11-10-2008 01:51 PM
Hi Folks,
Can anyone assist with a fix for the following issue with traffic through the ACE module?
TCP sessions are being reset after 60 minutes of inactivity (the default behaviour, I understand). I need to extend this to 7500 seconds.
Our ACE sits between the internal corporate network and the corporate (CheckPoint) firewall. The FW administrators are seeing TCP resets coming from the internal network (i.e. the ACE) after exactly 60 minutes of inactivity. Two applications need these connections to remain open for at least 2 hrs.
I thought perhaps I should apply a parameter-map to the server-side interface as well as the client side (where it is already applied). I currently have a server-side policy-map of type "management". I expect this wouldn't have any effect on application traffic in this case, so what if I configure a new policy-map of type "multi-match" on the server side? For example, if I configured the following:
existing parameter-map is....
  parameter-map type connection External_Connections
    set timeout inactivity 7500
create....
  policy-map multi-match ServerSide_FW_DR_L4_LB_VIP_POLICY
    class class-default
      connection advanced-options External_Connections
apply....
  interface vlan 3390
    service-policy input ServerSide_FW_DR_L4_LB_VIP_POLICY
1 - Would this do the job?
2 - Would it only affect the TCP inactivity timeout and otherwise leave everything else alone (not break anything)?
Attached are show techs for the switch and the module.
Grateful for any assistance with this.
Kind Regards,
SteveK
11-10-2008 09:25 PM
Default inactivity timeouts used by ACE are
  icmp 2 sec
  tcp 3600 sec
  udp 120 sec
With your config you will change the inactivity timeout for every protocol to 7500 sec. If you want to change the TCP timeout to 7500 sec and keep the other inactivity timeouts as they are now, use the following
  access-list ALL-ICMP-ACL extended permit icmp any any
  parameter-map type connection GLOBAL-TCP
    set timeout inactivity 600
  parameter-map type connection GLOBAL-UDP
    set timeout inactivity 120
  parameter-map type connection GLOBAL-ICMP
    set timeout inactivity 2
  class-map match-all ALL-TCP
    match port tcp any
  class-map match-all ALL-UDP
    match port udp any
  class-map match-all ALL-ICMP
    match access-group name ALL-ICMP-ACL
  policy-map multi-match TIMEOUTS
    class ALL-TCP
      connection advanced-options GLOBAL-TCP
    class ALL-UDP
      connection advanced-options GLOBAL-UDP
    class ALL-ICMP
      connection advanced-options GLOBAL-ICMP
and apply service-policy TIMEOUTS globally
  service-policy input TIMEOUTS
Syed Iftekhar Ahmed
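The point made above, that a parameter-map bound to class-default changes the timeout for every protocol while per-protocol class-maps scope it to TCP alone, can be checked offline before pushing a change. The Python below is an added example, not code from this thread or from Cisco; it parses the ACE snippets in the thread and resolves the inactivity timeout each protocol ends up with. The sample config string and the ACL name it understands are constructed for illustration.

```python
import re

# ACE default inactivity timeouts (seconds), as quoted in the thread.
DEFAULTS = {"tcp": 3600, "udp": 120, "icmp": 2}

def effective_timeouts(config):
    """Map each protocol to the inactivity timeout it ends up with.
    class-default is treated as matching every protocol; within a policy-map
    the first matching class wins, mirroring ACE multi-match behaviour."""
    timeouts, acls, classes, policies = {}, {}, {}, []
    section = name = cls = None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) .*permit (tcp|udp|icmp)", line):
            acls.setdefault(m[1], set()).add(m[2])  # ACL used to classify ICMP
        elif m := re.match(r"parameter-map type connection (\S+)", line):
            section, name = "pmap", m[1]
        elif m := re.match(r"class-map match-\w+ (\S+)", line):
            section, name, classes[m[1]] = "cmap", m[1], set()
        elif m := re.match(r"policy-map multi-match (\S+)", line):
            section, name = "pol", m[1]
            policies.append([])
        elif section == "pmap" and (m := re.match(r"set timeout inactivity (\d+)", line)):
            timeouts[name] = int(m[1])
        elif section == "cmap" and (m := re.match(r"match port (tcp|udp)", line)):
            classes[name].add(m[1])
        elif section == "cmap" and (m := re.match(r"match access-group name (\S+)", line)):
            classes[name] |= acls.get(m[1], set())
        elif section == "pol" and (m := re.match(r"class (\S+)", line)):
            cls = m[1]
        elif section == "pol" and (m := re.match(r"connection advanced(?:-options)? (\S+)", line)):
            policies[-1].append((cls, m[1]))
    effective = dict(DEFAULTS)
    for entries in policies:
        decided = set()  # protocols already claimed by an earlier class
        for cls, pmap in entries:
            protos = set(DEFAULTS) if cls == "class-default" else classes.get(cls, set())
            for proto in protos - decided:
                effective[proto] = timeouts.get(pmap, effective[proto])
            decided |= protos
    return effective
# Constructed sample: the original poster's class-default approach.
CLASS_DEFAULT_CFG = """
parameter-map type connection External_Connections
  set timeout inactivity 7500
policy-map multi-match ServerSide_FW_DR_L4_LB_VIP_POLICY
  class class-default
    connection advanced-options External_Connections
"""
if __name__ == "__main__":
    print(effective_timeouts(CLASS_DEFAULT_CFG))  # tcp, udp AND icmp all become 7500
```

Feeding it the per-protocol variant shows only TCP moving while UDP and ICMP keep their defaults, which is the state-table exposure you want to confirm before applying a long timeout globally.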
11-10-2008 09:39 PM
Thanks for your response Syed,
Just to clarify...
1 - for GLOBAL-TCP you typed 600. Should that read 7500?
2 - When you say "apply service-policy TIMEOUTS globally", are you suggesting I apply these as input service-policies to each VLAN interface? I already have multi-match policies applied to the client-side interface, so can I apply another one? Or is there a way to configure it globally?
Cheers, SteveK.
11-11-2008 04:05 AM
The service-policy can be applied globally in the config instead of having to configure it in every interface.
That's what was suggested to you.
Gilles.
11-11-2008 03:52 PM
Many thanks Syed and Gilles,
I see how to do that now. I'm new to ACE modules and wasn't used to the concept of global application of a service policy.
Your valuable contributions are much appreciated. Keep up the good work.
SteveK.
12-07-2012 04:53 AM
Hi, does this config apply to all traffic? I mean both balanced and non-balanced traffic, or just the traffic that hits one VIP?
Thanks in advance
Tiago
12-07-2012 08:50 AM
Hi,
According to the above example, it will apply to everything.
Regards,
Kanwal