TCP timeout config

Unanswered Question
Apr 26th, 2007
User Badges:


I have to audit a PIX 515 to meet the below requirements. Can anyone please let me know what the config would look like or point me to the relevant docos to make the PIX compliant.



TCP Start Time Out must be set to 60 seconds.

TCP Session Time Out must be set to 3600 seconds.

TCP End Time Out must be set to 20 seconds.

UDP Time Out must be set to 40 seconds.

ICMP Time Out must be set to 30 seconds.

?Out of state? TCP, UDP and ICMP packets must be dropped and the associated error must be logged.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (2 ratings)
sachinraja Thu, 04/26/2007 - 19:38
User Badges:
  • Red, 2250 points or more

Hello scott,

I think you need to configure the following command to change these timeout values:

timeout {xlate | conn | udp | icmp | rpc | h225 | h323 | mgcp | mgcp-pat | sip | sip_media} hh:mm:ss

timeout uauth hh:mm:ss [absolute | inactivity]

The configuration guide describes you everything with respect to this command:

the default values are also given... hence for ex, if u want to change the tcp session timeout value to 3600 secs, u need to use,

timeout xlate 1:0:0

similarly you can tweak the values of UDP, ICMP timers,

Hope this helps.. all the best.. rate replies if found useful..


scottyd Thu, 04/26/2007 - 19:52
User Badges:

Hi Raj,

Thanks for that. I supected those commmands but I can not match up:

TCP Start Time

TCP End Time

And how do I set it to drop Out of state packets?



This what we have at present.

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

sachinraja Thu, 04/26/2007 - 20:03
User Badges:
  • Red, 2250 points or more


i'm really not sure if there are specific commands to block out of state tcp.. i thought pix does this by default.. if there are no syn messages for the tcp request, the pix will not process the request.. anyway, the pix might log it in the buffer, if you have configured... check for "logging" commands on CCO and you can find a lot of info on this. u can also direct it to a syslog server if required....

regarding tcp start/end time, no ideas mate :)



This Discussion