Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nikolaos_Liakop
Explorer

TCP Connection drops after a while on a IBM AS/400

We have an issue regarding a specific connection on a S2S VPN between a CP cluster and Cisco ASA.
Specifically, whilst the tunnel poses no issues and everything seems to be fine, an IBM AS/400 server is behind the CP and the clients accessing it are behind the ASA.
The clients complain that the sessions all of a sudden close after an arbitrary amount of time.
I have proceeded with creating a new telnet service with the following characteristics, but the issue seems to still occur.

new_telnet.png

Any ideas ?

Regards

0 Kudos
4 Replies
Alex-
Advisor
Advisor

Check your IPS if you run it and core protections. I had AS/400 connections blocked because Telnet is considered insecure and blocked by this blade and needed to configure exceptions.

Also, there's obviously the ASA side which might not match your protocol definitions.

 

0 Kudos
Nikolaos_Liakop
Explorer

It is not an IPS issue.

The connection gets established.

However after some arbitrary time the connections gets droppped and they need to relogin...

Protocol is telnet

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Arbitrary like when the firewall policy is installed or when a rekey occurs for the VPN?

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Champion
Champion

As Chris said this is probably related to the VPN more than the basic session timeouts, but try enabling TCP state logging to obtain more details about how and why your telnet connections are being terminated: 

sk101221: TCP state logging

Is there some particular reason you are not synchronizing the telnet sessions across the cluster members?  If deployed as shown in your screenshot a failover will cause all of the currently open telnet sessions to be killed on the newly active member.

Also note that the TCP connection timeout can now be increased well beyond 86400 seconds if you have the latest Jumbo HFA: sk168872: Virtual session timeout for a TCP Service (86400 seconds) is not long enough for a specifi...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events