New Member

FWSM + TCP reset problem

Hi All!

We have a strange problem regarding FWSM TCP connection timeout configuration using MPF: although the "reset" keyword has been set in policy-map, FWSM does not send any TCP-reset packet to the endpoints (monitored using WireShark).

We are using FWSM Firewall Version 4.0(3) and Device Manager Version 6.1(5)F

Please see the related configuration below:

Traffic originating from outside interface (source IP: 172.16.129.221) destined to an inside host (destination IP: 172.24.250.100) to TCP/22 or TCP/23.

!
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq ssh log disable
access-list CONNS_TIMEOUT_TEST_ACL line 1 extended permit tcp host 172.16.129.221 host 172.24.250.100 eq telnet log disable
!
!
service reset no-connection
!
class-map CONNS_TIMEOUT_TEST_CMAP
 match access-list CONNS_TIMEOUT_TEST_ACL
!
policy-map CONNS_TIMEOUT_TEST_PMAP
 class CONNS_TIMEOUT_TEST_CMAP
  set connection timeout tcp 0:05:00 reset
!
icmp permit TESTNET_172.24.250.0 255.255.255.0 TESTNET_172.24.250.0/24
access-list TESTNET_172.24.250.0/24_access_in extended permit ip TESTNET_172.24.250.0 255.255.255.0 any log disable
!
object-group service TEST_OBJECT_GR tcp
 port-object eq ssh
 port-object eq telnet
access-list outside_access_in extended permit tcp host 172.16.129.221 host 172.24.250.100 object-group TEST_OBJECT_GR log disable
!
!
service-policy CONNS_TIMEOUT_TEST_PMAP interface outside
!

We are planning to upgrade to the latest FWSM v4 software version, because it seems to be a bug. Could anybody help me to solve this problem?

Any feedback would be appreciated! Thanks in advance! Belabacsi
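The post above relies on a Wireshark capture to tell whether the FWSM sends an RST when the 0:05:00 idle timer in the policy-map expires. The following Python script is an added example (not from the thread and not Cisco code) that automates that check: it reads a packet summary in a constructed comma-separated format (the field order is what `tshark -T fields` would export with the matching `-e` options; spelling the TCP flags as letters is our own assumption), groups packets by connection, finds the first idle gap at least as long as the configured timeout, and reports whether an RST reached an endpoint after the timer ran out. The sample packets are constructed: the SSH flow shows an RST arriving after expiry (the behaviour the poster saw on ASA), the Telnet flow shows a silent drop with an unanswered retry (what the poster saw on FWSM). The checker treats any RST that reaches an endpoint after expiry as the firewall's teardown RST; it does not try to prove which device generated it.

```python
"""Idle-timeout RST checker (added example; not Cisco code and not from the thread).

Input: 'ts,src,sport,dst,dport,flags' lines, the field order of
`tshark -T fields -E separator=, -e frame.time_relative -e ip.src -e tcp.srcport
-e ip.dst -e tcp.dstport -e tcp.flags`. Flags as letters (S, SA, PA, A, R, RA)
are our own assumption; adapt parse_summary() to what your export produces.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # e.g. "S", "SA", "PA", "R", "RA"


@dataclass
class Verdict:
    last_activity: float          # last non-RST packet before the idle gap
    expired_at: Optional[float]   # when the idle timer ran out; None if it never did
    rst_to: Set[Endpoint]         # endpoints that received an RST after expiry

    @property
    def reset_sent(self) -> bool:
        return bool(self.rst_to)


def hms_to_seconds(text: str) -> int:
    """'0:05:00' (the hh:mm:ss form of 'set connection timeout tcp') -> 300."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_summary(text: str) -> List[Pkt]:
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, flags = (f.strip() for f in line.split(","))
        pkts.append(Pkt(float(ts), src, int(sport), dst, int(dport), flags))
    return pkts


def conn_key(p: Pkt) -> ConnKey:
    """Direction-independent key: both directions of a flow map to one connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def check_idle_reset(packets: List[Pkt], timeout_s: float) -> Dict[ConnKey, Verdict]:
    by_conn: Dict[ConnKey, List[Pkt]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_conn[conn_key(p)].append(p)
    capture_end = max(p.ts for p in packets)

    verdicts: Dict[ConnKey, Verdict] = {}
    for key, pkts in by_conn.items():
        # Only non-RST packets refresh the firewall's idle timer.
        activity = [p for p in pkts if "R" not in p.flags]
        rsts = [p for p in pkts if "R" in p.flags]
        if not activity:
            continue
        # Locate the first idle gap at least as long as the configured timeout.
        last = activity[0].ts
        expired_at: Optional[float] = None
        for p in activity[1:]:
            if p.ts - last >= timeout_s:
                expired_at = last + timeout_s
                break
            last = p.ts
        # No later activity at all: the timer still ran out if the capture is long enough.
        if expired_at is None and last + timeout_s <= capture_end:
            expired_at = last + timeout_s
        # Any RST reaching an endpoint after expiry counts as the teardown RST. The source
        # address is deliberately not checked: a firewall sends it as if from the peer.
        rst_to: Set[Endpoint] = set()
        if expired_at is not None:
            rst_to = {(p.dst, p.dport) for p in rsts if p.ts >= expired_at}
        verdicts[key] = Verdict(last, expired_at, rst_to)
    return verdicts


# Constructed capture on the outside segment (not real data). The SSH flow gets an RST
# after the 0:05:00 timer; the Telnet flow is dropped silently and the client's retry
# at t=400 goes unanswered.
SAMPLE = """
0.000,172.16.129.221,40000,172.24.250.100,22,S
0.010,172.24.250.100,22,172.16.129.221,40000,SA
0.020,172.16.129.221,40000,172.24.250.100,22,A
1.000,172.16.129.221,40000,172.24.250.100,22,PA
1.010,172.24.250.100,22,172.16.129.221,40000,A
301.500,172.24.250.100,22,172.16.129.221,40000,RA
10.000,172.16.129.221,40001,172.24.250.100,23,S
10.010,172.24.250.100,23,172.16.129.221,40001,SA
10.020,172.16.129.221,40001,172.24.250.100,23,A
12.000,172.16.129.221,40001,172.24.250.100,23,PA
400.000,172.16.129.221,40001,172.24.250.100,23,PA
"""


def report(summary: str, timeout: str) -> Dict[str, str]:
    """Map each connection to 'reset', 'silent drop' or 'not expired'."""
    out = {}
    for (a, b), v in check_idle_reset(parse_summary(summary), hms_to_seconds(timeout)).items():
        name = f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}"
        if v.expired_at is None:
            out[name] = "not expired"
        else:
            out[name] = "reset" if v.reset_sent else "silent drop"
    return out


if __name__ == "__main__":
    for conn, verdict in report(SAMPLE, "0:05:00").items():
        print(f"{conn}: {verdict}")
```

Run it against an export of the capture taken on the interface where the reset should be seen; a "silent drop" verdict for a flow whose class is covered by `set connection timeout tcp ... reset` is the symptom described in this thread, while "not expired" means the capture simply did not run long enough past the last packet for the timer to fire.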

9 REPLIES
New Member

Re: FWSM + TCP reset problem

News: We have updated to the latest FWSM software version: v4.0(6) but the problem still exists.

I have tested the configuration using ASA software version v8.2.1 (above configuration + TCP state bypass global map) and sending TCP reset is OK with ASA!

Any idea? Maybe FWSM bug?

Any feedback would be appreciated! Thanks in advance! Belabacsi

Bronze

Re: FWSM + TCP reset problem

The URL below provides a sample configuration for PIX 7.1(1) and later of a timeout that is specific to a particular application such as SSH/Telnet/HTTP, as opposed to one that applies to all applications. This configuration example uses the new Modular Policy Framework introduced in PIX 7.0. This feature is not applicable in an IPsec VPN environment.

In this sample configuration, the PIX Firewall is configured to allow the workstation (10.77.241.129) to Telnet/SSH/HTTP to the remote server (10.1.1.1) behind the router. A separate connection timeout to Telnet/SSH/HTTP traffic is also configured. All other TCP traffic continues to have the normal connection timeout value associated with timeout conn 1:00:00.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml

Re: FWSM + TCP reset problem

Hi,

I'm looking at this issue, once the TAC case has been resolved I'll let you know.

Any further updates are welcome on amakovec@cisco.com.

Re: FWSM + TCP reset problem

We are still investigating the fix for this issue. It is more like a design question now. Soon we will have some info that we can share.

New Member

Re: FWSM + TCP reset problem

Dear Adam!

Thanks for the info!

Regards

Belabacsi

Budapest, Hungary

New Member

FWSM + TCP reset problem

Hi Adam - Is there any update after this..? We are also facing the same kind of strange REST-I issue in our FWSM Firewalls.

Regards...KSA

New Member

FWSM + TCP reset problem

Dear Bélabá! :-)

Has a solution been found yet for the problem outlined above?

We could use a few RSTs too, for the less frequently used TCP connections!

Regards,

New Member

FWSM + TCP reset problem

Dear Károly! :-)

Unfortunately, in its current state the FWSM still does not send a TCP RESET; we too very much miss this capability. (We are currently running version v4.1(6).) I have no information on how the arrival of the ASASM will affect FWSM development, but I hope the feature will be implemented soon :-)

Best regards,

Bélabá

New Member

FWSM + TCP reset problem

Thank you! :-)
