03-11-2008 11:52 AM - edited 03-11-2019 05:15 AM
I believe there is a default 30 min TCP idle session timeout attached to every TCP service. There are features in other firewalls to increase this timeout or set it to None. Can we do the same in PIX/FWSM also?
Could you help me with commands to verify and increase the same.
Thanks
Prashant
03-11-2008 12:06 PM
I think you are looking for the timeout command:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/t_72.html#wp1386607
sh run | inclu timeout
or
sh run timeout
03-11-2008 01:35 PM
Thanks for the good doc but this did not exactly solve my problem.
I am looking to increase service time-out.
So, let's say if I configure a new service, it should have a timeout of 300 min (5 hrs), instead of the default timeout of 30 min.
Not sure which command can help me do this.
Thanks
Prashant
03-11-2008 02:12 PM
Prashant,
The default TCP idle timeout is 1 hour. If you want to change it to 5 hrs, use the command:
pixfirewall(config)# timeout conn 5:00:00
Here are your options as far as the timeouts for different services are concerned:
pixfirewall(config)# timeout ?
configure mode commands/options:
conn Configure idle time after which a TCP connection state will
be closed, default is 1:00:00
h225 Configure idle time after which an H.225 signaling conn will
be closed, default is 1:00:00
h323 Configure idle time after which an H.323 control connection
will be closed, default is 0:05:00
half-closed Configure idle time after which a TCP half-closed connection
will be freed, default is 0:10:00
icmp Configure idle timeout for ICMP, default is 0:00:02
HTH
Sundar
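As an added example (not from the thread or from Cisco), here is a small Python audit of the "sh run | include timeout" output discussed above: it parses each keyword/h:mm:ss pair into seconds and flags values that are disabled (0:00:00, which on the PIX/ASA means the state is never aged out) or longer than a chosen maximum, calling out that "conn" is global to every TCP connection. The sample config text is constructed, not captured from a real device.

```python
import re
from typing import Dict, List

# Constructed sample of "sh run | include timeout" output (not from a real device);
# values follow the defaults listed above, with conn raised to 5 hours as in
# "timeout conn 5:00:00" and h225 set to 0:00:00, which the PIX/ASA treats as "never".
SAMPLE_SHOW_RUN = """\
timeout conn 5:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 0:00:00
timeout uauth 0:05:00 absolute
"""

# One "<keyword> <h:mm:ss>" pair; trailing keywords without a value ("absolute") are skipped.
_PAIR = re.compile(r"(?P<name>[a-z0-9_-]+)\s+(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})")


def parse_timeouts(show_run: str) -> Dict[str, int]:
    """Map every timeout keyword in the running config to its value in seconds."""
    result: Dict[str, int] = {}
    for line in show_run.splitlines():
        line = line.strip()
        if not line.startswith("timeout "):
            continue
        for m in _PAIR.finditer(line[len("timeout "):]):
            result[m["name"]] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return result


def audit_timeouts(timeouts: Dict[str, int], max_idle_seconds: int = 3600) -> List[str]:
    """Flag idle timeouts that are disabled (0) or exceed the allowed maximum.

    "conn" is global: raising it widens the idle window for every TCP flow
    through the firewall, not only the one service the operator had in mind.
    """
    findings: List[str] = []
    for name, secs in sorted(timeouts.items()):
        if secs == 0:
            findings.append(f"{name}: timeout disabled (0:00:00), state is never aged out")
        elif secs > max_idle_seconds:
            scope = " (applies to ALL TCP connections)" if name == "conn" else ""
            findings.append(f"{name}: {secs // 60} min exceeds {max_idle_seconds // 60} min{scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_timeouts(parse_timeouts(SAMPLE_SHOW_RUN)):
        print(finding)
```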
03-11-2008 02:37 PM
Thanks Sundar,
But I think if I use the command "timeout conn 5:00:00", it will change the timeout to 5 hours for all TCP connections. I want the timeout to be changed for a specific TCP service, for example for TCP port 3000, and for the rest it can remain the same.
Is there a way to set the timeout for a particular service?
Thanks
Prashant
03-11-2008 02:26 PM
"There are features in other firewalls to increase this timeout or set it to None."
You must be referring to either Checkpoint or Juniper firewalls. For example, you can create a telnet, tcp port 23, service and set the session timeout to, let's say, 6 hours, or you can create an ssh service and set the timeout to 10 minutes.
I've been trying to find this feature in Cisco Pix/ASA/FWSM as well but don't think it is possible.
CCIE Security
03-11-2008 02:35 PM
I see what you are asking. AFAIK, I don't think in Cisco firewalls you can configure timeouts for services inside of TCP. It would be just a global timeout value for TCP.
03-11-2008 02:39 PM
Yes, this is what I am looking for, to change the timeout for a particular service like ssh. I have seen it in Juniper firewalls, where we can easily modify the timeout or set it to none.
Thanks
Prashant