05-02-2008 06:12 AM - edited 03-11-2019 05:39 AM
The FWSMs and ASAs have default connection timeout values, but I need to know if conn timeout values can be defined for individual ports like tcp/udp 111 and others?
I see the following default global connection timeout values as such:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
Thanks,
-Scott
07-01-2008 06:11 AM
Connection timeouts can be defined on a per port basis. Create an access-list to match the traffic. Then create a class-map to match the access-list. Apply the class with a service policy.
Ex.
access-list ABC-Traffic extended permit tcp host 10.25.35.10 10.25.45.0 255.255.255.0 eq 23
class-map ABC-Traffic-Class
 match access-list ABC-Traffic
policy-map global_policy
 class ABC-Traffic-Class
  set connection timeout tcp 12:00:00
! global_policy is already applied globally in the default config; re-entering it is harmless
service-policy global_policy global
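The same MPF pattern applied to the port the original question asked about (tcp/udp 111), with the verification commands a practitioner would run afterwards. This is an added example written for this thread, not the poster's configuration; the names PORTMAP-TIMEOUT and PORTMAP-TIMEOUT-CLASS and the 10.25.45.0/24 server network are placeholders. Tightening the idle timer on an exposed service like portmapper is mainly a resource-protection measure: idle connections age out of the conn table sooner instead of sitting there for the global one-hour default.

```cisco
! Match portmapper traffic (tcp/udp 111) from anywhere to the server network.
! Constructed example; ACL name, class name and addresses are placeholders.
access-list PORTMAP-TIMEOUT extended permit tcp any 10.25.45.0 255.255.255.0 eq 111
access-list PORTMAP-TIMEOUT extended permit udp any 10.25.45.0 255.255.255.0 eq 111
!
class-map PORTMAP-TIMEOUT-CLASS
 match access-list PORTMAP-TIMEOUT
!
! Add the class to the existing global policy rather than creating a new
! policy-map, so the default inspection classes in global_policy stay in place.
policy-map global_policy
 class PORTMAP-TIMEOUT-CLASS
  set connection timeout tcp 0:15:00 half-closed 0:05:00
!
! Already present in the default ASA 7.x / FWSM 3.x config; shown for completeness.
service-policy global_policy global
!
! Verification (exec mode):
! show service-policy global             - class attached, packet counters increment
! show run policy-map global_policy      - timeout values as stored in the config
! show conn | include 111                - idle time of live conns matched by the class
```

On the ASA 7.x and FWSM 3.x releases discussed in this thread, `set connection timeout` accepts the `embryonic`, `half-closed` and `tcp` keywords only, so the UDP 111 flows matched by this class still age out on the global `timeout udp` value (0:02:00 in the question); later ASA releases extended the per-class idle timeout to other protocols. If the ACL is reused anywhere else (for example in an interface access-group), keep a separate copy for the class-map so a later edit to one does not silently change the other.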
05-02-2008 08:19 AM
Scott
For the FWSM it depends on what version of software you are running. For version v2.x the timeouts are global, just as they are for PIX v6.x.
However, with an ASA, which runs v7.x at a minimum, and with an FWSM running v3.x of the code, yes, you can define connection timeouts for individual ports/IP addresses.
Here is a link for the FWSM that covers how you would do it
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mpf_f.html
Jon
05-02-2008 08:31 AM
Hi Jon,
We are running FWSM 3.25 and ASA 7.24, so we should have the ability. I don't see where, in the URL you sent me, the commands to change individual port conn timeout values are. Is it a policy-map configuration?
Thanks
05-02-2008 08:36 AM
Yes, you would create a policy map with a class map that matched the traffic you were interested in and then set the connection timeout within that.
Pretty much like the class maps/policy maps/service policies used in the MQC for QoS.
Jon