
New Member

Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible?

Hello!

We have an ASA5520 firewall which is used to secure some servers in the office. One server in the DMZ is accessing an NFS share on a higher security-level interface.

To make this work, we have allowed port 111 and enabled sunrpc-server as well as protocol inspection.

So far so good.

The mount and operation work fine, but after <timeout> the session on the ASA gets closed.

This happens even if there is continuous traffic via NFS.

The timeout setting seems to be an overall timeout for the translation and not only an idle-timeout (which would make sense).

configure mode commands/options:

  timeout  Idle time after which the hole for the SUNRPC service traffic will
           be closed

How can I make the translation permanent, NOT timing out after a fixed time?

Configuring 00:00:00 as the timeout setting is not accepted in the CLI.

Thank you and best regards,

Bernhard

3 REPLIES
Super Bronze

Re: Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible

Hi,

Seems to be possible.

Cisco material states the following for your software version:

timeout {conn | floating-conn | h225 | h323 | half-closed | icmp | mgcp | mgcp-pat | pat-xlate | sip | sip-disconnect | sip-invite | sip_media | sip-provisional-media | sunrpc | tcp-proxy-reassembly | udp | xlate} hh:mm:ss

sunrpc

Specifies the idle time after which a SUNRPC slot will be closed, between 0:1:0 and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.

- Jouni

New Member

Re: Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible

I saw that, but how do the settings correlate to each other?

Per-sunrpc-server timeout setting, e.g.:

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00

and the global setting:

timeout sunrpc 0

In my understanding it would make far more sense to have the global setting as default but with the ability to specify an optional timeout, for example:

Global timeout set to 30 minutes:

timeout sunrpc 00:30:00

Protocol inspection without timeout setting (uses global value, RFE):

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111

Protocol inspection with individual timeout setting:

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00

Protocol inspection with infinite timeout setting (RFE):

sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 00:00:00

This will not break any existing configurations from previous ASA software releases.

Feedback welcome.

Best regards,

Bernhard

New Member

Re: Cisco ASA 8.4.3: Infinite SunRPC inspection timeout possible

Some additional information:

I just configured "timeout sunrpc 0" and, in the sunrpc-server statement, a timeout of 10 minutes.

After exactly 10 minutes the client reports error messages and the session on the ASA is closed ("sh sun ac").

What to do?
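An added example, not from this thread and not Cisco's code: a small Python audit script that reads a saved running configuration, picks out the `timeout sunrpc` line and every `sunrpc-server` statement (following the command syntax quoted in the replies above), and reports the effective lifetime of each SUNRPC pinhole. It treats a per-server `timeout` as taking precedence over the global value, which is what the last post observed (global 0, per-server 10 minutes, session closed after 10 minutes), and it assumes the global value applies to entries without their own timeout. Entries whose effective timeout is 0 are flagged, because such a pinhole stays open until the entry is removed. The sample configuration is constructed, and the exact `show running-config` formatting on a real ASA may differ from the regular expressions used here, so treat those as assumptions.

```python
import re
from typing import Dict, List, Optional

# Line patterns follow the command syntax quoted in the thread; real
# `show running-config` output may differ slightly (assumption).
SUNRPC_SERVER_RE = re.compile(
    r"^\s*sunrpc-server\s+(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s+service\s+(?P<service>\d+)"
    r"\s+protocol\s+(?P<proto>tcp|udp)\s+port\s+(?P<port>\d+)"
    r"(?:\s+timeout\s+(?P<timeout>\S+))?\s*$",
    re.IGNORECASE,
)
GLOBAL_SUNRPC_RE = re.compile(
    r"^\s*timeout\s+sunrpc\s+(?P<timeout>\S+)\s*$", re.IGNORECASE
)

DEFAULT_GLOBAL_S = 600   # quoted documentation: default is 0:10:0
LONG_LIVED_S = 3600      # audit threshold chosen for this example only

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
! constructed sample configuration
sunrpc-server intdmz 10.1.2.3 255.255.255.255 service 100005 protocol TCP port 111 timeout 00:10:00
sunrpc-server intdmz 10.1.2.4 255.255.255.255 service 100003 protocol UDP port 111
sunrpc-server intdmz 10.1.2.5 255.255.255.255 service 100005 protocol TCP port 111 timeout 0:1:0
sunrpc-server intdmz 10.1.2.6 255.255.255.255 service 100005 protocol TCP port 111 timeout 02:00:00
timeout sunrpc 0
"""


def parse_timeout(value: str) -> int:
    """Convert 'hh:mm:ss' (hours may exceed two digits) or a bare '0' to seconds.
    0 means 'never time out', as the quoted documentation states."""
    if value == "0":
        return 0
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised timeout value: {value!r}")
    h, m, s = (int(p) for p in parts)
    return h * 3600 + m * 60 + s


def audit_sunrpc(config_text: str) -> Dict[str, object]:
    """Return the global SUNRPC timeout and one record per sunrpc-server entry,
    each with its effective timeout in seconds, where it came from, and a note."""
    global_s = DEFAULT_GLOBAL_S
    entries: List[Dict[str, object]] = []
    for line in config_text.splitlines():
        g = GLOBAL_SUNRPC_RE.match(line)
        if g:
            global_s = parse_timeout(g.group("timeout"))
            continue
        m = SUNRPC_SERVER_RE.match(line)
        if not m:
            continue
        own = m.group("timeout")
        own_s: Optional[int] = parse_timeout(own) if own else None
        entries.append({
            "iface": m.group("iface"),
            "ip": m.group("ip"),
            "service": int(m.group("service")),
            "proto": m.group("proto").upper(),
            "port": int(m.group("port")),
            "own_s": own_s,
        })
    # Second pass: the global line may appear anywhere in the config, so the
    # effective value is only computed once the whole text has been read.
    for e in entries:
        if e["own_s"] is not None:
            # Per-server value wins, as observed in the thread's last post.
            e["effective_s"], e["source"] = e["own_s"], "per-server"
        else:
            # Assumption: entries without their own timeout use the global value.
            e["effective_s"], e["source"] = global_s, "global"
        if e["effective_s"] == 0:
            e["note"] = "never times out: pinhole stays open until the entry is removed"
        elif e["effective_s"] > LONG_LIVED_S:
            e["note"] = "long-lived pinhole"
        else:
            e["note"] = "ok"
    return {"global_timeout_s": global_s, "entries": entries}


if __name__ == "__main__":
    report = audit_sunrpc(SAMPLE_CONFIG)
    print(f"global timeout sunrpc: {report['global_timeout_s']}s")
    for e in report["entries"]:
        print(f"{e['ip']} svc {e['service']} {e['proto']}/{e['port']}: "
              f"{e['effective_s']}s ({e['source']}) - {e['note']}")
```

Run it against a saved copy of the running configuration instead of `SAMPLE_CONFIG` to get a quick inventory of which SUNRPC pinholes are bounded by an idle timer and which would stay open indefinitely; the "long-lived" threshold is only a starting point and should be set to whatever the environment considers acceptable.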
