Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Initial connections to sql servers timeout through ASA

I am on version 8.2(1) of ASA Code.

When accessing a SQL server on a secure internal interface,(Traffic is sourcing from DMZ) i'm getting some timeouts on the initial connection on port 1433.   All subsequent connections work fine.   Packet tracer shows the connection builds properly, and shouldn't have a connectivity issue.   The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433.    We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues.  

Here are my timeouts, from the config

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

arp timeout 14400

I've seen a couple articles about increasing the tcp timeout to 3 hours for the DMZ interface, but I'm not sure that's the best idea.

Does anyone have an idea what might be wrong? 

Everyone's tags (5)
1 REPLY

Re: Initial connections to sql servers timeout through ASA

Hi Bro

Based on your problem description, I personally don't think this is an issue with your Cisco Firewall. The reason being, you said "The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues."

Since all the other Web Servers in DMZ has no issues accessing the SQL server except for this particular one, then what I would propose you to do is to perform 2 packet captures from within the Cisco Firewall i.e. from the non-working Web Server to the SQL server and from a     working Web Server to the SQL server and compare the packet capture output. Chances are this could be an application scripting issue. Let me know how it goes.

If you're not sure on how to perform packet captures from within your Cisco Firewall, please refer to this URL;

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml      

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
1612
Views
0
Helpful
1
Replies
CreatePlease login to create content