank for response.

Pavel