FIN Timeout
Posted by on August 26, 2005, 1:18 pm

Hi, I have a problem with Cisco Firewall Pix 515E. I setup a FTP service on the DMZ zone on a Windows 2003 Server. A client can connect to the Ftp service from the Internet, but when he is working in Passive mode the client is being disconnected after about 1 minute of inactivity. On IIS the inactive time is set to 3600 seconds, and when I connect from the internal site everything is fine, so I think it's a firewall problem. In the firewall log I have this:

Built inbound TCP connection 915578 for outside:xx.xx.xx.xx/50601 (xx.xx.xx.xx/50601) to dmz:10.10.10.20/5512 (10.10.10.20/5512)
Teardown TCP connection 915578 for outside:xx.xx.xx.xx/50601 to dmz:10.10.10.20/5512 duration 0:00:01 bytes 20867 TCP FINs
Teardown TCP connection 914797 for outside:xx.xx.xx.xx/50765 to dmz:10.10.10.20/21 duration 0:37:20 bytes 686 FIN Timeout

Do I have something wrong with the configuration?
Thank you for help
Kevin
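The three log lines tell most of the story once they are parsed rather than read by eye: the data connection to port 5512 (inside the 5500-5700 passive range mentioned later in the thread) closed cleanly after one second with about 20 KB transferred, while the control connection to port 21 lived for 37 minutes and was torn down by the firewall with "FIN Timeout". The following Python is an added example, not code from the thread: it parses PIX "Teardown TCP connection" messages, classifies each by the server-side port, and flags any teardown whose reason is not a clean "TCP FINs" exchange. The sample lines are constructed copies of the poster's messages, and the passive range is an assumption taken from the follow-up post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the three PIX messages quoted in the post
# (addresses anonymised exactly as the poster did). Not captured log data.
SAMPLE_LOG = """\
Built inbound TCP connection 915578 for outside:xx.xx.xx.xx/50601 (xx.xx.xx.xx/50601) to dmz:10.10.10.20/5512 (10.10.10.20/5512)
Teardown TCP connection 915578 for outside:xx.xx.xx.xx/50601 to dmz:10.10.10.20/5512 duration 0:00:01 bytes 20867 TCP FINs
Teardown TCP connection 914797 for outside:xx.xx.xx.xx/50765 to dmz:10.10.10.20/21 duration 0:37:20 bytes 686 FIN Timeout
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

FTP_CONTROL_PORT = 21
# Passive data range the poster says the IIS FTP server uses (assumption from the thread).
PASSIVE_RANGE = range(5500, 5701)
# The one teardown reason that means both sides closed the connection cleanly.
CLEAN_CLOSE = "TCP FINs"


@dataclass
class Teardown:
    conn_id: int
    src: str
    sport: int
    dst: str
    dport: int
    duration_s: int
    byte_count: int
    reason: str

    def channel(self) -> str:
        """Classify by the server-side port: FTP control, passive data, or other."""
        if self.dport == FTP_CONTROL_PORT:
            return "ftp-control"
        if self.dport in PASSIVE_RANGE:
            return "ftp-passive-data"
        return "other"


def parse_duration(text: str) -> int:
    """Convert the PIX h:mm:ss duration field to whole seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_teardowns(log_text: str) -> list:
    """Extract every 'Teardown TCP connection' message; 'Built' lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        found.append(Teardown(
            conn_id=int(m["conn"]),
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            duration_s=parse_duration(m["dur"]),
            byte_count=int(m["bytes"]),
            reason=m["reason"],
        ))
    return found


def unclean_closes(teardowns: list) -> list:
    """Teardowns whose reason is not a clean FIN/FIN exchange (e.g. 'FIN Timeout')."""
    return [t for t in teardowns if t.reason != CLEAN_CLOSE]


def summarize(teardowns: list) -> dict:
    """Count teardowns per (channel, reason) so a pattern stands out in a large log."""
    counts = {}
    for t in teardowns:
        key = (t.channel(), t.reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    tds = parse_teardowns(SAMPLE_LOG)
    for t in tds:
        print(f"conn {t.conn_id}: {t.channel():17s} {t.duration_s:5d}s "
              f"{t.byte_count:6d} bytes  {t.reason}")
    print("unclean:", [t.conn_id for t in unclean_closes(tds)])
    print("summary:", summarize(tds))
```

Run against a full day of syslog from the PIX, the summary makes it easy to see whether "FIN Timeout" is confined to the FTP control channel or also hits the passive data ports, which is the first thing to establish before touching the fixup.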
|
Posted by Private on August 26, 2005, 6:43 pm

kevin@allgraniteandmarble.com wrote:
that we can look. The "FIN Timeout" is a normal function if there is no ACK received (FIN Timeout: force termination after 15 seconds awaiting the last ACK). Are you using FTP fixup? And what version are you using?
|
Posted by on August 27, 2005, 4:22 am

That's my config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pixfirewall
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
access-list dmz-zone permit tcp any host 10.10.10.20 eq www
access-list dmz-zone permit tcp any host 10.10.10.20 eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.10.10.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.100.11-192.168.100.50
global (outside) 1 192.168.100.10
global (dmz) 1 10.10.10.50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,inside) tcp 10.10.10.20 www netmask 255.255.255.255 0 0
static (dmz,outside) 10.10.10.20 10.10.10.20 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.100 192.168.1.100 netmask 255.255.255.255 0 0
access-group dmz-zone in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 1:00:00 absolute uauth 1:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80

The Ftp service is on the standard port 21; active works fine, but passive is being disconnected after 1 minute. I setup passive ftp to work on ports 5500-5700. Do I have to setup those ports in the configuration?
Thank you
|
Posted by Private on August 27, 2005, 7:22 pm

kevin@allgraniteandmarble.com wrote:
> That's my config:
> Ftp service is on standard port 21- active works fine but passive is
> being disconnected after 1 minute. I setup passive ftp to work on ports
> 5500-5700.
> Do I have to setup those ports in configuration?
> Thank you

I am thinking that the Fixup protocol for Ftp might be causing the issue. If you can, try to either disable the fixup for this or add the ports to the fixup for FTP.
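Both suggestions in the reply (turn the FTP fixup off, or widen it) change what the firewall does with the passive data ports, so it is worth checking the posted configuration for two facts before trying either: which control-channel ports the FTP fixup inspects, and whether the 5500-5700 range has any explicit permit in the access-list applied inbound on the outside interface. The following Python is an added example, not from the thread or from Cisco: it reads the relevant statements of the configuration as posted and reports those facts. The server address and the passive range are assumptions taken from the poster's own text; the service-name-to-port table covers only the keywords used in this configuration.

```python
import re

# Excerpt of the PIX 6.3(3) configuration as posted in the thread; only the
# statements this audit reads are kept. The passive range is the one the
# poster says the FTP server uses, not something found in the config.
PIX_CONFIG = """\
PIX Version 6.3(3)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
access-list dmz-zone permit tcp any host 10.10.10.20 eq www
access-list dmz-zone permit tcp any host 10.10.10.20 eq ftp
static (dmz,outside) 10.10.10.20 10.10.10.20 netmask 255.255.255.255 0 0
access-group dmz-zone in interface outside
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 rpc 0:10:00 h225 1:00:00
"""

FTP_SERVER = "10.10.10.20"          # DMZ host from the posted config
PASSIVE_PORTS = range(5500, 5701)   # range stated by the poster (assumption)
FTP_CONTROL_PORT = 21

# Service keywords PIX accepts in place of a port number, for the ones used here.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "http": 80}

FIXUP_FTP_RE = re.compile(r"^fixup protocol ftp(?: strict)? (\d+)(?:-(\d+))?\s*$", re.M)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp .* host (?P<host>\S+) "
    r"(?P<op>eq|range) (?P<a>\S+)(?: (?P<b>\S+))?\s*$", re.M)
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)\s*$", re.M)
CONN_TIMEOUT_RE = re.compile(r"^timeout conn (\d+:\d{2}:\d{2})", re.M)


def to_port(token: str) -> int:
    """Accept either a numeric port or one of the service keywords above."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def ftp_fixup_ports(config: str) -> set:
    """Control-channel ports the FTP fixup inspects (a fixup line may give a range)."""
    ports = set()
    for lo, hi in FIXUP_FTP_RE.findall(config):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def inbound_acl_for(config: str, interface: str):
    """Name of the access-list applied inbound on the given interface, or None."""
    for name, iface in ACCESS_GROUP_RE.findall(config):
        if iface == interface:
            return name
    return None


def permitted_tcp_ports(config: str, acl_name: str, host: str) -> set:
    """TCP destination ports the named ACL explicitly permits to one host."""
    ports = set()
    for m in ACL_RE.finditer(config):
        if m["name"] != acl_name or m["host"] != host:
            continue
        if m["op"] == "eq":
            ports.add(to_port(m["a"]))
        else:
            ports.update(range(to_port(m["a"]), to_port(m["b"]) + 1))
    return ports


def audit(config: str, server: str, passive_ports: range) -> dict:
    """Summarise what the config says about FTP to one DMZ server from outside."""
    acl = inbound_acl_for(config, "outside")
    permitted = permitted_tcp_ports(config, acl, server) if acl else set()
    fixup = ftp_fixup_ports(config)
    timeout = CONN_TIMEOUT_RE.search(config)
    return {
        "outside_acl": acl,
        "ftp_fixup_ports": sorted(fixup),
        "permitted_ports": sorted(permitted),
        # Only True if every passive data port has an explicit permit; that is
        # what the data channel would rely on if the FTP fixup were turned off.
        "passive_explicitly_permitted": all(p in permitted for p in passive_ports),
        "ftp_control_inspected": FTP_CONTROL_PORT in fixup,
        "conn_timeout": timeout.group(1) if timeout else None,
    }


if __name__ == "__main__":
    for key, value in audit(PIX_CONFIG, FTP_SERVER, PASSIVE_PORTS).items():
        print(f"{key:30s} {value}")
```

On the posted configuration the audit reports that the fixup inspects port 21 only, that the outside ACL permits just ports 21 and 80 to the server, and that none of the 5500-5700 range is explicitly permitted; so disabling the fixup without also adding a permit for that range would leave the passive data channel with no rule that admits it.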