UDP and CBAC

Unlike TCP, UDP is a connectionless protocol, so CBAC's generic UDP inspection cannot detect when a client's request has been answered. Instead, generic UDP inspection creates a channel as soon as it recognizes the first request packet from the client, and keeps that channel open until no traffic has been seen between the client and the server for a set idle time. This approximates session maintenance. To turn on UDP inspection, use the ip inspect myfw UDP command in global configuration mode (myfw is the name of the inspection rule). Although this approximation of UDP connections works most of the time, it may fail in either of the following two ways:

  • It can keep the channel open for too long, which may use the router's memory unnecessarily.

  • It may close the channel too soon. If the client and server do not communicate for a long time and the UDP timeout value elapses, CBAC closes the channel, even though the application may not be finished with the conversation.
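The idle-timeout behaviour described above, and both of its failure modes, can be seen in a small stateful model. The following Python is an added example, not Cisco's implementation and not code from this text: it tracks one channel per client-to-server UDP flow, creates the channel on the first outbound packet, permits return traffic only while the channel is open, refreshes the idle timer on every packet in either direction, and expires the channel once the idle timeout has elapsed. The Flow and UdpInspector names, the 30-second idle timeout and the packet trace are all constructed for the example.

```python
"""Toy model of CBAC-style generic UDP inspection (idle-timeout channels).

Added example, not Cisco IOS code. Times are in seconds; the trace and the
30-second idle timeout are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP conversation, identified by its 4-tuple."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The return direction (server -> client) of this flow."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class UdpInspector:
    """Keeps a channel table keyed by the client->server flow."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.channels: dict[Flow, float] = {}  # flow -> time of last packet

    def _expire(self, now: float) -> None:
        # Remove channels idle for at least idle_timeout seconds.
        self.channels = {
            f: last for f, last in self.channels.items()
            if now - last < self.idle_timeout
        }

    def outbound(self, flow: Flow, now: float) -> str:
        """Packet from the trusted side: always permitted, opens/refreshes channel."""
        self._expire(now)
        self.channels[flow] = now
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        """Packet from the untrusted side: permitted only if it matches an open channel."""
        self._expire(now)
        key = flow.reverse()  # the client->server flow that opened the channel
        if key in self.channels:
            self.channels[key] = now  # traffic in either direction resets the timer
            return "permit"
        return "deny"  # unsolicited, or the channel has already timed out

    def open_channels(self, now: float) -> int:
        """Number of channels still held in memory at time `now`."""
        self._expire(now)
        return len(self.channels)


def simulate(idle_timeout: float = 30.0) -> dict:
    """Run a constructed DNS-like trace and report what the model decides."""
    insp = UdpInspector(idle_timeout)
    query = Flow("10.0.0.5", 40000, "198.51.100.10", 53)   # constructed addresses
    reply = query.reverse()
    stranger = Flow("203.0.113.7", 1234, "10.0.0.5", 40000)  # never solicited

    return {
        # t=0: client sends its query; channel is created.
        "query_permitted": insp.outbound(query, 0.0),
        # t=5: server answers; the channel exists, so the reply gets in.
        "reply_permitted": insp.inbound(reply, 5.0),
        # Failure mode 1: the exchange is over at t=5, yet at t=20 the
        # channel (and its memory) is still held because the timer has not run out.
        "channels_held_after_done": insp.open_channels(20.0),
        # t=34: a late packet still arrives within the idle window (29 s since t=5).
        "late_but_in_window": insp.inbound(reply, 34.0),
        # Failure mode 2: the server goes quiet, then sends more data at t=70;
        # 36 s have elapsed since t=34, the channel is gone, the packet is dropped.
        "after_timeout": insp.inbound(reply, 70.0),
        # An unsolicited inbound packet never matches a channel.
        "unsolicited": insp.inbound(stranger, 70.0),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The model makes the trade-off concrete: the only knob is the idle timer, so raising it reduces premature closes at the cost of holding more channel state, and lowering it does the opposite. On IOS the equivalent knob for generic UDP inspection is the ip inspect udp idle-time command.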