Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5619
Views
0
Helpful
0
Comments

How to drop idle connections and free up PIX Firewall resources

TCC_2
Level 10
Level 10

‎06-22-2009 04:38 PM - edited ‎03-08-2019 06:17 PM

Core issue

Resolution

The timeout command on the PIX Firewall sets the idle time for connection, translation, User Datagram Protocol (UDP), Remote-Procedure Call (RPC), and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool.

Issuing the clear    xlate command clears the contents of the translation slots. (xlate means    translation slot.) The show    xlate command displays the contents of only the translation slots.

Clear xlate commands remove all entries of the translation slots. If you would like to remove a specific xlate entry, issue the clear xlate local x.x.x.x or clear xlate global x.x.x.x commands, as shown in this example:

clear xlate [global|local ip1[-ip2] [netmask mask]] lport|gport port[-port]] [interface if1[,if2][,ifn]] [state static [,dump] [,portmap] [,norandomseq] [,identity]]

Translation slots can persist after key changes have been made. Always issue    the clear xlate command after adding, changing, or removing the aaa-server,    access-list, alias, conduit, global, nat, route, or static commands in your configuration.

This sample output shows the default timeout values on the PIX:

timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute

The timeout uauth command can be used to reauthenticate  the user after a period of inactiviy or an absolute duration.

Example:

pixfirewall(config)# timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity pixfirewall(config)# show timeout  timeout xlate 3:00:00  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00    sip 0:30:00 sip_media 0:02:00  timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

The example shows that a user would be required to reauthenticate after 4 minutes of a connection being idle and that the user would regularly authenticate every 5 minutes based on the absolute value of the timer.

If you set the inactivity timer to a duration, but the absolute timer to zero, then users are only reauthenticated after the inactivity timer elapses.

Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is less than the inactivity timer, the inactivity timer never occurs. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes; therefore, the inactivity timer will never be started.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents