
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3244

Cisco ASA 5505 - Connection from DMZ to internal server closed due to connection timeout


Our webserver located on the DMZ needs to have a persistent TCP connection to a server located on the inside network.
This connection is an ODBC connection to our database. After 1-2 hours the connection is shut down by the ASA due to Connection Timeout. See log entries below.
I guess it has something to do with the connection timeout?
Is it possible to disable timeouts between two hosts and specified ports?

Log entries:
Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz

Running configuration:
fw0# show run
: Saved
ASA Version 7.2(4)
hostname fw0
domain-name company.se
enable password <removed> encrypted
passwd <removed> encrypted
name xxx.xxx.xxx.242 webserver-public-ip description Publik ip till webserver
name company-internal-server description IP till companys interna server
name webserver-inside-ip description Privat IP pa insidan till webserver
name webserver-dmz-ip description Privat IP pa DMZ till webserver
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.241
interface Vlan3
 nameif dmz  
 security-level 50
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server <removed>
 domain-name company.se
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service web_navision_db tcp
 description Koppling till Navision DB
 port-object eq 2407
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark ANY -> WEBSERVER, HTTP
access-list outside_access_in extended permit tcp any host webserver-public-ip eq www
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REQUEST
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in remark ANY -> ANY, ICMP ECHO-REPLY
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in remark DMZ -> INSIDE, ICMP ECHO-REPLY
access-list inside_access_in extended permit icmp any echo-reply
access-list inside_access_in remark WEBSERVER -> INTERN SERVER, TCP/2407
access-list inside_access_in extended permit tcp host webserver-dmz-ip host company-internal-server eq 2407
access-list inside_access_in remark INSIDE -> DMZ, ICMP-ECHO REQUEST
access-list inside_access_in extended permit icmp any echo
access-list inside_access_in remark INSIDE -> OUTSIDE, ANY
access-list inside_access_in extended permit ip any
access-list dmz_access_in remark ANY -> DMZ, ICMP-ECHO REQUEST
access-list dmz_access_in extended permit icmp echo
access-list dmz_access_in remark INSIDE -> DMZ, ANY
access-list dmz_access_in extended permit ip
access-list dmz_access_in remark DMZ ->ANY, ICMP-ECHO REPLY
access-list dmz_access_in extended permit icmp any echo-reply
access-list dmz_access_in remark DMZ -> OUTSIDE, ANY TEMP
access-list dmz_access_in extended permit ip any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (dmz,outside) webserver-public-ip webserver-dmz-ip netmask
static (dmz,inside) webserver-public-ip webserver-dmz-ip netmask
static (inside,dmz) netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside xxx.xxx.xxx.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd address inside
dhcpd dns <removed> <removed> interface inside
dhcpd lease 86400 interface inside
dhcpd domain company.se interface inside
dhcpd enable inside

username admin password <removed> encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end

Thanks in advance.
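The four syslog lines above already contain the whole story: a 302014 teardown whose reason is "Connection timeout" (the idle timer), followed by 106015 "no connection" denies because one side keeps sending on a flow the ASA has forgotten. The script below is an added example, not part of the question or of any reply; it pulls exactly those two events out of ASA syslog so the pattern can be spotted without reading the log by hand. The sample log is constructed from the posted entries (same placeholder host names) with one extra, normally closed flow added for contrast; function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: pick the ASA syslog lines that matter for
# this problem. SAMPLE_LOG is constructed from the entries posted above (same
# placeholder host names) plus one extra teardown line that closed normally.
SAMPLE_LOG='Oct 22 10:18:43 fw0.company.se %ASA-6-302013: Built inbound TCP connection 132988 for dmz:webserver-dmz-ip/1107 (webserver-public-ip/1107) to inside:company-internal-server/2407 (company-internal-server/2407)
Oct 22 10:22:35 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from company-internal-server/2407 to webserver-public-ip/3215 flags ACK  on interface inside
Oct 22 12:29:55 fw0.company.se %ASA-6-302014: Teardown TCP connection 132988 for dmz:webserver-dmz-ip/1107 to inside:company-internal-server/2407 duration 2:11:10 bytes 60135419 Connection timeout
Oct 22 12:30:10 fw0.company.se %ASA-6-302014: Teardown TCP connection 132990 for dmz:webserver-dmz-ip/1200 to inside:company-internal-server/2407 duration 0:00:05 bytes 1024 TCP FINs
Oct 22 13:20:59 fw0.company.se %ASA-6-106015: Deny TCP (no connection) from webserver-dmz-ip/1107 to company-internal-server/2407 flags PSH ACK  on interface dmz'

# idle_teardowns HOST PORT
# Prints "<conn-id> <duration>" for every %ASA-6-302014 teardown of a flow to
# HOST/PORT whose stated reason is "Connection timeout" (the idle timer, i.e.
# "timeout conn"), ignoring flows that ended with normal FINs or resets.
idle_teardowns() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v host="$1" -v port="$2" '
    /%ASA-6-302014: Teardown TCP connection/ && /Connection timeout$/ {
      id = ""; dur = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "connection") id = $(i + 1)
        if ($i == "to")         dst = $(i + 1)
        if ($i == "duration")   dur = $(i + 1)
      }
      sub(/^[A-Za-z0-9_-]+:/, "", dst)   # drop the "inside:" interface prefix
      if (dst == host "/" port) print id, dur
    }'
}

# orphan_denies SRC PORT
# Counts %ASA-6-106015 "Deny TCP (no connection)" events where SRC keeps sending
# to PORT after the firewall has dropped the flow. A teardown followed by these
# denies from the same source port is the signature of a client that never
# noticed the connection was gone, which is what the ODBC driver did here.
orphan_denies() {
  printf '%s\n' "$SAMPLE_LOG" \
    | grep -c "%ASA-6-106015: Deny TCP (no connection) from $1/[0-9]* to [^ ]*/$2 " \
    || true   # grep exits 1 when the count is 0; keep the script going
}

# Stand-alone usage: the flow to the database and the denies that followed it
idle_teardowns company-internal-server 2407
orphan_denies webserver-dmz-ip 2407
```

On a real box, replace the embedded sample with the file that `logging host inside` feeds (or `show logging` output) and run it against the two hosts from the access list; a non-empty `idle_teardowns` result paired with a non-zero `orphan_denies` count for the same source port says the application, not the firewall, is the side that needs fixing.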
1 Solution

The reason the flow is terminated is inactivity; on the remote side you need to program a TCP NOOP command to be executed at a set time to keep the flow active. This could be scripted on the remote end via cron and wget etc.

harbor235 ;}

mpwizardAuthor Commented:
So it should be sufficient to use for example a telnet client on dmz connecting to a server on the inside and immediately disconnecting the connection every 10-15 minutes?

How about policy-maps?


Sure, but think about what is going on here: if you increase the timeouts, which means you will keep more flows in your table for a longer time, then your security posture is weakened because anyone can now open connections to your inside boxes, terminate them and open more, and your FW will not age them out. You use more resources and set yourself up for DOS attacks based on resource depletion.

The changes you make affect the application in general. I am not saying do not do it, I am saying be careful and think of the outcome. Trying to do something on the remote end for the one TCP session will not impact the rest of the resources on the firewall like increasing the timers would.

harbor235 ;}
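On the "How about policy-maps?" question above: the ASA can apply a connection timeout to a class of traffic instead of to every flow, which keeps the global `timeout conn 1:00:00` (and the resource argument harbor235 makes) intact while the one ODBC flow gets a longer idle timer. The fragment below is an added example, not configuration from the thread or from the original poster's box. It reuses the host names and the port from the posted config; the ACL, class-map and policy-map names are my own, the timer value is illustrative, and `set connection timeout tcp` is the 7.x syntax (later releases spell the same idle timer `set connection timeout idle`).

```cisco
! Added example (not from the thread). Names webserver-dmz-ip and
! company-internal-server and port 2407 come from the posted running config;
! dmz_navision_db, navision_db_class and dmz_policy are assumed names.
!
! 1. Match only the one flow that needs a longer idle timer.
access-list dmz_navision_db extended permit tcp host webserver-dmz-ip host company-internal-server eq 2407
!
class-map navision_db_class
 description Webserver (DMZ) -> Navision DB (inside), TCP/2407
 match access-list dmz_navision_db
!
! 2. A separate policy for the dmz interface; global_policy stays as it is.
!    8:00:00 is an example value. 0:00:00 would disable the idle timer for
!    this flow entirely; a bounded value is the safer choice, and conn-max
!    caps how many such flows the pair can hold open, which limits the
!    resource-depletion exposure of the longer timer.
policy-map dmz_policy
 class navision_db_class
  set connection timeout tcp 8:00:00
  set connection conn-max 10
!
! 3. Interface service policy; flows matching the class on dmz get the
!    class settings, everything else keeps the global "timeout conn".
service-policy dmz_policy interface dmz
```

After applying it, `show service-policy interface dmz` confirms the class is attached and counting packets, and `show conn detail` lists the 2407 flow with its idle time so you can watch it survive past the one-hour mark the global timer would have enforced. Note that only flows built after the policy is in place pick up the new timer, and that this does nothing for the application-side bug the later comments describe: a driver that keeps writing to a dead socket will still break once any timer expires.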

mpwizardAuthor Commented:
Just for clarification; when the ASA tears down a TCP connection due to inactivity, does it send FIN to both endpoints?

Something I wonder about your suggested method; I can't be sure that I "refresh" the right connection because the ODBC driver may have opened multiple connections to the database server?


It's not a proxy; it does however perform sequence number randomization for security purposes. So it inspects and passes the traffic through if it is allowed via the security policy and if it expects that traffic in the flow.

i.e. you cannot send a FIN through a FW if there is no flow; it expects the SYN, SYN-ACK, ACK to be there first.

Why does the connection have to stay up? Like I said you can change the timeouts but you are leaving yourself open or you are weakening your security posture.

harbor235 ;}
mpwizardAuthor Commented:
Why it has to stay up is because of some bug in the Navision ODBC driver or in the "php application" used for the site.
We use SiteDirect as web publishing tool; it is a web/PHP based tool.

It seems that the ODBC driver doesn't realize that the connection has been torn down because it just keeps on sending data. Normal behaviour should be that ODBC starts up a new connection.
When this happens our customers can't use the webshop and we have to manually restart IIS.
mpwizardAuthor Commented:
I updated the ODBC driver and now it seems to work without increasing the time-out.

