Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2393
Views
0
Helpful
1
Replies

Initial connections to sql servers timeout through ASA

lcnorwood
Level 1
Level 1

‎08-24-2012 01:13 PM - edited ‎03-11-2019 04:46 PM

I am on version 8.2(1) of ASA Code.

When accessing a SQL server on a secure internal interface,(Traffic is sourcing from DMZ) i'm getting some timeouts on the initial connection on port 1433.   All subsequent connections work fine.   Packet tracer shows the connection builds properly, and shouldn't have a connectivity issue.   The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433.    We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues.  

Here are my timeouts, from the config

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

arp timeout 14400

I've seen a couple articles about increasing the tcp timeout to 3 hours for the DMZ interface, but I'm not sure that's the best idea.

Does anyone have an idea what might be wrong? 

Labels:
0 Helpful
1 Reply 1

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎08-25-2012 06:30 AM

Hi Bro

Based on your problem description, I personally don't think this is an issue with your Cisco Firewall. The reason being, you said "The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues."

Since all the other Web Servers in DMZ has no issues accessing the SQL server except for this particular one, then what I would propose you to do is to perform 2 packet captures from within the Cisco Firewall i.e. from the non-working Web Server to the SQL server and from a     working Web Server to the SQL server and compare the packet capture output. Chances are this could be an application scripting issue. Let me know how it goes.

If you're not sure on how to perform packet captures from within your Cisco Firewall, please refer to this URL;

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml      

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card