timeout conn

Aug 21st, 2008

The default idle time for a connection on a Cisco ASA is 1 hour, as denoted by the timeout conn command. The ASA then closes the connection.

What I wish to know is how the ASA closes the idle connection. Does it send a reset to each end of the connection, or only one end? Or does it send a reset at all?

Does anyone know what the ASA actually does to close the idle connection?



Syed Iftekhar Ahmed Thu, 08/21/2008 - 01:33

The ASA silently drops connections for which the idle timeout timer has expired.

This default behavior can be changed using Modular Policy Framework.

Check out the "set connection timeout" command in the command reference:


There is a "reset" argument that can be used to send a RST in both directions when the idle timer expires.

Syed Iftekhar Ahmed
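
The Modular Policy Framework change described in this answer, shown as an added configuration example that is not part of the original thread. The ACL and class-map names, the server address 192.0.2.10 and the port are constructed placeholders, and the `idle` keyword is an assumption about the software release (older releases use `tcp` in its place; check the command reference for the version in use).

```cisco
! Constructed example: names, address and port below are placeholders.
! Default behaviour discussed in the thread: one global idle timer.
! When it expires the entry is removed and no RST goes to either end.
timeout conn 1:00:00

! Select the TCP flows that should be closed with a reset instead.
access-list IDLE-RESET-ACL extended permit tcp any host 192.0.2.10 eq 5432

class-map IDLE-RESET-CLASS
 match access-list IDLE-RESET-ACL

! Attach a per-class idle timeout to the default global policy.
policy-map global_policy
 class IDLE-RESET-CLASS
  ! "reset" makes the ASA send a RST in both directions when the
  ! idle timer expires, so neither endpoint keeps a half-dead socket.
  ! Older releases: "set connection timeout tcp 1:00:00 reset".
  set connection timeout idle 1:00:00 reset

! Already present on a default configuration; shown for completeness.
service-policy global_policy global
```

`show service-policy` indicates whether the class is matching traffic, and `show conn` lists the entries still held in the connection table.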

alibowluk Thu, 08/21/2008 - 01:41

Ah, I see, so I can set it to send resets in both directions.

You wrote the ASA silently drops the connection; what do you mean by that? Do you mean the ASA doesn't do anything, it just drops the connection from its own connection table?

Thanks for the help. I'm just trying to get my head round what the ASA does, as we have a connection which seems to be reset at only one end after the idle time; when the connection is re-established, the other end seems to just disappear?



Syed Iftekhar Ahmed Thu, 08/21/2008 - 02:08

As per my knowledge, no resets are sent by the ASA on either side (unless configured using MPF) when a connection times out.

So yes, it simply deletes the connection entry from its connection table.

Syed Iftekhar Ahmed

