[c-nsp] Timeout value on ASA

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Wed May 9 14:27:44 EDT 2012


Hi Judith,

A timeout of all zeros means 'do not timeout' - or infinite timeout.

Sincerely,

David.

Judith Sanders wrote:
>
> Here is an output from my ASA- this is part of my tunnel that the
> applications timeout thru...
>
> I see that they have been idle for four plus hours and the timeout is
> all 0 - does this mean no timeout? Or does this just mean default to the
> 3 hour timeout?
>
>  
>
> NAT from inside:172.16.1.201 to outside:64.250.19x.xx
>
>     flags s idle 4:23:07 timeout 0:00:00
>
> NAT from inside:172.16.1.202 to outside:64.250.19x.xxx
>
>     flags s idle 4:05:15 timeout 0:00:00
>
> NAT from any:172.16.3.131 to any:64.250.19x.xxx
>
>     flags s idle 0:25:16 timeout 0:00:00
>
> NAT from inside:172.17.22.121 to outside:64.250.19x.xxx
>
>     flags s idle 4:12:58 timeout 0:00:00
>
> NAT from inside:172.17.23.121 to outside:64.250.19x.xx
>
>     flags s idle 4:21:48 timeout 0:00:00
>
>  
>
> Judith Sanders
>
> Pioneer Telephone
>
> Inside Plant Networking Services
>
> jasanders at ptci.com 405.375.0645
>
> "Our lives change when our habits change."
>
>      Matthew Kelly
>
>  
>
>  
>
> From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
> Sent: Wednesday, May 09, 2012 12:51 PM
> To: Antonio Soares
> Cc: 'Peter Rathlev'; Judith Sanders; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Timeout value on ASA
>
>  
>
> Hi Antonio,
>
> The first output is showing "PATed" connections - or ones which have
> been Port Address Translated.  In this case, the xlate timeout is
> hard-coded to 30 seconds, and is not user configurable.
>
> If instead you look at "NATed" connections, you will see the timeout
> would be set to the user-configured value - 3 hours in your case.
>
> Hope that helps explain it.
>
> Sincerely,
>
> David.
>
> Antonio Soares wrote:
>
> Hi David,
>  
> Can you elaborate a little more about the xlate timeout, it's something I
> never understood very well. For example, taking this output as an example:
>  
> ASA# sh xlate
> 2 in use, 229 most used
> Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
> UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30
> TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30
>  
> Why do we see 30 seconds as the timeout? By default it's 3 hours:
>  
> ASA# sh runn timeout
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> timeout tcp-proxy-reassembly 0:01:00
> timeout floating-conn 0:00:00
> ASA#
>  
> timeout xlate:
>  
> Configure idle time after which a dynamic address will be returned to the
> free pool, default is 3:00:00
>  
> The output above was taken from an ASA. For example, this FWSM reflects the
> timeout correctly as configured globally (25 minutes):
>  
> FWSM# sh xlate debug
> Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
>        o - outside, r - portmap, s - static
> 45 in use, 281 most used
> NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1
> NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0
> NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6
>  
> This debug option is not available on the ASA.
>  
>  
> Thanks.
>  
> Regards,
>  
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
> http://www.ccie18473.net
>  
>  
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David White, Jr. (dwhitejr)
> Sent: Tuesday, 8 May 2012 23:20
> To: Peter Rathlev; Judith Sanders
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Timeout value on ASA
>  
> An alternative is to use Dead Connection Detection (DCD) on the ASA to
> validate if both endpoints on the idle connection are still alive, and if so
> reset the idle timeout, else tear it down.
>  
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080752
>  
> Additionally, one point for Peter.  Increasing the idle conn timeout does
> not require you to increase the xlate timeout.  The xlate timeout only takes
> effect once all conns associated to that xlate no longer exist.
>  
> Sincerely,
>  
> David.
>  
> Peter Rathlev wrote:
>
>     Hi Judith,
>
>     On Tue, 2012-05-08 at 19:16 +0000, Judith Sanders wrote:
>
>         I have a Cisco ASA5520 - I have an established VPN with a third party
>         vendor. We are running applications over this tunnel and experiencing
>         timeouts. The tunnel never drops, just the application. I know that
>         there are default timeouts set on the ASA for certain protocols, but
>         if the tunnel is established, would it not be an application issue
>         and not a firewall/VPN timeout issue?
>
>     The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with
>     RFC 5782 "NAT Behavioral Requirements for TCP", a BCP. It specifies
>     that the timeout "MUST NOT be less than 2 hours 4 minutes". Use
>     "timeout conn 2:04:00" on the ASA to adjust. You might also want to
>     consider adjusting the "timeout xlate" upwards at the same time.
>
>     Informational level debugging can tell you if and why the ASA has
>     torn down a session; the "ASA-6-302014" message ("Teardown TCP ...")
>     states the specific reason. Look for "Conn-timeout", meaning that the
>     TCP connection has been idle for too long and is therefore closed.
>
>     Even with a 2:04:00 timeout you still need to convince the application
>     developers to actually use TCP Keep-Alives. We have been forced to
>     apply a 24 hour timeout for certain connections because the developers
>     couldn't/wouldn't use Keep-Alives. A policy-map can select just the
>     right connections, so you avoid a long timeout for every connection
>     through the ASA.
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
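As an added example (not code from this thread, from Cisco, or from the list), here is a small Python scan of %ASA-6-302014 "Teardown TCP connection" syslog lines that counts the teardown reasons Peter mentions and lists the connections the ASA closed with "Conn-timeout", keyed by the first endpoint's interface and port so you can see which service ports a policy-map class would need to match before raising "timeout conn" only for them. The log lines are constructed; the message layout follows the Cisco-documented format, and the field names in the regex are this example's own.

```python
import re
from collections import Counter

# Layout of the %ASA-6-302014 message as Cisco documents it; the optional
# trailing reason ("Conn-timeout", "TCP FINs", ...) is what Peter says to look for.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) "
    r"for (?P<if_a>[^:\s]+):(?P<host_a>[^/\s]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[^:\s]+):(?P<host_b>[^/\s]+)/(?P<port_b>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?\s*$"
)

# Constructed sample syslog lines (not from the thread). Outside hosts use the
# RFC 5737 documentation range; inside hosts are those in Judith's xlate output.
SAMPLE_LOG = """\
May  9 14:01:02 asa %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/8443 to inside:172.16.1.201/50112 duration 1:00:03 bytes 2048 Conn-timeout
May  9 14:01:05 asa %ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.10/8443 to inside:172.16.1.202/50113 duration 0:00:41 bytes 9000 TCP FINs
May  9 14:02:10 asa %ASA-6-302014: Teardown TCP connection 4713 for outside:203.0.113.20/1521 to inside:172.17.22.121/50200 duration 1:00:02 bytes 512 Conn-timeout
May  9 14:03:00 asa %ASA-6-302013: Built outbound TCP connection 4714 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:172.16.3.131/50300 (203.0.113.30/50300)
""".splitlines()


def hms_to_seconds(hms):
    """Convert an ASA h:mm:ss duration or timeout string to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardown(line):
    """Return the fields of a 302014 line as a dict, or None for any other message."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["reason"] = (rec["reason"] or "").strip()
    rec["duration_s"] = hms_to_seconds(rec["dur"])
    return rec


def conn_timeout_report(lines):
    """Return (idle_teardowns, reason_counts, ports_idled_out); the last Counter
    keys on 'interface:port' of the message's first endpoint (the server side for
    the outbound flows in the sample), i.e. what a policy-map class would match."""
    idle, reasons, ports = [], Counter(), Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        reasons[rec["reason"] or "(no reason)"] += 1
        if rec["reason"] == "Conn-timeout":
            idle.append(rec)
            ports[f"{rec['if_a']}:{rec['port_a']}"] += 1
    return idle, reasons, ports
```

Feed it the output of `show logging` (or a syslog collector export) at informational level; a duration just past the configured "timeout conn" on every Conn-timeout entry is the signature of an application that never sends keep-alives.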

