Cisco ASA 5505 - Connection from DMZ to internal server closed due to connection timeout

Posted on 2008-10-22
Medium Priority
Last Modified: 2008-11-05

Our webserver located on the DMZ needs to have a persistent TCP connection to a server located on the inside network.
This connection is an ODBC connection to our database. After 1-2 hours the connection is shut down by the ASA due to Connection Timeout. See log entries below.
I guess it has something to do with the connection timeout?
Is it possible to disable timeouts between two hosts and specified ports?

Log entry:
Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz

Running configuration:
fw0# show run
: Saved
ASA Version 7.2(4)
hostname fw0
domain-name company.se
enable password <removed> encrypted
passwd <removed> encrypted
name xxx.xxx.xxx.242 webserver-public-ip description Publik ip till webserver
name company-internal-server description IP till companys interna server
name webserver-inside-ip description Privat IP pa insidan till webserver
name webserver-dmz-ip description Privat IP pa DMZ till webserver
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.241
interface Vlan3
 nameif dmz  
 security-level 50
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server <removed>
 domain-name company.se
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service web_navision_db tcp
 description Koppling till Navision DB
 port-object eq 2407
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark ANY -> WEBSERVER, HTTP
access-list outside_access_in extended permit tcp any host webserver-public-ip eq www
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REQUEST
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REPLY
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in remark DMZ -> INSIDE, ICMP ECHO-REPLY
access-list inside_access_in extended permit icmp any echo-reply
access-list inside_access_in remark WEBSERVER -> INTERN SERVER, TCP/2407
access-list inside_access_in extended permit tcp host webserver-dmz-ip host company-internal-server eq 2407
access-list inside_access_in remark INSIDE -> DMZ, ICMP-ECHO REQUEST
access-list inside_access_in extended permit icmp any echo
access-list inside_access_in remark INSIDE -> OUTSIDE, ANY
access-list inside_access_in extended permit ip any
access-list dmz_access_in remark ANY -> DMZ, ICMP-ECHO REQUEST
access-list dmz_access_in extended permit icmp echo
access-list dmz_access_in remark INSIDE -> DMZ, ANY
access-list dmz_access_in extended permit ip
access-list dmz_access_in remark DMZ ->ANY, ICMP-ECHO REPLY
access-list dmz_access_in extended permit icmp any echo-reply
access-list dmz_access_in remark DMZ -> OUTSIDE, ANY TEMP
access-list dmz_access_in extended permit ip any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (dmz,outside) webserver-public-ip webserver-dmz-ip netmask
static (dmz,inside) webserver-public-ip webserver-dmz-ip netmask
static (inside,dmz) netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside xxx.xxx.xxx.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd address inside
dhcpd dns <removed> <removed> interface inside
dhcpd lease 86400 interface inside
dhcpd domain company.se interface inside
dhcpd enable inside

username admin password <removed> encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end

Thanks in advance.
Question by: mpwizard
Accepted Solution

harbor235 earned 1500 total points
ID: 22776840

The reason the flow is terminated is inactivity; on the remote side you need to program a TCP NOOP command to be executed at a set time to keep the flow active. This could be scripted on the remote end via cron and wget etc.

harbor235 ;}


Author Comment

ID: 22777103
So it should be sufficient to use, for example, a telnet client on the DMZ connecting to a server on the inside and immediately disconnecting every 10-15 minutes?

How about policy-maps?


Expert Comment

ID: 22777505

Sure, but think about what is going on here. If you increase the timeouts, which means you will keep more flows in your table for a longer time, then your security posture is weakened, because anyone can now open connections to your inside boxes, terminate them and open more, and your FW will not age them out. You use more resources and set yourself up for DoS attacks based on resource depletion.

The changes you make affect the application in general. I am not saying do not do it, I am saying be careful and think of the outcome. Trying to do something on the remote end for the one TCP session will not impact the rest of the resources on the firewall like increasing the timers would.

harbor235 ;}
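The asker's question about policy-maps and harbor235's objection to raising the global `timeout conn` can be reconciled with the ASA's Modular Policy Framework: a longer idle timeout applied only to the one DMZ-to-database flow, while every other connection keeps the default aging. This is an added example, not part of the thread or its posted running config; the access-list, class-map and policy-map names are made up, the host names are the ones defined in the config, and the `set connection timeout tcp` keyword is assumed to match this 7.2(4) release (newer releases renamed that keyword, so check `set connection timeout ?` before pasting).

```cisco
! Added example (not from the thread's running config): scope a longer idle
! timeout to the single DMZ -> inside ODBC flow instead of raising the global
! "timeout conn 1:00:00". Host names come from the posted config; the
! access-list, class-map and policy-map names are invented here.
access-list dmz_navision_db extended permit tcp host webserver-dmz-ip host company-internal-server eq 2407
!
class-map navision_db_flow
 description Only the webserver -> Navision DB connection (TCP/2407)
 match access-list dmz_navision_db
!
! 3 hours idle before teardown. "reset" makes the ASA send a RST to both
! endpoints when the teardown does happen, so a client that does not notice
! a silent teardown (the ODBC driver behaviour described in the thread)
! gets an explicit signal instead of pushing data into a dead flow.
! 0:00:00 would disable the idle timeout for this class entirely; avoid it,
! since that recreates the resource-depletion exposure harbor235 warns about.
policy-map dmz_policy
 class navision_db_flow
  set connection timeout tcp 3:00:00 reset
!
! Interface policy on dmz, where the SYN for this flow arrives. The existing
! global_policy (protocol inspections) continues to apply alongside it.
service-policy dmz_policy interface dmz
!
! Verification after the webserver reconnects:
!   show service-policy interface dmz
!   show conn address company-internal-server port 2407 detail
```

Because the class matches only that one host pair and port, the denied-packet and teardown log lines from the question stay meaningful for every other flow, and the firewall's state table is not exposed to long-lived connections from arbitrary sources.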

Author Comment

ID: 22784203
Just for clarification: when the ASA tears down a TCP connection due to inactivity, does it send a FIN to both endpoints?

Something I wonder about your suggested method: I can't be sure that I "refresh" the right connection, because the ODBC driver may have opened multiple connections to the database server.


Expert Comment

ID: 22786181

It's not a proxy; it does however perform sequence number randomization for security purposes. So it inspects and passes the traffic through if it is allowed via the security policy and if it expects that traffic in the flow.

i.e. you cannot send a FIN through a FW if there is no flow; it expects the SYN, SYN-ACK, ACK to be there first.

Why does the connection have to stay up? Like I said, you can change the timeouts, but you are leaving yourself open, or you are weakening your security posture.

harbor235 ;}

Author Comment

ID: 22786721
Why it has to stay up is because of some bug in the Navision ODBC driver or in the "PHP application" used for the site.
We use SiteDirect as web publishing tool; it is a web/PHP based tool.

It seems that the ODBC driver doesn't realize that the connection has been torn down, because it just keeps on sending data. Normal behaviour would be for ODBC to start up a new connection.
When this happens our customers can't use the webshop and we have to manually restart IIS.

Author Comment

ID: 22830317
I updated the ODBC driver and now it seems to work without increasing the time-out.

