TCP Connection timeout

hinesd
Level 1

We have a vendor network connected to a DMZ interface on a PIX 515.

The PIX interface (DMZ2) is addressed on the same subnet as the ethernet interface of the vendor network.

One of the applications in use utilizes a "persistent" TCP connection to a specific port on the vendor (server) side.

We found that after approx 1 hour the connection between client and server would drop. Although the application appeared to be up, no data would pass.

Upon troubleshooting, we noticed a TCP RST from the vendor server. This was captured on an interior Checkpoint Firewall. The RST packet appeared to be coming from the IP address of the server. Further troubleshooting revealed that the packet was originating from the PIX firewall.

Is this expected behavior? After increasing the TCP timeout setting, the problem went away.

4 Replies

msitzman
Cisco Employee

It seems like the PIX is resetting the connection based on the default connection timeout setting. By default, an idle TCP connection will be reset after one hour. You can adjust this timeout setting with the 'timeout conn' command. You can verify that this is the issue by reviewing the syslog messages at level 6. If you see the connection teardown message stating connection timeout, then you have the culprit.

Marcus

Marcus,

thanks for the reply. I will run the syslog, but is this expected behavior, for the PIX to offer the RST on behalf of the far end host?

I would not expect the PIX to do anything but simply close its conn. The PIX will start resetting conns if the host hits limits in the number of embryonic or established connections.

The syslog messages will indicate this as well...

Marcus

It is normal behavior for the Pix to timeout and close inactive sessions. If the pix does not move any data for the connection, it will be considered idle and timeout according to the default entries shown by [show timeout].

If the pix did not time out inactive sessions, the connection table would continue to grow until the pix exhausted all its memory. This is normal behavior for all firewalls to prevent this problem.

What type of OS are the client and server? If it's *nix, you can configure keepalives to prevent this. If it's Windows, you're probably screwed.

Do you expect your application to be quiet for periods longer than 30 minutes? That is the default timer for connected sessions. You can increase it, but be careful about making it too long. This will be based on the firewall model, available RAM, and the number of sessions it must normally deal with.

[timeout conn 1:00:00] would increase it to one hour.

-Shannon
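To confirm Marcus's diagnosis from the level-6 syslog rather than by eye, here is an added example (not code from the thread or from Cisco) that picks out TCP teardown messages whose reason is "Connection timeout" and tallies teardown reasons. The %PIX-6-302014 message layout is assumed from the PIX/ASA "Teardown TCP connection" format, and the sample lines, addresses and port 5000 are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog, assumed to follow the %PIX-6-302014 teardown
# message layout; addresses, ports and byte counts are made up.
SAMPLE_SYSLOG = """\
%PIX-6-302014: Teardown TCP connection 1001 for dmz2:10.10.10.5/5000 to inside:192.168.1.20/40321 duration 1:00:00 bytes 48212 Connection timeout
%PIX-6-302014: Teardown TCP connection 1002 for outside:203.0.113.7/443 to inside:192.168.1.31/51002 duration 0:02:11 bytes 9011 TCP FINs
%PIX-6-302014: Teardown TCP connection 1003 for dmz2:10.10.10.5/5000 to inside:192.168.1.22/40555 duration 1:00:02 bytes 120 (Connection timeout)
%PIX-6-302014: Teardown TCP connection 1004 for outside:203.0.113.9/22 to inside:192.168.1.40/55555 duration 0:10:44 bytes 7731 TCP Reset-O
"""

# Reason may appear bare (newer) or in parentheses (older PIX images).
TEARDOWN_RE = re.compile(
    r"%(?:PIX|ASA)-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src>\S+) to (?P<dst>\S+) duration (?P<dur>\d+:\d{2}:\d{2}) "
    r"bytes (?P<bytes>\d+)\s*\(?(?P<reason>[^)]*)\)?\s*$"
)

def duration_seconds(hms):
    """Convert the h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_teardowns(text):
    """One dict per 302014 line; other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["reason"] = e["reason"].strip()
            e["seconds"] = duration_seconds(e["dur"])
            events.append(e)
    return events

def reason_counts(text):
    """How many teardowns each reason accounts for (FIN/RST vs. idle timer)."""
    return Counter(e["reason"] for e in parse_teardowns(text))

def idle_timeouts(text, server_port=None):
    """Teardowns reaped by the idle timer, optionally only those touching
    the vendor's server port; endpoints look like iface:ip/port."""
    hits = []
    for e in parse_teardowns(text):
        if e["reason"] != "Connection timeout":
            continue
        ports = {int(ep.rsplit("/", 1)[1]) for ep in (e["src"], e["dst"])}
        if server_port is None or server_port in ports:
            hits.append(e)
    return hits
```

Feed it `show logging` output (or the syslog server's file) after setting logging to level 6; a steady stream of "Connection timeout" teardowns on the vendor port, each with a duration at or above the configured timeout conn value, is the signature Marcus describes.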
