Cisco Support Community

FWSM sysopt connection timewait?

Hi

Is the command 'sysopt connection timewait' available on the FWSM 3.2? There is something written in the manual:

[quote]
"Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.2 -- Whole Book PDF" available on the page you sent me to; go to page 6-86 and we see the following.

Command: sysopt connection timewait

Description: Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence
[/quote]

But on the other hand it's not listed as an available command in the list of commands...

So is it available? What are the options for configuring it? What is the impact for the network?

Our backup software supplier asked us to lower it to 30 seconds or less.

thanks

pato

1 ACCEPTED SOLUTION

Cisco Employee

Re: FWSM sysopt connection timewait?

The command "sysopt connection timewait" is a global command that is no longer available on version 3.2.

You can configure the same feature with MPF by specifying the traffic for which you would like to lower the TCP timewait.

Here is the command reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/s1.html#wp2699979

Hope that helps.

4 REPLIES

Re: FWSM sysopt connection timewait?

Thanks for your answer. In that case we can't change it to a time that the manufacturer would like to have (around 5-10 seconds).

Cisco Employee

Re: FWSM sysopt connection timewait?

On the FWSM architecture, connections are actually removed as soon as they are closed, so the "sysopt connection timewait" command actually serves no purpose, which is why it is no longer available in the later version.

What is your software vendor actually trying to achieve? Do they want to close down the connection around 5-10 seconds after the TCP session is idle? If that is what they are trying to achieve, then you can implement it using the "set connection timeout" command advised earlier.

Re: FWSM sysopt connection timewait?

The issue is that the software tries to re-use the same port for a new connection. The firewall will block that with:

%FWSM-6-106028: Deny TCP (Connection marked for Deletion) from x.x.x.x/xx to x.x.x.x/xx flags SYN  on interface inside

And this itself is caused by the TIME_WAIT period, which seems to be set to 240 seconds. What I would need is to lower that one to 10-30 seconds.

The 'set connection timeout tcp' (or 'idle') has a minimum of 5 minutes as per your attached link.
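The symptom in the last reply, worked through as an added example (this is not code from the thread, the poster or Cisco): a short Python script that parses %FWSM-6-106028 "Connection marked for Deletion" denies out of a syslog file, groups them by source host, source port and destination, and measures how quickly the same source port was re-used and how long the client kept retrying. The log lines below are constructed (RFC 5737 addresses, hostname fwsm1), the "Mon DD HH:MM:SS" prefix is an assumption about the syslog collector, the year is supplied by the caller, and the 240-second TIME_WAIT figure is the one reported in the thread.

```python
"""Spot TIME_WAIT source-port reuse from FWSM 106028 denies.

Added example for this thread; not code from the poster or from Cisco.
Assumptions: syslog lines carry a collector-style "Mon DD HH:MM:SS" prefix,
the caller supplies the year, and the sample lines / RFC 5737 addresses are
constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# TIME_WAIT hold the thread reports for this FWSM, in seconds.
TIMEWAIT_SECONDS = 240

# Matches the message quoted in the thread; the leading timestamp is assumed.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"%FWSM-6-106028: Deny TCP \(Connection marked for Deletion\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>\S+)\s+on interface (?P<iface>\S+)"
)


def parse_106028(lines, year=2009):
    """Return (timestamp, src, sport, dst, dport, iface) for every 106028 deny.

    Lines with any other message ID (connection built/teardown, noise) are skipped.
    """
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["iface"]))
    return records


def reuse_report(lines, year=2009):
    """Group denies by (src, sport, dst, dport) and describe each retry burst.

    For each tuple: number of refused SYNs, shortest gap between refusals,
    total span of the burst (seconds), and whether that span is still inside
    the TIME_WAIT hold. A burst that stays under TIMEWAIT_SECONDS and then
    stops is the client retrying until the old connection ages out.
    """
    stamps = defaultdict(list)
    for ts, src, sport, dst, dport, _ in parse_106028(lines, year):
        stamps[(src, sport, dst, dport)].append(ts)
    report = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        span = (times[-1] - times[0]).total_seconds()
        report[key] = {
            "denies": len(times),
            "min_gap": min(gaps) if gaps else None,
            "span": span,
            "within_timewait": span < TIMEWAIT_SECONDS,
        }
    return report


def denies_per_client(lines, year=2009):
    """Refused SYNs per source host: the clients that re-bind a source port too early."""
    counts = defaultdict(int)
    for rec in parse_106028(lines, year):
        counts[rec[1]] += 1
    return dict(counts)


# Constructed sample: backup client 192.0.2.10 re-binds source port 40001 towards
# the media server 198.51.100.20:10000 three times inside the hold window; one
# unrelated connection-built message is included and must be ignored.
SAMPLE_LOG = """\
Mar  5 14:22:31 fwsm1 %FWSM-6-106028: Deny TCP (Connection marked for Deletion) from 192.0.2.10/40001 to 198.51.100.20/10000 flags SYN  on interface inside
Mar  5 14:22:32 fwsm1 %FWSM-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.20/10000 (198.51.100.20/10000) to inside:192.0.2.11/40500 (192.0.2.11/40500)
Mar  5 14:22:34 fwsm1 %FWSM-6-106028: Deny TCP (Connection marked for Deletion) from 192.0.2.10/40001 to 198.51.100.20/10000 flags SYN  on interface inside
Mar  5 14:22:40 fwsm1 %FWSM-6-106028: Deny TCP (Connection marked for Deletion) from 192.0.2.10/40001 to 198.51.100.20/10000 flags SYN  on interface inside
Mar  5 14:23:05 fwsm1 %FWSM-6-106028: Deny TCP (Connection marked for Deletion) from 192.0.2.11/40500 to 198.51.100.20/10000 flags SYN  on interface inside
"""

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("fwsm.log") to run against a real syslog file.
    for key, info in reuse_report(SAMPLE_LOG.splitlines()).items():
        print(key, info)
    print(denies_per_client(SAMPLE_LOG.splitlines()))
```

Since the thread establishes that MPF on this FWSM cannot take the hold below five minutes, the output is mainly evidence for the backup vendor: the (client, source port, server) tuples it lists are exactly the sessions where the application re-bound a port that the firewall still holds in TIME_WAIT, and the per-client counts show which hosts need the port-reuse behaviour changed on the application side.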
