[c-nsp] Timeout value on ASA

Peter Rathlev peter at rathlev.dk
Tue May 8 18:01:13 EDT 2012


Hi Judith,

On Tue, 2012-05-08 at 19:16 +0000, Judith Sanders wrote:
> I have a Cisco ASA5520-I have an established VPN with a third party
> vendor. We are running applications over this tunnel and experiencing
> timeouts. The tunnel never drops, just the application. I know that
> there are default timeouts set on the ASA for certain protocols, but
> if the tunnel is established, would it not be an application issue and
> not a firewall/VPN timeout issue?

The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with
RFC 5782 "NAT Behavioral Requirements for TCP", a BCP. It specifies that
the timeout "MUST NOT be less than 2 hours 4 minutes". Use "timeout conn
2:04:00" on the ASA to adjust. You might also want to consider adjusting
the "timeout xlate" upwards at the same time.

Informational level debugging can tell you if and why the ASA has torn
down a session; the "ASA-6-302014" message ("Teardown TCP ...") states
the specific reason. Look for "Conn-timeout", meaning that the TCP
connection has been idle for too long and is therefore closed.

Even with a 2:04:00 timeout you still need to convince the application
developers to actually use TCP Keep-Alives. We have been forced to apply
a 24 hour timeout for certain connections because the developers
couldn't/wouldn't use Keep-Alives. A policy-map can select just the
right connections, so you avoid a long timeout for every connection
through the ASA.

-- 
Peter
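An added example, not part of the original post: a small Python parser for the ASA-6-302014 "Teardown TCP" syslog lines Peter refers to, which picks out the "Conn-timeout" teardowns and tallies which remote address/port they hit, so the affected application can be identified before the timeout is raised. The log lines are constructed samples; the field layout follows the 302014 message format, and the optional mapped-address parentheses are tolerated.

```python
import re
from collections import Counter

# Constructed sample syslog output; not taken from any real ASA.
SAMPLE_LOGS = """\
%ASA-6-302014: Teardown TCP connection 41871 for outside:203.0.113.10/1521 to inside:192.0.2.25/49312 duration 1:00:02 bytes 18422 Conn-timeout
%ASA-6-302014: Teardown TCP connection 41880 for outside:203.0.113.10/443 to inside:192.0.2.31/50211 duration 0:02:11 bytes 9021 TCP FINs
%ASA-6-302014: Teardown TCP connection 41902 for outside:203.0.113.10/1521 (203.0.113.10/1521) to inside:192.0.2.25/49330 (198.51.100.5/49330) duration 1:00:01 bytes 7730 Conn-timeout
%ASA-6-302013: Built outbound TCP connection 41950 for outside:203.0.113.10/1521 to inside:192.0.2.25/49401
"""

# One endpoint: interface:address/port, optionally followed by "(mapped/port)".
_EP = r"(?P<{p}_if>\w+):(?P<{p}>[\d.]+)/(?P<{p}_port>\d+)(?:\s\([^)]+\))?"

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    + _EP.format(p="src") + r" to " + _EP.format(p="dst")
    + r" duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
    + r"(?: (?P<reason>.+))?$"
)


def parse_teardowns(text):
    """Return one dict per 302014 line; other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)  # search: a syslog timestamp/host prefix is fine
        if not m:
            continue
        d = m.groupdict()
        d["duration_s"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
        d["reason"] = (d["reason"] or "").strip()  # reason is optional in the message
        events.append(d)
    return events


def reason_summary(events):
    """How many teardowns per reason (Conn-timeout, TCP FINs, TCP Reset-O, ...)."""
    return Counter(e["reason"] for e in events)


def conn_timeout_by_service(events):
    """Conn-timeout teardowns counted per remote address/port, i.e. per application."""
    hits = Counter()
    for e in events:
        if e["reason"] == "Conn-timeout":
            hits["%s/%s" % (e["src"], e["src_port"])] += 1
    return hits


if __name__ == "__main__":
    ev = parse_teardowns(SAMPLE_LOGS)
    print(reason_summary(ev))
    print(conn_timeout_by_service(ev))
```

Since the reported duration is the whole connection lifetime, a Conn-timeout duration close to the configured "timeout conn" value means the flow sat idle essentially from the start.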