We have a vendor network connected to a DMZ interface on a PIX 515.
The PIX interface (DMZ2) is addressed on the same subnet as the Ethernet interface of the vendor network.
One of the applications in use utilizes a "persistent" TCP connection to a specific port on the vendor (server) side.
We found that after approx. 1 hour the connection between client and server would drop. Although the application appeared to be up, no data would pass.
Upon troubleshooting, we noticed a TCP RST from the vendor server. This was captured on an interior Checkpoint Firewall. The RST packet appeared to be coming from the IP address of the server. Further troubleshooting revealed that the packet was originating from the PIX firewall.
Is this expected behavior? After increasing the TCP timeout setting, the problem went away.
It seems like the PIX is resetting the connection based on the default connection timeout setting. By default, any idle TCP connection will be reset after one hour. You can adjust this timeout setting with the 'timeout conn' command. You can verify that this is the issue by reviewing the syslog messages at level 6. If you see the connection teardown message stating connection timeout, then you have the culprit.
It is normal behavior for the Pix to timeout and close inactive sessions. If the pix does not move any data for the connection, it will be considered idle and timeout according to the default entries shown by [show timeout].
If the pix did not time out inactive sessions, the connection table would continue to grow until the pix exhausted all its memory. This is normal behavior for all firewalls to prevent this problem.
What type of OS are the client and server? If it's *nix, you can configure keepalives to prevent this. If it's Windows, you're probably screwed.
Do you expect your application to be quiet for periods longer than 30 minutes? That is the default timer for connected sessions. You can increase it, but be careful about making it too long. This will be based on the firewall model, available RAM, and the number of sessions it must normally deal with.
[timeout conn 1:00:00] would increase it to one hour.
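As an added example (not from this thread), the client-side fix the reply above suggests for *nix hosts: turn on TCP keepalives on the application's socket with timings derived from the firewall's idle timeout, so the PIX keeps seeing traffic on the flow and never tears it down. The helper names, the loopback demo and the "probe at half the idle timer" rule are my own assumptions; the option names are the Linux ones, with the macOS fallback for the idle value.

```python
import socket

def keepalive_params(firewall_idle_seconds, probes=3):
    """Pick keepalive timings that fire well before the firewall's idle timer.

    First probe at half the firewall idle timeout (assumed rule of thumb), then
    the remaining probes spaced so a dead peer is declared before the firewall
    would have torn the flow down anyway.
    """
    if firewall_idle_seconds < 10:
        raise ValueError("firewall idle timeout too short to keep alive sensibly")
    idle = max(1, firewall_idle_seconds // 2)
    interval = max(1, (firewall_idle_seconds - idle) // (probes + 1))
    return idle, interval, probes

def enable_keepalive(sock, firewall_idle_seconds, probes=3):
    """Enable SO_KEEPALIVE on a connected TCP socket and tune its timers."""
    idle, interval, count = keepalive_params(firewall_idle_seconds, probes)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux exposes TCP_KEEPIDLE; macOS calls the same knob TCP_KEEPALIVE.
    keepidle = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if keepidle is not None:
        sock.setsockopt(socket.IPPROTO_TCP, keepidle, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle, interval, count

def demo_loopback(firewall_idle_seconds=3600):
    """Constructed demo: a loopback TCP pair standing in for client and vendor server.

    3600 s matches the one-hour PIX default discussed above ('timeout conn 1:00:00').
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    try:
        idle, interval, count = enable_keepalive(cli, firewall_idle_seconds)
        keepidle = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
        idle_readback = cli.getsockopt(socket.IPPROTO_TCP, keepidle) if keepidle else None
        return {
            "so_keepalive": cli.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
            "idle": idle, "interval": interval, "count": count,
            "idle_readback": idle_readback,
        }
    finally:
        conn.close(); cli.close(); srv.close()
```

With a 3600 s firewall timer this sends the first probe at 1800 s and declares a dead peer by about 3150 s, still inside the firewall's window, so the connection table entry is either refreshed or cleanly closed by the client.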