ACE losing state info

Answered Question
May 23rd, 2007

I'm running into a problem that I suspect is caused by the ACE timing out flow state information. We have several connections that are initiated from rservers that remain mostly idle. Is it possible to disable this feature, where connections established from behind the ACE are not maintained?


Overall Rating: 4.5 (2 ratings)
Roble Mumin Thu, 05/24/2007 - 03:19

There is a default timer of 60 minutes for TCP connections. So if your flow happens to be idle longer than that, it will get dropped. I had this situation with some frontend-to-backend flows.


You can create a TCP parameter map and adjust the TCP idle timeout value to something more suitable. I had to apply it globally in the context to make it work. The parameter map will then apply to all newly established flows, hence you have to drop the old flows to make sure the parameter gets applied.


Have a look at the config guide.


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bc5.html#wp1074289


Roble

cajalat Thu, 05/24/2007 - 03:42

Roble,


Thanks for the response. I think this resolved my issue. I configured this yesterday (after a TAC call) and so far I seem to have connections upwards of 16 hours that still show in "show conn detail".


What still troubles me is that I can't change the idle timeout on a per-protocol basis. It seems to be an all-or-nothing deal. For instance, DNS lookups that my rserver performed are still showing up in the connection table. I don't see why that should be the case for DNS, since these are short-lived transactions. Is there any way I can control the idle timeout on a more granular level, i.e. TCP vs UDP, or even on a per-port basis?


Casey

Correct Answer
Roble Mumin Thu, 05/24/2007 - 03:53

If you associate the TCP parameter map with an access-list you can be more specific/granular with the connections.

My config looks like this:

access-list TCP line 10 extended permit tcp any any

parameter-map type connection TCP_Parameter_Map
  set timeout inactivity 604800

class-map match-any TCP_TRAFFIC_CLASS
  description Match All TCP Traffic
  3 match access-list TCP

policy-map multi-match TCP-POLICY
  description Global TCP Parameter Policy
  class TCP_TRAFFIC_CLASS
    connection advanced-options TCP_Parameter_Map

service-policy input TCP-POLICY

---

So if you adjust the access-list to a dedicated host and/or port it should be okay.

Roble
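
As an added example (not from any post in this thread), here is the same pattern split into two classes so that different traffic gets different idle timeouts: a long timeout only for the rserver-initiated backend sessions, and a short one for the rserver's DNS lookups. The rserver subnet 10.1.1.0/24, the backend host 10.2.2.10 on TCP port 5432, the resolver 10.3.3.53, VLAN 200 and both timeout values are made-up placeholders; the lines starting with "!" are annotations, not ACE commands, and should be dropped before pasting.

```cisco
! Added example: per-flow idle timeouts via ACLs and connection parameter maps.
! Addresses, ports, VLAN and timeout values are placeholders, not from the thread.

! 1. Classify the traffic with ACLs, as narrowly as the flows allow
access-list RSERVER_BACKEND line 10 extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 5432
access-list RSERVER_DNS line 10 extended permit udp 10.1.1.0 255.255.255.0 host 10.3.3.53 eq 53

! 2. One connection parameter map per timeout policy (values in seconds)
parameter-map type connection LONG_IDLE_PM
  set timeout inactivity 604800
parameter-map type connection SHORT_IDLE_PM
  set timeout inactivity 30

! 3. Class maps that reference the ACLs
class-map match-any RSERVER_BACKEND_CLASS
  description rserver to backend database, mostly idle
  2 match access-list RSERVER_BACKEND
class-map match-any RSERVER_DNS_CLASS
  description rserver to DNS resolver, short-lived
  2 match access-list RSERVER_DNS

! 4. Multi-match policy: a connection takes the parameter map of the first class it matches
policy-map multi-match IDLE_TIMEOUT_POLICY
  description Per-flow idle timeouts
  class RSERVER_BACKEND_CLASS
    connection advanced-options LONG_IDLE_PM
  class RSERVER_DNS_CLASS
    connection advanced-options SHORT_IDLE_PM

! 5. Apply on the server-side VLAN interface (or at context level, as in the post above)
interface vlan 200
  service-policy input IDLE_TIMEOUT_POLICY
```

Anything not matched by either ACL keeps the context default of one hour. The parameter map is attached to a connection when it is created, so entries that already exist keep their old timeout; check the idle time per entry with "show conn detail" after the affected flows have been re-established.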

cajalat Thu, 05/24/2007 - 04:11
User Badges:

An access-list... I think this answers all of my questions. I can pick/choose any combination of IP/proto/port. What threw me off was the limited availability of options for the match statement under the class-map. I saw source-address, destination-address, and port, where port had only tcp as an option.


Thank you very much.


Casey

d-fillmore Wed, 08/06/2008 - 06:33

I have a question relating to this.

When the ACE times out an inactive TCP session, does it send a TCP reset or FIN, or does it just silently drop it and not communicate with either host about it?


Many Thanks, Dom

Syed Iftekhar Ahmed Wed, 08/06/2008 - 09:22

The RST is sent to both sides (client and server) of the connection, and the connection entries are removed from the connection table.


Syed Iftekhar Ahmed
