Solved: Can connection timeouts be defined on a per port basis on FWSM's like ISG's

swharvey · ‎05-02-2008

The FWSM's and ASA's have default connection timeout values, but I need to know if conn timeout values can be defined for individual ports like tcp/udp 111 and others?

I see the following default global connection timeout values as such:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

Thanks,

-Scott

todd.gann · ‎07-01-2008

Connection timeouts can be defined on a per port basis. Create an access-list to match the traffic. then create a class-map to match the access-list. Apply the class with a service policy.

Ex.

access-list ABC-Traffic extended permit tcp host 10.25.35.10 10.25.45.0 255.255.255.0 eq 23

class-map ABC-Traffic-Class

match access-list ABC-Traffic

policy-map global_policy

class ABC-Traffic-Class

set connection timeout tcp 12:00:00

View solution in original post

Jon Marshall · ‎05-02-2008

Scott

For the FWSM it depends on what version of software you are running. For version v2.x then the timeouts are global just as they are for pix v6.x.

However with ASA which run v7.x at a minimum and with an FWSM running v3.x of the code yes you can define connection timeouts for individual ports/IP addresses.

Here is a link for the FWSM that covers how you would do it

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mpf_f.html

Jon

swharvey · ‎05-02-2008

Hi Jon,

We are running FWSM 3.25, and ASA 7.24, so we should have the ability. I don't see where in the url you sent me the commands to change individual port conn timeout values. Is it a policy-map configuration?

Thanks

Jon Marshall · ‎05-02-2008

Yes, you would create a policy map with a class map that matched the traffic you were interested in and then set the connection timeout within that.

Pretty much like class maps/policy maps/service policies used in the MQC for QOS.

Jon

todd.gann · ‎07-01-2008