Solved

Cisco ASA 5505 - Connection from DMZ to internal server closed due to connection timeout

Posted on 2008-10-22
Last Modified: 2008-11-05
Hi!


Our webserver located on the DMZ needs to have a persistent TCP connection to a server located on the inside network.
This connection is an ODBC connection to our database. After 1-2 hours the connection is shut down by the ASA due to Connection Timeout. See log entries below.
I guess it has something to do with the connection timeout?
Is it possible to disable timeouts between two hosts and specified ports?


Log entries:
Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz

Running configuration:
fw0# show run
: Saved
:
ASA Version 7.2(4)
!
hostname fw0
domain-name company.se
enable password <removed> encrypted
passwd <removed> encrypted
names
name xxx.xxx.xxx.242 webserver-public-ip description Publik ip till webserver
name 192.168.31.1 company-internal-server description IP till companys interna server
name 192.168.31.250 webserver-inside-ip description Privat IP pa insidan till webserver
name 192.168.0.1 webserver-dmz-ip description Privat IP pa DMZ till webserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.31.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.241 255.255.255.192
!
interface Vlan3
 nameif dmz  
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server <removed>
 domain-name company.se
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service web_navision_db tcp
 description Koppling till Navision DB
 port-object eq 2407
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark ANY -> WEBSERVER, HTTP
access-list outside_access_in extended permit tcp any host webserver-public-ip eq www
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REQUEST
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REPLY
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in remark DMZ -> INSIDE, ICMP ECHO-REPLY
access-list inside_access_in extended permit icmp any 192.168.31.0 255.255.255.0 echo-reply
access-list inside_access_in remark WEBSERVER -> INTERN SERVER, TCP/2407
access-list inside_access_in extended permit tcp host webserver-dmz-ip host company-internal-server eq 2407
access-list inside_access_in remark INSIDE -> DMZ, ICMP-ECHO REQUEST
access-list inside_access_in extended permit icmp 192.168.31.0 255.255.255.0 any echo
access-list inside_access_in remark INSIDE -> OUTSIDE, ANY
access-list inside_access_in extended permit ip 192.168.31.0 255.255.255.0 any
access-list dmz_access_in remark ANY -> DMZ, ICMP-ECHO REQUEST
access-list dmz_access_in extended permit icmp 192.168.31.0 255.255.255.0 192.168.0.0 255.255.255.0 echo
access-list dmz_access_in remark INSIDE -> DMZ, ANY
access-list dmz_access_in extended permit ip 192.168.31.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_access_in remark DMZ ->ANY, ICMP-ECHO REPLY
access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.255.0 any echo-reply
access-list dmz_access_in remark DMZ -> OUTSIDE, ANY TEMP
access-list dmz_access_in extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 192.168.31.50
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) webserver-public-ip webserver-dmz-ip netmask 255.255.255.255
static (dmz,inside) webserver-public-ip webserver-dmz-ip netmask 255.255.255.255
static (inside,dmz) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.31.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.31.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 193.13.74.241
!
dhcpd address 192.168.31.110-192.168.31.189 inside
dhcpd dns <removed> <removed> interface inside
dhcpd lease 86400 interface inside
dhcpd domain company.se interface inside
dhcpd enable inside
!

username admin password <removed> encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:<removed>
: end


Thanks in advance.
CJ
Question by:mpwizard
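As an added example (not from the question or any of the answers), here is a small correlator for the three syslog message types shown above, with the asker's four lines embedded as constructed sample input. It ties the 302014 teardown to the later 106015 deny on the same 5-tuple, which is exactly the symptom described: the DMZ host is still pushing data (flags PSH ACK) on a flow the ASA has already aged out. It also derives when the flow last carried traffic from the teardown's duration and the idle timeout (assumed to be the `timeout conn 1:00:00` from the running config). The NAT handling uses the mapped addresses in the Built message so that a deny logged on the inside interface with the translated address would match as well.

```python
import re

# Constructed sample input, modelled on the four log lines in the question
# (the host names are the asker's placeholders, not real addresses).
SAMPLE_LOG = """\
Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz
"""

HOST = r"[\w.-]+"
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
# 302013: real addresses, with the NAT-translated address in parentheses
BUILT_RE = re.compile(
    rf"%ASA-6-302013: Built \w+ TCP connection (?P<id>\d+) for "
    rf"\w+:(?P<src>{HOST})/(?P<sport>\d+) \((?P<msrc>{HOST})/(?P<msport>\d+)\) to "
    rf"\w+:(?P<dst>{HOST})/(?P<dport>\d+) \((?P<mdst>{HOST})/(?P<mdport>\d+)\)"
)
# 302014: teardown with lifetime, byte count and reason
TEARDOWN_RE = re.compile(
    rf"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    rf"\w+:(?P<src>{HOST})/(?P<sport>\d+) to \w+:(?P<dst>{HOST})/(?P<dport>\d+) "
    rf"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
# 106015: a TCP segment that matches no connection in the state table
DENY_RE = re.compile(
    rf"%ASA-6-106015: Deny TCP \(no connection\) from "
    rf"(?P<src>{HOST})/(?P<sport>\d+) to (?P<dst>{HOST})/(?P<dport>\d+) "
    rf"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)


def hms_to_seconds(hms):
    """'2:11:10' -> 7870"""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def analyse(log_text, idle_timeout_s=3600):
    """Correlate Built/Teardown/Deny messages for TCP flows.

    idle_timeout_s is the ASA's 'timeout conn' (1:00:00 in the posted config).
    Returns a dict with
      timed_out    - flows aged out for 'Connection timeout', keyed by conn id
      stale_sends  - 106015 denies whose 5-tuple (real or NAT-mapped) belongs to
                     such a flow: an endpoint still sending on a dead connection
      other_denies - 106015 denies that match no known timed-out flow
    """
    built = {}       # conn id -> mapped 5-tuple from the Built message
    timed_out = {}   # 5-tuple -> teardown record (real and mapped tuples alias)
    report = {"timed_out": {}, "stale_sends": [], "other_denies": []}
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        ts = ts["ts"] if ts else "?"
        if m := BUILT_RE.search(line):
            built[m["id"]] = (m["msrc"], m["msport"], m["mdst"], m["mdport"])
        elif (m := TEARDOWN_RE.search(line)) and m["reason"] == "Connection timeout":
            lifetime = hms_to_seconds(m["duration"])
            rec = {
                "ts": ts, "id": m["id"], "bytes": int(m["bytes"]), "duration_s": lifetime,
                # the flow was silent for the whole idle_timeout_s before teardown,
                # so the last real traffic was this many seconds after it was built
                "last_traffic_age_s": lifetime - idle_timeout_s,
            }
            for key in {(m["src"], m["sport"], m["dst"], m["dport"]), built.get(m["id"])}:
                if key:
                    timed_out[key] = rec
            report["timed_out"][m["id"]] = rec
        elif m := DENY_RE.search(line):
            fwd = (m["src"], m["sport"], m["dst"], m["dport"])
            rev = (m["dst"], m["dport"], m["src"], m["sport"])
            entry = {"ts": ts, "flow": fwd, "flags": m["flags"], "iface": m["iface"]}
            hit = timed_out.get(fwd) or timed_out.get(rev)
            if hit:
                entry["conn_id"] = hit["id"]
                report["stale_sends"].append(entry)
            else:
                report["other_denies"].append(entry)
    return report


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["stale_sends"]:
        print(f"{finding['ts']}: endpoint still sending on aged-out conn {finding['conn_id']} "
              f"({' -> '.join(finding['flow'][::2])}, flags {finding['flags']}, iface {finding['iface']})")
```

Run against the sample, the 13:20:59 deny is reported as a stale send on connection 132988, while the 10:22:35 deny (a different port, before any teardown) stays in `other_denies`. The derived `last_traffic_age_s` of 4270 s says the ODBC flow went quiet about 71 minutes after it was built, which is the number to compare against the application's own pooling or idle settings.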
7 Comments
 
Accepted Solution by: harbor235 (earned 500 total points)

The reason the flow is terminated is because of inactivity; on the remote side you need to program a TCP NOOP command to be executed at a set time to keep the flow active. This could be scripted on the remote end via cron and wget, etc.

harbor235 ;}


Author Comment by: mpwizard
So it should be sufficient to use, for example, a telnet client on the DMZ connecting to a server on the inside and immediately disconnecting every 10-15 minutes?

How about policy-maps?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml

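The keepalive approach in the accepted answer only helps if the refreshing traffic rides on the same TCP connection the ASA is tracking: the conn idle timer is kept per flow (per 5-tuple), so a separate telnet session opened and closed every 10-15 minutes creates and ages out its own flow and leaves the ODBC flow's timer untouched. The following added example (my code, not from this thread or from Cisco) shows the application-side way to do that with kernel TCP keepalives on the socket, armed with an idle period shorter than the firewall's `timeout conn 1:00:00`. It assumes Linux or macOS socket option names and uses a loopback server only for the stand-alone demo.

```python
import socket

# The ASA in the question ages out an idle TCP flow after 'timeout conn 1:00:00'.
FIREWALL_IDLE_TIMEOUT_S = 3600

# Socket option names differ per platform (assumption: Linux names, macOS fallback;
# Windows exposes the same knobs through the registry or WSAIoctl instead).
_KEEPIDLE = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
_KEEPINTVL = getattr(socket, "TCP_KEEPINTVL", None)
_KEEPCNT = getattr(socket, "TCP_KEEPCNT", None)


def probes_refresh_in_time(fw_idle_timeout_s, idle_s):
    """True if the first keepalive probe leaves before the firewall's idle timer expires.

    Only the first probe matters for keeping the flow in the state table: it and the
    peer's answer are segments of the same connection, so the firewall counts them as
    traffic and restarts the idle timer. Leave headroom for clock skew and a lost probe.
    """
    return 0 < idle_s < fw_idle_timeout_s


def enable_tcp_keepalive(sock, idle_s=600, interval_s=60, count=5):
    """Arm kernel TCP keepalives on an established socket; return what took effect."""
    if not probes_refresh_in_time(FIREWALL_IDLE_TIMEOUT_S, idle_s):
        raise ValueError(f"idle_s={idle_s} would not beat the firewall timeout")
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    effective = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, opt, value in (("idle_s", _KEEPIDLE, idle_s),
                             ("interval_s", _KEEPINTVL, interval_s),
                             ("count", _KEEPCNT, count)):
        if opt is None:          # option not available on this platform
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        effective[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return effective


def demo():
    """Stand-alone check over loopback: open a connection and arm keepalives on it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    client = socket.create_connection(server.getsockname())
    try:
        return enable_tcp_keepalive(client, idle_s=600, interval_s=60, count=5)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(demo())
```

With idle 600 s the first probe goes out ten minutes into any silence, well inside the one-hour firewall timer, and a dead peer is noticed after roughly 600 + 5 × 60 s. Whether this is usable depends on the ODBC driver exposing the socket or honouring the OS-wide keepalive defaults; if it cannot, the firewall-side alternative is to scope a longer timeout to this one flow with a class-map and policy-map (the Cisco document linked in the comment above) rather than raising the global `timeout conn`.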
Expert Comment by: harbor235

Sure, but think about what is going on here: if you increase the timeouts, which means you will keep more flows in your table for a longer time, then your security posture is weakened because anyone can now open connections to your inside boxes, terminate them and open more, and your FW will not age them out. You use more resources and set yourself up for DOS attacks based on resource depletion.

The changes you make affect the application in general. I am not saying do not do it, I am saying be careful and think of the outcome. Trying to do something on the remote end for the one TCP session will not impact the rest of the resources on the firewall like increasing the timers.

harbor235 ;}

Author Comment by: mpwizard
Just for clarification; when the ASA tears down a TCP connection due to inactivity, does it send FIN to both endpoints?

Something I wonder about your suggested method: I can't be sure that I "refresh" the right connection, because the ODBC driver may have opened multiple connections to the database server.

Expert Comment by: harbor235

It's not a proxy; it does, however, perform sequence number randomization for security purposes. So it inspects and passes the traffic through if it is allowed via the security policy and if it expects that traffic in the flow.

i.e. you cannot send a FIN through a FW if there is no flow; it expects the SYN, SYN-ACK, ACK to be there first.

Why does the connection have to stay up? Like I said you can change the timeouts but you are leaving yourself open or you are weakening your security posture.

harbor235 ;}

Author Comment by: mpwizard
Why it has to stay up is because of some bug in the Navision ODBC driver or in the "PHP application" used for the site.
We use SiteDirect as web publishing tool; it is a web/PHP based tool.

It seems that the ODBC driver doesn't realize that the connection has been torn down, because it just keeps on sending data. Normal behaviour should be that ODBC starts up a new connection.
When this happens our customers can't use the webshop and we have to manually restart IIS.

Author Comment by: mpwizard
I updated the ODBC driver and now it seems to work without increasing the time-out.
