My PIX 515 connection timeout is set to the default of 1 hour. I have a connection between my inside host and an outside host. This connection will last forever. However, the traffic volume is very low. The connection will idle for more than 10 hours. At the moment, the connection keeps dropping out. The fix is to restart the connection on the servers.
My question is: after the PIX connection timeout, will the traffic between the servers be blocked because the connections for the servers in the connection table of the PIX are removed?
Hi .. the connection will be closed only if the connection has been idle for one hour (in your case). The connection will stay open as long as there is traffic passing through. If you see the connection dropping even though you know it should not, then you might be having a physical issue here. Check the status of the interfaces on the PIX and also check the ports where the servers are connected .. you must have a local switch; make sure you are not having errors on it or duplex mismatches.
If you open a connection and no traffic passes over it for whatever the pix/asa/fwsm timeout value is, then the pix will close the connection. Any new traffic from one host to the other would be dropped unless it was the establishment of a new connection.
You need to do 1 of 3 things:
1) Somehow configure your connection to send traffic more frequently, keeping it alive.
2) Configure your connection to close and restart periodically, under the timeout limit in the pix.
3) Configure the pix with a timeout value that is greater than the time between when those hosts are sending traffic to each other.
You have to be careful of #3 - If you increase that value too much you run the risk of filling up your connection table, depending on how much throughput you have on your firewall.
Don't forget to configure your xlate timeout to match your connection timeout.
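Option 1 above (have the connection send traffic more often than the firewall's idle timer) is usually done at the host with TCP keepalives, which the firewall sees as ordinary traffic on the existing connection. The following is an added example, not code from the thread or from Cisco: it chooses keepalive timers from the firewall's configured idle timeout (the "start probing at half the timeout" margin is an assumption, not a rule from the thread) and applies them to a socket, handling the per-platform option names that Python's socket module exposes.

```python
import socket
import sys


def keepalive_params(fw_idle_timeout_s: int, probes: int = 3) -> dict:
    """Pick TCP keepalive timers so probes refresh the firewall's idle timer before it expires.

    Rule of thumb used here (an assumption, not from the thread): send the first probe at
    half the firewall timeout, so a lost probe or timer drift on either side still leaves
    margin; follow-up probes are spaced 10 s apart so a dead peer is noticed quickly.
    """
    if fw_idle_timeout_s < 60:
        raise ValueError("firewall idle timeout must be at least 60 s")
    return {"idle": fw_idle_timeout_s // 2, "interval": 10, "count": probes}


def enable_keepalive(sock: socket.socket, fw_idle_timeout_s: int) -> dict:
    """Turn on SO_KEEPALIVE and set the timers; returns the parameters applied."""
    params = keepalive_params(fw_idle_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):            # Linux: seconds of idle before first probe
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, params["idle"])
    elif hasattr(socket, "TCP_KEEPALIVE"):         # macOS: same meaning, different name
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, params["idle"])
    elif sys.platform == "win32":                  # Windows: idle and interval in milliseconds
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, params["idle"] * 1000, params["interval"] * 1000))
    if hasattr(socket, "TCP_KEEPINTVL"):           # seconds between unanswered probes
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, params["interval"])
    if hasattr(socket, "TCP_KEEPCNT"):             # unanswered probes before the socket is dropped
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, params["count"])
    return params


def keepalive_enabled(sock: socket.socket) -> bool:
    """Read the option back so the setting can be verified rather than assumed."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def demo(fw_idle_timeout_s: int = 3600):
    """Apply the settings to an unconnected socket (no traffic is sent) and report them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        params = enable_keepalive(sock, fw_idle_timeout_s)
        return params, keepalive_enabled(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo(3600))   # with the PIX default of one hour: first probe after 30 minutes
```

The timers only take effect on the client or server that owns the socket, so the application (or the library it uses to talk to the database or license manager) has to open its connections this way; the firewall needs no change, and its connection table is not enlarged the way option 3 would enlarge it.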
We have seen similar behavior here. Using Wireshark, windump or tcpdump we found that one particular application we use would initiate two TCP connections.
Connection 1 would attach to a license manager and would send traffic every 2-3 minutes.
Connection 2 would attach to a database and only send TCP traffic when the user (via the application UI) would request data.
When the user went to lunch, Connection 2 would be idle for over an hour. During that time, a firewall or IOS router with firewall feature set would tear down the connection.
Upon returning from lunch, the user would request data from the application and receive an application error.
On the network we would see a TCP PSH from the client to the server (not a SYN,SYN/ACK,ACK) followed immediately by a TCP RST from the server to the client.
We have not isolated who was sending the TCP RST (firewall or router). We do know the RST did not come from the server, so it has to come from a device between the client and server.
My theory is that the 'after lunch PSH' was viewed as malicious because it did not associate with a known connection (it was torn down per an idle timeout) and this device sent the RST to close the client connection.
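The symptom described in this post (a long idle gap, then a data segment with PSH on the old connection that is answered at once by a RST rather than a new SYN/SYN-ACK/ACK handshake) can be spotted in a capture automatically. The following is an added example, not code from the thread: it reads tcpdump-style lines, tracks when each TCP flow was last seen, and reports a PSH that arrives after a gap longer than the firewall's idle timeout and is followed within a second by a RST. The capture text is constructed for the example, and the one-second RST window is an assumption.

```python
import re

# Constructed tcpdump-style sample (not a real capture): a handshake, one query, a long
# idle gap spanning lunch, then the "after lunch PSH" and an immediate RST toward the client.
SAMPLE_CAPTURE = """\
12:01:00.000 IP 10.1.1.5.40000 > 10.2.2.8.1521: Flags [S], seq 1
12:01:00.001 IP 10.2.2.8.1521 > 10.1.1.5.40000: Flags [S.], seq 100, ack 2
12:01:00.002 IP 10.1.1.5.40000 > 10.2.2.8.1521: Flags [.], ack 101
12:01:05.000 IP 10.1.1.5.40000 > 10.2.2.8.1521: Flags [P.], seq 2:50, ack 101
13:30:00.000 IP 10.1.1.5.40000 > 10.2.2.8.1521: Flags [P.], seq 50:90, ack 101
13:30:00.001 IP 10.2.2.8.1521 > 10.1.1.5.40000: Flags [R], seq 101
"""

LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def _seconds(timestamp: str) -> float:
    """HH:MM:SS.fff -> seconds since midnight (a single-day capture is assumed)."""
    hours, minutes, secs = timestamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(secs)


def find_idle_timeout_resets(capture: str, idle_timeout_s: float, rst_window_s: float = 1.0):
    """Return flows where a PSH after an idle gap > idle_timeout_s was met by a prompt RST."""
    last_seen = {}      # flow -> time of the most recent packet
    suspect = {}        # flow -> (idle gap, time of the late PSH)
    findings = []
    for line in capture.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        now = _seconds(match.group(1))
        src = (match.group(2), int(match.group(3)))
        dst = (match.group(4), int(match.group(5)))
        flags = match.group(6)
        flow = tuple(sorted([src, dst]))   # same key for both directions
        if "S" in flags:
            suspect.pop(flow, None)         # a fresh handshake is the healthy case, not a symptom
        elif "R" in flags and flow in suspect:
            gap, psh_time = suspect.pop(flow)
            if now - psh_time <= rst_window_s:
                findings.append({"flow": flow, "idle_gap_s": gap, "rst_from": src})
        elif "P" in flags and flow in last_seen:
            gap = now - last_seen[flow]
            if gap > idle_timeout_s:
                suspect[flow] = (gap, now)
        last_seen[flow] = now
    return findings


if __name__ == "__main__":
    for finding in find_idle_timeout_resets(SAMPLE_CAPTURE, idle_timeout_s=3600):
        print(finding)
```

A hit does not say which device sent the RST; it only shows that the data segment followed an idle period longer than the configured timeout, which points at the conn-table expiry rather than the server. Comparing captures taken on the inside and outside of the firewall narrows down where the RST originates.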