05-23-2007 07:19 AM
I'm running into a problem that I suspect is caused by the ACE timing out flow state information. We have several connections that are initiated from rservers that remain mostly idle. Is it possible to disable this feature where connections established from behind the ACE are not maintained?
05-24-2007 03:53 AM
If you associate the tcp-parameter map with an access-list you can be more specific/granular with the connections.
My config looks like this:
access-list TCP line 10 extended permit tcp any any
parameter-map type connection TCP_Parameter_Map
  set timeout inactivity 604800
class-map match-any TCP_TRAFFIC_CLASS
  description Match All TCP Traffic
  3 match access-list TCP
policy-map multi-match TCP-POLICY
  description Global TCP Parameter Policy
  class TCP_TRAFFIC_CLASS
    connection advanced-options TCP_Parameter_Map
service-policy input TCP-POLICY
---
So if you adjust the access-list to a dedicated host and/or port it should be okay.
Roble
05-24-2007 03:19 AM
There is a default timer of 60 minutes for TCP connections. So if your flow happens to be idle for longer than that, it will get dropped. I had this situation with some frontend to backend flows.
You can create a TCP parameter map and adjust the TCP idle timeout value to something more suitable. I had to apply it globally in the context to make it work. The parameter map will then apply to all newly established flows, hence you have to drop old flows to make sure the parameter gets applied.
Have a look at the config guide.
Roble
05-24-2007 03:42 AM
Roble,
Thanks for the response. I think this resolved my issue. I configured this yesterday (after a TAC call) and so far I seem to have connections upwards of 16 hours that still show in "show conn detail".
What still troubles me is that I can't change the idle timeout on a per-protocol basis. It seems to be an all or nothing deal. For instance, DNS lookups that my rserver performed are still showing up in the connection table. I don't see why that should be the case for DNS since these are short-lived transactions. Is there any way I can control the idle timeout on a more granular level? i.e. TCP vs UDP or even on a per-port basis?
Casey
05-24-2007 04:11 AM
An access-list...I think this answers all of my questions. I can pick/choose any combination of IP/proto/port. What threw me off was the limited availability of options for the match statement under the class-map. I saw source-address, destination address, and port where port had only tcp as an option.
Thank you very much.
Casey
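As an added illustration of the per-protocol approach discussed above (this is not a config from the thread or from Cisco; the access-list names, the port numbers 1433 and 53, the 30-second DNS timeout and the policy names are assumptions chosen for the example), the long inactivity timeout can be scoped to a single TCP application port while UDP DNS flows get a short one, both under a single multi-match policy applied globally in the context:

```text
! Long-lived idle TCP sessions from the rservers (assumed port 1433)
access-list LONG_TCP line 10 extended permit tcp any any eq 1433
! Short-lived DNS lookups the rservers perform
access-list DNS_UDP line 10 extended permit udp any any eq 53

parameter-map type connection LONG_TCP_PARAM
  set timeout inactivity 604800
parameter-map type connection DNS_PARAM
  set timeout inactivity 30

class-map match-any LONG_TCP_CLASS
  2 match access-list LONG_TCP
class-map match-any DNS_CLASS
  2 match access-list DNS_UDP

policy-map multi-match TIMEOUT-POLICY
  class LONG_TCP_CLASS
    connection advanced-options LONG_TCP_PARAM
  class DNS_CLASS
    connection advanced-options DNS_PARAM

! Applied in the context, not on one interface, so it covers all VLAN interfaces
service-policy input TIMEOUT-POLICY
```

Flows already in the connection table keep the timeout they were created with, so existing entries should be cleared (or allowed to age out) after the policy is applied, and "show conn detail" can then confirm the new idle timers per flow.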
08-06-2008 06:33 AM
I have a question relating to this.
When the ACE times out an inactive TCP session, does it send a TCP reset or FIN, or does it just silently drop it and not communicate with either host about it?
Many Thanks, Dom
08-06-2008 09:22 AM
The RST is sent to both sides (client and server) of the connection and the connection entries are removed from the connection table.
Syed Iftekhar Ahmed
08-06-2008 12:57 PM
Great - Thanks for your help