Core issue
Resolution
The timeout command on the PIX Firewall sets the idle time for connection, translation, User Datagram Protocol (UDP), Remote-Procedure Call (RPC), and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool.
Issuing the clear xlate command clears the contents of the translation slots. (xlate means translation slot.) The show xlate command displays the contents of only the translation slots.
The clear xlate command removes all translation-slot entries. To remove a specific xlate entry, issue the clear xlate local x.x.x.x or clear xlate global x.x.x.x command. The full syntax is:
clear xlate [global|local ip1[-ip2] [netmask mask]] [lport|gport port[-port]] [interface if1[,if2][,ifn]] [state static [,dump] [,portmap] [,norandomseq] [,identity]]
Translation slots can persist after key changes have been made. Always issue the clear xlate command after adding, changing, or removing the aaa-server, access-list, alias, conduit, global, nat, route, or static commands in your configuration.
This sample output shows the default timeout values on the PIX:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
The timeout uauth command can be used to force a user to reauthenticate after a period of inactivity or after an absolute duration.
Example:
pixfirewall(config)# timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity
pixfirewall(config)# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity
In this example a user is required to reauthenticate after the connection has been idle for 4 minutes, and is also reauthenticated every 5 minutes regardless of activity, based on the absolute timer.
If you set the inactivity timer to a duration, but the absolute timer to zero, then users are only reauthenticated after the inactivity timer elapses.
Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is shorter than the inactivity timer, the inactivity timer never fires. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes, so the inactivity timer never gets a chance to expire.
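The following is an added example, not part of this article or of any Cisco tooling. It parses the show timeout output quoted above into seconds, flags the uauth timer relationships this article describes (absolute set to zero, or absolute shorter than inactivity), and models when a user would be reprompted under a given pair of timers so the "inactivity timer never fires" case can be seen on concrete numbers. The sample output string is a constructed copy of the values on this page, and the function names are this example's own.

```python
import re

# Constructed sample: the `show timeout` output quoted on this page, one command per line.
SAMPLE_SHOW_TIMEOUT = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity
"""

# One "<slot-name> h:mm:ss" pair, optionally followed by the uauth qualifier.
# The leading keyword "timeout" never matches because it is not followed by a time.
TOKEN_RE = re.compile(
    r"(?P<name>[a-z][a-z0-9_-]*) (?P<hms>\d+:\d+:\d+)(?: (?P<qual>absolute|inactivity))?"
)


def hms_to_seconds(hms: str) -> int:
    """Convert the PIX h:mm:ss notation to a number of seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_timeout(text: str) -> dict:
    """Map every timeout slot in `show timeout` output to its value in seconds.

    The two uauth timers get distinct keys, uauth_absolute and uauth_inactivity.
    """
    timeouts = {}
    for match in TOKEN_RE.finditer(text):
        key = match.group("name")
        if match.group("qual"):
            key = f"{key}_{match.group('qual')}"
        timeouts[key] = hms_to_seconds(match.group("hms"))
    return timeouts


def check_uauth(timeouts: dict) -> str:
    """Classify the uauth timer pair according to the rules stated in this article."""
    absolute = timeouts.get("uauth_absolute", 0)
    inactivity = timeouts.get("uauth_inactivity", 0)
    if absolute == 0 and inactivity == 0:
        return "both-zero"  # behaviour not covered by this article
    if absolute == 0:
        return "inactivity-only"  # users reprompted only after the idle period
    if inactivity == 0:
        return "absolute-only"  # the default configuration
    if absolute < inactivity:
        return "absolute-shadows-inactivity"  # the inactivity timer can never fire
    return "ok"


def next_reauth(auth_time: int, activity: list, absolute: int, inactivity: int):
    """Return (time, reason) of the next forced reauthentication, or None.

    auth_time and activity are in seconds on the same clock. The absolute timer
    expires `absolute` seconds after authentication regardless of activity; the
    inactivity timer expires `inactivity` seconds after the last activity. A
    value of 0 disables the corresponding timer.
    """
    absolute_due = auth_time + absolute if absolute > 0 else None
    inactivity_due = None
    if inactivity > 0:
        last = auth_time
        for t in sorted(activity):
            if absolute_due is not None and t >= absolute_due:
                break  # activity after the absolute expiry belongs to the next session
            if t >= last + inactivity:
                break  # the gap before t already exceeded the idle limit
            last = t
        inactivity_due = last + inactivity
    candidates = [(due, why) for due, why in ((absolute_due, "absolute"), (inactivity_due, "inactivity")) if due is not None]
    return min(candidates) if candidates else None


if __name__ == "__main__":
    parsed = parse_show_timeout(SAMPLE_SHOW_TIMEOUT)
    print(parsed)
    print("uauth check:", check_uauth(parsed))
    # The article's failure mode: absolute 10 minutes, inactivity 1 hour, user active every minute.
    print(next_reauth(0, list(range(60, 3600, 60)), 600, 3600))
```

With the page's example values (absolute 5 minutes, inactivity 4 minutes) a user who stays active is reprompted by the absolute timer at 300 s, while an idle user is reprompted by the inactivity timer at 240 s; with absolute 10 minutes and inactivity 1 hour the absolute timer always wins, which is the situation the last paragraph warns about.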