FIN Timeout

Hi, I have a problem with a Cisco PIX 515E firewall. I set up an FTP service in the DMZ zone on a Windows 2003 Server. Clients can connect to the FTP service from the Internet, but when a client is working in passive mode it is disconnected after about 1 minute of inactivity. On IIS the inactivity timeout is set to 3600 seconds, and when I connect from the internal side everything is fine, so I think it's a firewall problem. In the firewall log I have this:

Built inbound TCP connection 915578 for outside:xx.xx.xx.xx/50601 (xx.xx.xx.xx/50601) to dmz:10.10.10.20/5512 (10.10.10.20/5512)

Teardown TCP connection 915578 for outside:xx.xx.xx.xx/50601 to dmz:10.10.10.20/5512 duration 0:00:01 bytes 20867 TCP FINs

Teardown TCP connection 914797 for outside:xx.xx.xx.xx/50765 to dmz:10.10.10.20/21 duration 0:37:20 bytes 686 FIN Timeout

Do I have something wrong with the configuration?

Thank you for your help, Kevin

kevin

Can you mask your real IP addresses in the configuration and post it so that we can look? The "FIN Timeout" is a normal function if no ACK is received (FIN Timeout: force termination after 15 seconds awaiting the last ACK). Are you using FTP fixup, and what version are you using?

Private

That's my config:

PIX Version 6.3(3)

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pixfirewall
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
access-list dmz-zone permit tcp any host 10.10.10.20 eq www
access-list dmz-zone permit tcp any host 10.10.10.20 eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.10.10.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.100.11-192.168.100.50
global (outside) 1 192.168.100.10
global (dmz) 1 10.10.10.50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,inside) tcp 10.10.10.20 www netmask 255.255.255.255 0 0
static (dmz,outside) 10.10.10.20 10.10.10.20 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.100 192.168.1.100 netmask 255.255.255.255 0 0
access-group dmz-zone in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 1:00:00 absolute uauth 1:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80

The FTP service is on the standard port 21. Active mode works fine, but passive mode is disconnected after 1 minute. I set up passive FTP to work on ports 5500-5700. Do I have to set up those ports in the configuration? Thank you
kevin

I am thinking that the fixup protocol for FTP might be causing the issue. If you can, try either disabling the fixup for this or adding the ports to the fixup for FTP.

Private
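Added example (editor's, not part of the thread and not the poster's configuration): what the two options in the reply above look like in PIX 6.3 syntax, using the interface names, ACL name, server address and passive range (5500-5700) from the posted config. Two things in the posted log are worth checking against this before changing anything: the inbound connection to 10.10.10.20/5512 was built even though dmz-zone permits only ftp and www, which is the fixup opening the passive data channel, and that connection closed after one second with "TCP FINs", a normal close; the control session that ended in "FIN Timeout" lasted 0:37:20, well inside the configured idle timeout of "timeout conn 1:00:00". Neither line shows the PIX killing an idle connection after one minute, so the log excerpt alone does not confirm a firewall timeout.

```cisco
! Added example: two alternatives for passive FTP to the DMZ server on PIX 6.3.
! Apply one or the other, not both. Names and addresses come from the posted
! config; nothing here is output from the poster's firewall.

! --- Option 1: keep the FTP fixup (what the posted config already does) ---
! The fixup watches the control channel on port 21, reads the PASV reply and
! opens the data connection for that session only, so the outside ACL needs
! just the control port. The static (dmz,outside) for 10.10.10.20 is an
! identity mapping, so the address in the PASV reply needs no rewriting;
! with a real NAT translation the fixup would be doing that rewrite as well.
fixup protocol ftp 21
access-list dmz-zone permit tcp any host 10.10.10.20 eq ftp
access-group dmz-zone in interface outside
! Check from enable mode: the active fixups, and the live connection table
! while a passive transfer is running (the data connection should appear
! alongside the port 21 control connection).
! show fixup
! show conn

! --- Option 2: disable the fixup and permit the passive range statically ---
! Without the fixup the PIX no longer follows PASV, so every inbound data
! connection must be allowed by the ACL on its own. The trade-off is that
! 201 ports stay permanently open to the server instead of per-session
! pinholes, and the PIX stops checking the FTP control channel.
no fixup protocol ftp 21
access-list dmz-zone permit tcp any host 10.10.10.20 eq ftp
access-list dmz-zone permit tcp any host 10.10.10.20 range 5500 5700
access-group dmz-zone in interface outside
```

With option 2 the server must still advertise an address in its PASV reply that the client can reach, because the PIX no longer rewrites it; with the identity static in the posted config that is already the case. With option 1 no change to the ACL is needed for the data ports, which matches the log line showing port 5512 being built.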
