Hello, I send the config of FWSM. I hope that you can help me.

Thank you for all.

Regards.

I want to say that after a certain amount of time the FWSM tears down the connection.

Sorry for my English.

Hi

Are these connections from clients or from mid-tier servers.

We have faced a similiar problem on our pix firewalls, both standalone and FWSM. The mid-tiers would open database connections and then assume that these connection would be open forever. The firewall would tear them down if their was no activity on the connection but the mid-tier still assumed it was open so it didn't try to recreate a new connection.

We had to increase the tcp timeouts on our firewalls, on at least some of them we had to have an unlimited timeout, not ideal but they are coping okay.

The problem is that timeouts are global altho i believe with v3.1 you could apply a timeout to particular connections only without having to apply it to all connections through the firewall.

HTH

Hi Jon,

For PIX/ASA, Optionally we can use the DCD feature available version 7.2 onwards.

Here's the URL to refer..

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063705c.html#wp1053110

Hope this helps.

-VJ

Hi VJ

Many thanks for that. Very useful info.

Jon

Hello, these connections are from mid-tier servers. Do you know how have I to change the timeouts.

I have posted the config too.

thank you for all and sorry for my bad English.

Regards.

Hi Marquez,

I agree with the post by the fellow netpro.

You might have to increase the TCP IDLE connection timetout values, so that the FWSM doesn't tears down a idle connection.

You can tune the TCP connection timeout parameter as mentioned in the below URL

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c66.html#wp1058493

-VJ

Please, someone can send to me the config of some equipment of your with respect to timeouts.

Thank you for all.

Regards

Hi Marquez,

As mentioned in the URL provided by me in the earlier post, this would be the configuration to set the tcp timeout to 1440 minutes => 24 hours. Change the value suitably to your requirement.

hostname (config)#policy map tcp_conn_timeout

hostname (config)#class alltcp_traffic

hostname (config)#set connection timeout tcp 1440

hostname (config)#service policy tcp_conn_timeout global

Hope this helps. Kindly rate the post if it was helpful.

-VJ

Hello vijayasankar, I would to like to know if these commands need to be introduced in FWSM or in Catalyst 6500 where FWSM is installed. I comment this, because I have intended to introduce these commands in FWSM and FWSM don't support these commands.

Thank you.

Regards.

Hi Marquez

The commands VJ sent are for Firewall version 3.1. They are meant to be added to the FWSM not the MSFC.

Unfortunately you are running v2.3(3) and these commands are not supported in that release.

You can either upgrade, but be aware that 2.3 is equivalent to 6.3 pix and 3.1 is equivalent to version 7 so there are some major changes or

you can increase the timeout of ALL your tcp connections. In v2.3 it is a global setting so it will affect all tcp connections.

As i say we did this on some of our firewalls, not internet facing firewalls but firewalls in our data centre.

If you want to do this you need to change the timeout line ie from your config

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout conn 1:00 is for the tcp connections. 1:00:00 = 1 hour.

HTH

Hi Marquez,

I had similar a issue with our backup software. TCP connection would remian open for too long and the FWSM would eventually terminate then.

I change the timeout value to 8 hours and the problem was fixed.

The command on our FWSM running v2.3 was: timeout conn 8:00:00

If you do this, keep an eye on your FW resources (memory) to make sure the number of open connections does exhaust you system (not likely unless you have a great number of connections)

Hope this helps

Remy