THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
| Affected OS Type | Affected Software Product | Affected Release Number |
|---|---|---|
| | Firepower Threat Defense (FTD) Software | 7.0.0, 184.108.40.206, 7.0.1, 220.127.116.11 |
TCP connections are cleared after configured idle-timeout even though traffic is present
For some versions of Firepower software, active TCP connections can be unexpectedly disconnected after the default idle timeout period of one hour.
The issue can occur under any of these conditions:
- The Secure Socket Layer (SSL) policy is configured with one or more decryption rules.
- The Transport Layer Security (TLS) server identity discovery/early application detection and URL categorization is enabled in the advanced section of the access control policy.
- The identity policy is configured with active authentication that uses the capture portal.
Active TCP connections are disconnected after the TCP default idle timeout period of one hour, even though traffic is still present.
The logs show a SYN Timeout teardown reason even for established connections that have been passing data:
Aug 13 2021 14:28:15: %FTD-6-302014: Teardown TCP connection 1823 for INSIDE:192.0.2.50/56154 to OUTSIDE:198.51.100.2/22 duration 1:00:01 bytes 6500 SYN Timeout
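Added example, not part of the field notice: a small Python parser that scans FTD syslog 302014 teardown messages for the symptom described above (a SYN Timeout teardown on a connection that lasted the full one-hour idle timeout and carried data, rather than a genuine half-open connection timing out after a few seconds). The sample log lines are constructed, and the regex covers the message format as it appears on this notice.

```python
import re
from datetime import timedelta

# Regex for the %FTD-6-302014 TCP teardown message in the form shown on this notice.
TEARDOWN_RE = re.compile(
    r"%FTD-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_duration(text):
    """Convert the h:mm:ss duration field into a timedelta."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def suspicious_teardowns(lines, idle_timeout=timedelta(hours=1)):
    """Return teardown records matching the symptom in this notice: reason 'SYN Timeout'
    on a connection that lived at least the idle timeout and moved at least one byte.
    A real half-open SYN timeout fires after seconds with zero bytes, so it is excluded."""
    hits = []
    for line in lines:
        match = TEARDOWN_RE.search(line)
        if not match:
            continue
        duration = parse_duration(match["dur"])
        nbytes = int(match["bytes"])
        if match["reason"] == "SYN Timeout" and duration >= idle_timeout and nbytes > 0:
            hits.append({
                "conn": int(match["conn"]),
                "src": f'{match["src"]}:{match["sport"]}',
                "dst": f'{match["dst"]}:{match["dport"]}',
                "duration": duration,
                "bytes": nbytes,
            })
    return hits


# Constructed sample lines: the notice's example, a genuine half-open SYN timeout,
# and a normal teardown by TCP FINs on a long-lived connection.
SAMPLE_LOGS = [
    "Aug 13 2021 14:28:15: %FTD-6-302014: Teardown TCP connection 1823 for INSIDE:192.0.2.50/56154 to OUTSIDE:198.51.100.2/22 duration 1:00:01 bytes 6500 SYN Timeout",
    "Aug 13 2021 14:28:20: %FTD-6-302014: Teardown TCP connection 1824 for INSIDE:192.0.2.51/40000 to OUTSIDE:198.51.100.3/443 duration 0:00:30 bytes 0 SYN Timeout",
    "Aug 13 2021 14:28:25: %FTD-6-302014: Teardown TCP connection 1825 for INSIDE:192.0.2.52/40001 to OUTSIDE:198.51.100.4/443 duration 1:00:00 bytes 12000 TCP FINs",
]

if __name__ == "__main__":
    for hit in suspicious_teardowns(SAMPLE_LOGS):
        print(hit)
```

Feed the function the syslog lines from the FTD device (or your SIEM export); any hits on an affected 7.0.x release are the symptom this notice describes.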
Cisco recommends that you upgrade to Firepower software version 7.0.2 or later in order to resolve the TCP connection issue.
Updated software versions that address this issue are available from the Cisco Software Download Center for your device.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.