cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
637
Views
4
Helpful
7
Replies

ACE loosing state info

cajalat
Level 1
Level 1

I'm running into a problem that I suspect is caused by the ACE timing out flow state information. We have several connections that are initiated from rserver's that remain mostly idle. Is it possible to disable this feature where connections established from behind the ACE are not maintained?

1 Accepted Solution

Accepted Solutions

If you associate the tcp-parameter map with an access-list you can be more specific/granular with the connections.

My config looks like this:

access-list TCP line 10 extended permit tcp any any

parameter-map type connection TCP_Parameter_Map

set timeout inactivity 604800

class-map match-any TCP_TRAFFIC_CLASS

description Match All TCP Traffic

3 match access-list TCP

policy-map multi-match TCP-POLICY

description Global TCP Parameter Policy

class TCP_TRAFFIC_CLASS

connection advanced-options TCP_Parameter_Map

service-policy input TCP-Policy

---

So if you adjust the access-list to a dedicated host and or port it should be okay.

Roble

View solution in original post

7 Replies 7

Roble Mumin
Level 3
Level 3

There is a default timer of 60 minutes for tcp connections. So if your flow happens to be longer idle than that it will get dropped. I had this situation with some frontend to backend flows.

You can create a tcp parameter map and adjust the tcp idle timeout value to something more suitable. I had to apply it globally in the context to make it work. The parameter map then will fit to all new established flows hence you have to drop old flows to make sure the parameter gets applied.

Have a look at the config guide.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bc5.html#wp1074289

Roble

Roble,

Thanks for the response. I think this resolved my issue. I configured this yesterday (after a TAC call) and so far I seem to have connections upwards of 16 hours that still show in "show conn detail".

What still troubles me is that I can't change the idle timeout on a per protocol basis. It seems to be an all or nothing deal. For instance, DNS lookups that my rserver performed are still showing up in the connection table. I don't see why that should be the case for DNS since these are short lived transactions. Is this anyway I can control the idle timeout on a more granular level? i.e. TCP vs UDP or even on a per port basis?

Casey

If you associate the tcp-parameter map with an access-list you can be more specific/granular with the connections.

My config looks like this:

access-list TCP line 10 extended permit tcp any any

parameter-map type connection TCP_Parameter_Map

set timeout inactivity 604800

class-map match-any TCP_TRAFFIC_CLASS

description Match All TCP Traffic

3 match access-list TCP

policy-map multi-match TCP-POLICY

description Global TCP Parameter Policy

class TCP_TRAFFIC_CLASS

connection advanced-options TCP_Parameter_Map

service-policy input TCP-Policy

---

So if you adjust the access-list to a dedicated host and or port it should be okay.

Roble

An access-list...I think this answers all of my questions. I can pick/choose any combination of IP/proto/port. What threw me off was the limited availability of options for the match statement under the class-map. I saw source-address, destination address, and port where port had only tcp as an option.

Thank you very much.

Casey

I have a question realting to this.

When the ACE times out an inactive TCP session, does it send a TCP reset or fin or does it just silently drop it and not communicate with either host about it

Many Thanks, Dom

The RST is sent to both the sides(client and the server) of the connections and the connection entries are removed from the connection

table.

Syed Iftekhar Ahmed

Great - Thanks for your help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: