Field Notice: FN - 72385 - Firepower Software: TCP Connections Disconnect When Idle Timeout is Configured - Software Upgrade Recommended

Available Languages

Updated:August 16, 2022

Document ID:FN72385

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	09-Aug-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Firepower Threat Defense (FTD) Software	7.0	7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1

Defect Information

Defect ID	Headline
CSCvz55395	TCP connections are cleared after configured idle-timeout even though traffic is present

Problem Description

For some versions of Firepower software, active TCP connections can be unexpectedly disconnected after the default idle timeout period of one hour.

Background

The issue can occur during one of the conditions shown here:

The Secure Socket Layer (SSL) policy is configured with one or more decryption rules.
The Transport Layer Security (TLS) server identity discovery/early application detection and URL categorization is enabled in the advanced section of the access control policy.
The identity policy is configured with active authentication that uses the capture portal.

Problem Symptom

Active TCP connections are disconnected after the TCP default idle timeout period of one hour, even though traffic is still present.

The logs will show SYN timeout even for established connections:

Aug 13 2021 14:28:15: %FTD-6-302014: Teardown TCP connection 1823 for INSIDE:192.0.2.50/56154 to OUTSIDE:198.51.100.2/22 duration 1:00:01 bytes 6500 SYN Timeout

Workaround/Solution

Cisco recommends for you to upgrade to Firepower software version 7.0.2 or later in order to resolve the TCP connection issue.

Updated software versions that address this issue are available from the Cisco Software Download Center for your device.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)