[c-nsp] Timeout value on ASA

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue May 8 18:19:57 EDT 2012


An alternative is to use Dead Connection Detection (DCD) on the ASA to
validate if both endpoints on the idle connection are still alive, and
if so reset the idle timeout, else tear it down.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080752

Additionally, one point for Peter.  Increasing the idle conn timeout
does not require you to increase the xlate timeout.  The xlate timeout
only takes effect once all conns associated to that xlate no longer exist.

Sincerely,

David.

Peter Rathlev wrote:
> Hi Judith,
>
> On Tue, 2012-05-08 at 19:16 +0000, Judith Sanders wrote:
>   
>> I have a Cisco ASA5520-I have an established VPN with a third party
>> vendor. We are running applications over this tunnel and experiencing
>> timeouts. The tunnel never drops, just the application. I know that
>> there are default timeouts set on the ASA for certain protocols, but
>> if the tunnel is established, would it not be an application issue and
>> not a firewall/VPN timeout issue?
>>     
>
> The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with
> RFC 5782 "NAT Behavioral Requirements for TCP", a BCP. It specifies that
> the timeout "MUST NOT be less than 2 hours 4 minutes". Use "timeout conn
> 2:04:00" on the ASA to adjust. You might also want to consider adjusting
> the "timeout xlate" upwards at the same time.
>
> Informational level debugging can tell you if and why the ASA has torn
> down a session; the "ASA-6-302014" message ("Teardown TCP ...") states
> the specific reason. Look for "Conn-timeout", meaning that the TCP
> connection has been idle for too long and is therefore closed.
>
> Even with a 2:04:00 timeout you still need to convince the application
> developers to actually use TCP Keep-Alives. We have been forced to apply
> a 24 hour timeout for certain connections because the developers
> couldn't/wouldn't use Keep-Alives. A policy-map can select just the
> right connections, so you avoid a long timeout for every connection
> through the ASA.
>
>   

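As an added example (not part of the thread or Cisco's own tooling), the script below applies Peter's advice on detection: it parses "%ASA-6-302014" teardown messages from syslog and separates the connections the ASA closed with reason "Conn-timeout" from those closed by the endpoints themselves. The exact message layout and the sample log lines are constructed assumptions, not taken from the thread.

```python
import re
from collections import Counter

# Assumed layout of the %ASA-6-302014 teardown message (the thread only
# names the message ID and the "Conn-timeout" reason; the rest is assumed).
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\S+):(?P<src>\S+)(?: \(\S+\))? "
    r"to (?P<dst_if>\S+):(?P<dst>\S+)(?: \(\S+\))? "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)

def parse_teardown(line):
    """Return a dict for a 302014 line, or None for any other message."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["duration_s"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + int(d.pop("s"))
    d["reason"] = (d["reason"] or "").strip()
    return d

def idle_timeout_teardowns(lines):
    """Connections the ASA itself closed for idleness (reason Conn-timeout)."""
    return [t for t in map(parse_teardown, lines) if t and t["reason"] == "Conn-timeout"]

def reason_counts(lines):
    """Teardown reasons seen, e.g. to compare Conn-timeout against TCP FINs."""
    return Counter(t["reason"] for t in map(parse_teardown, lines) if t)

# Constructed sample syslog lines using documentation address ranges.
SAMPLE = [
    "%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.5/1433 (203.0.113.5/1433) to inside:10.1.1.10/51234 (192.0.2.1/51234)",
    "%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.5/1433 to inside:10.1.1.10/51234 duration 1:00:02 bytes 8192 Conn-timeout",
    "%ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.5/443 to inside:10.1.1.11/51235 duration 0:00:07 bytes 1024 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 103 for outside:203.0.113.5/1433 (203.0.113.5/1433) to inside:10.1.1.12/51236 (192.0.2.1/51236) duration 2:04:01 bytes 512 Conn-timeout",
]

if __name__ == "__main__":
    for t in idle_timeout_teardowns(SAMPLE):
        print(f"conn {t['conn']} {t['src']} -> {t['dst']} idle-closed after {t['duration_s']}s")
    print(dict(reason_counts(SAMPLE)))
```

A Conn-timeout teardown with a duration just past the configured "timeout conn" value is the signature of the idle-timeout case Peter describes, whereas "TCP FINs" means the application ended the session itself.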
