Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible?

Bernhard Roth
Level 1

Hello!

We have an ASA5520 firewall which is used to secure some servers in the office. One server in the DMZ is accessing a NFS share on a higher security-level interface.

To make this work, we have allowed port 111 and enabled sunrpc-server as well as protocol inspection.

So far so good.

The mount and operation works fine but after <timeout> the session on the ASA gets closed.

This happens even if there is continuous traffic via NFS.

The timeout setting seems to be an overall timeout for the translation and not only an idle-timeout (which would make sense).

configure mode commands/options:

  timeout  Idle time after which the hole for the SUNRPC service traffic will be closed

How can I make the translation permanent, NOT timing out after a fixed time?

Configuring 00:00:00 as timeout setting is not accepted in the CLI

Thank you and best regards,

Bernhard

3 Replies

Jouni Forss
VIP Alumni

Hi,

Seems to be possible

Cisco material states the following for your software version

timeout {conn | floating-conn | h225 | h323 | half-closed | icmp | mgcp | mgcp-pat | pat-xlate | sip | sip-disconnect | sip-invite | sip_media | sip-provisional-media | sunrpc | tcp-proxy-reassembly | udp | xlate} hh:mm:ss

sunrpc

Specifies the idle time after which a SUNRPC slot will be closed, between 0:1:0 and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.

- Jouni

I saw that but how do the settings correlate to each other?

Per sunrpc-server timeout setting e.g.

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00

and the global setting

timeout sunrpc 0

In my understanding it would make far more sense to have the global setting as default but with the ability to specify an optional timeout, for example:

Global timeout set to 30 minutes:

timeout sunrpc 00:30:00

Protocol inspection without timeout setting (uses global value, RFE)

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111

Protocol inspection with individual timeout setting

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00

Protocol inspection with infinite timeout setting (RFE)

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 00:00:00

This will not break any existing configurations from previous ASA software releases.

Feedback welcome.

Best regards,

Bernhard

Some additional information:

I just configured "timeout sunrpc 0" and in the sunrpc-server statement a timeout of 10 minutes.

After exactly 10 minutes the client reports error messages and the session on the ASA is closed ("sh sun ac")

What to do?
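For readers who want to reproduce the setup the thread discusses, here is the full set of ASA pieces involved in a SunRPC pinhole, as a constructed example that is not configuration from the original posts. The interface name intdmz, the server address 10.1.2.3, RPC program 100005 (mountd) and the "timeout sunrpc 0" global setting are taken from the thread; the client address 10.1.3.10, the client-side interface name "dmz", the ACL name and the extra 100003 (nfs) entry are assumptions.

```cisco
! Constructed example, not from the thread. intdmz, 10.1.2.3, program 100005
! and "timeout sunrpc 0" come from the posts above; the client 10.1.3.10, the
! interface "dmz", the ACL name and the 100003 entry are assumptions.

! 1. Permit the portmapper (TCP/111) from the NFS client to the server.
!    ASA 8.3+ ACLs are written with real (untranslated) addresses.
access-list dmz_in extended permit tcp host 10.1.3.10 host 10.1.2.3 eq 111
access-group dmz_in in interface dmz

! 2. Tell the SunRPC inspection engine which RPC program on which server it may
!    open pinholes for. The per-entry timeout is mandatory on the CLI; per the
!    poster's test it closed the slot after exactly that time even with the
!    global timeout set to 0, so set it to the longest value you can accept.
sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol tcp port 111 timeout 02:00:00
! nfs itself is RPC program 100003 (assumption: the thread only lists 100005)
sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100003 protocol tcp port 111 timeout 02:00:00

! 3. Global SunRPC slot idle timeout; the 8.4 command reference says 0 never times out.
timeout sunrpc 0

! 4. SunRPC inspection is part of the default global policy; this is the shape
!    of that policy if it has been removed.
policy-map global_policy
 class inspection_default
  inspect sunrpc
service-policy global_policy global

! 5. Verification: list the configured servers and the open slots, then
!    re-check the slot's remaining time after a few NFS operations to see
!    whether it is an idle timer (resets on traffic) or a fixed lifetime.
show running-config sunrpc-server
show sunrpc-server active
show running-config timeout
```

Two practical points when testing this: compare the slot timer in "show sunrpc-server active" before and after generating NFS traffic, since that is what distinguishes an idle timeout from an absolute one, and keep the ACL limited to the single client and single server so the dynamically opened pinholes cannot be reached from anywhere else in the DMZ.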
