Cisco Support Community
New Member

UDP timeout ASA

Hi all, just have a few questions about UDP timeout.

1. From what I understand, connectionless protocols such as UDP have to idle out to be closed, as there is no connection information. Is this correct?

2. Do these connections appear in the connection/State table? 

3. If you disable the UDP timeout on the firewall, doesn't this mean that the UDP sessions could fill up the state table, as none of the connections would time out?

1 ACCEPTED SOLUTION

Accepted Solutions

UDP timeout ASA

Hello,

I think I did not explain myself on the last post. I was talking about the behavior of the ASA with a stateful protocol; with the protocol UDP, the stateful firewall will use hole punching as the method to detect or keep track of the connection.

Such sessions usually get the ESTABLISHED state immediately after the first packet is seen by the firewall.

Sessions in connectionless protocols (like UDP) can only end by time-out.

But the ASA does keep track of these connections, as I mentioned before.


Hope this helps!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
3 REPLIES

UDP timeout ASA

Hello,

1-There is no need for a connection to be idle in order to be closed, I mean there are other facts that will turn the connection down; also remember that the ASAs can statefully inspect TCP/UDP (by default) and ICMP if configured.

2-Yes, they appear there.

3-Correct, if you have a timeout 0 0 that will cause some issues (no ports available if PAT is being used, etc.) as none of the connections are being closed.

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
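To make the point in reply 3 concrete, here is a small simulation, added by the editor and not from the original thread or from Cisco, of a stateful UDP connection table in front of a PAT port pool: with an idle timeout, entries age out and ports are reused; with the timeout disabled (0), entries never leave the table and the pool is exhausted. The 120-second timeout, the four-port pool and the flows are constructed values.

```python
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 120  # assumed idle timeout in seconds (constructed for the example)
PAT_PORT_POOL = 4       # constructed, deliberately tiny PAT pool so exhaustion shows quickly


@dataclass
class UdpConnTable:
    idle_timeout: int            # 0 means "timeout disabled": entries never age out
    pat_ports: int = PAT_PORT_POOL
    # (src, sport, dst, dport) -> time the last packet was seen
    conns: dict = field(default_factory=dict)

    def expire(self, now):
        """Drop entries idle for at least idle_timeout seconds; do nothing when disabled."""
        if self.idle_timeout == 0:
            return
        for key, last_seen in list(self.conns.items()):
            if now - last_seen >= self.idle_timeout:
                del self.conns[key]

    def packet(self, now, key):
        """Return True if the packet has a table entry (and a PAT port), False if the pool is full."""
        self.expire(now)
        if key in self.conns:
            self.conns[key] = now     # refresh the idle timer on an existing session
            return True
        if len(self.conns) >= self.pat_ports:
            return False              # no PAT port left: new UDP flow is dropped
        self.conns[key] = now
        return True


def replay(idle_timeout):
    """Replay constructed DNS flows; return per-packet results and the final table size."""
    table = UdpConnTable(idle_timeout)
    # four queries from different hosts at t=0..3, then a fifth at t=300 when the others are idle
    flows = [(t, ("10.0.0.%d" % (t + 1), 40000 + t, "198.51.100.53", 53)) for t in range(4)]
    flows.append((300, ("10.0.0.9", 40009, "198.51.100.53", 53)))
    results = [table.packet(t, key) for t, key in flows]
    return results, len(table.conns)


if __name__ == "__main__":
    print("timeout 120s:", replay(UDP_IDLE_TIMEOUT))  # fifth flow gets a port, table holds 1
    print("timeout disabled:", replay(0))             # fifth flow is refused, table still holds 4
```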
New Member

UDP timeout ASA

"There is no need for a connection to be idle in order to be closed, I mean there are other facts that will turn the connection down,"

Like what? There is no state information, so how does the firewall know the connection is done with?
