teleformix

asked on

Dead connection detection

We have a problem.  We just built out a brand new center where we deployed a Cisco ASA 5510 firewall.  The firewall is great.  The problem I have is with an application talking to a database across a policed firewall interface.

webapp  ->  Cisco ASA 5510  ->  informix database server

Basically we have an application sitting in a DMZ that needs to talk to a database on our private network.  After a period of time these connections stop working.  They are valid connections but they still end up timing out (I don't know how active they are, sometimes I would guess not very).  The biggest problem is that to the application these connections appear to be hung and we have to reset the app to recover.

I've read about Cisco's DCD (dead connection detection) and thought this might solve our problem.

Has anyone used this?  Am I crazy for thinking this could be our solution?  Can someone provide some good examples of how to implement this properly?

Here's a snippet of the ACL we are using.  Timeouts are the default - out of the box - settings.

access-list Public_DMZ_access_in line 9 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=42443)
access-list Public_DMZ_access_in line 10 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=137)
access-list Public_DMZ_access_in line 11 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=78)
access-list Public_DMZ_access_in line 12 extended permit tcp host <ip_removed> host <ip_removed>  eq 2020 (hitcnt=3787)
access-list Public_DMZ_access_in line 13 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=766)
access-list Public_DMZ_access_in line 17 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=0)
access-list Public_DMZ_access_in line 18 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=0)
access-list Public_DMZ_access_in line 19 extended permit tcp host <ip_removed>  host <ip_removed>  eq 2020 (hitcnt=430)
access-list Public_DMZ_access_in line 20 extended permit tcp host <ip_removed> host <ip_removed>  eq 2020 (hitcnt=1267)
exclamationsoft

If the webapp uses ODBC (and what doesn't these days) you may also want to turn on ODBC logging to see if there is an error coming back from Informix when the connection is dropped.  Just thinking that there may be a problem with Informix and it will eliminate the possibility of an application/database error or bug.
ASKER CERTIFIED SOLUTION
teleformix
