Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
is
New Member

Disabling connection checking for specific network on 515E

Hi everyone,

I'm looking for a way to stop getting the %PIX-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags flags on interface int_name. syslog messages.

My users are running a client-server program that initiates a session with the Pix from the client and the program works fine. My users are complaining about the program "kicking them out" and having to start a new session of the program. I believe what's happening is that the connection in the Pix is dropped when the program goes into "sleep mode" -- ie. it minimizes itself and locks until the user who's logged in enters their password (it's a security feature). They can open new sessions, but unlocking the sleeping session just doesn't work.

I have ACLs that allow traffic from the remote site and my internal network (servers) for both my inside interface and the interface they're located on (RemoteConnections). Even if a connection's "dropped", traffic between the servers and their network is completely "open" -- on both interfaces involved.

Is there a way to disable connection (or session) checking for a particular host/network? The description for this problem describes this as occuring when there's no existing TCP connection specified by the SYN flag (and there's no connection in the Pix).

Any help/suggestions would be greatly appreciated!

Tim

1 REPLY
Cisco Employee

Re: Disabling connection checking for specific network on 515E

You can't disable connection checking on the PIX, it's a stateful firewall so that's what it does.

What's happening is that your connection is timing out due to no data being sent over it while the application is in sleep mode. You can increase the TCP timeout on the PIX with the following command:

> timeout conn 3:00:00

This will set the idle connection timeout to 3 hours, you can play around with it to get a suitable time depending on how long your users usually leave their connections idle.

Keep in mind that your xlate timeout should be a little higher than your conn timeout, so if you change the conn timeout to anything higher, change your xlate timeout accordingly.

281
Views
0
Helpful
1
Replies
CreatePlease to create content