Default TCP timeout on ACE

Answered Question
Mar 12th, 2009

Hi,


What is the default TCP timeout on ACE and how can I check it? I have the sticky timeout set to 720 minutes. Does it apply to the TCP timeout as well?

Overall Rating: 4.7 (4 ratings)
Syed Iftekhar Ahmed Thu, 03/12/2009 - 16:23

The default inactivity timeouts are as follows: TCP: 3600 sec, UDP: 120 sec, ICMP: 2 sec

These are inactivity timeouts, meaning if the connections are idle for this many seconds then the connection will be dropped.

If you need a different TCP timeout value, you can change it using the following example


To change TCP idle timeout to 5 minutes


parameter-map type connection TCP-PARAM
  set timeout inactivity 300

class-map match-all TCP-CLASS
  match port tcp any

policy-map multi-match VIP
  class TCP-CLASS
    connection advanced TCP-PARAM


HTH

Syed Iftekhar Ahmed


cisco_lite Fri, 03/13/2009 - 02:24


Is there any entry to check the default TCP timeout value, i.e. 3600 secs?

Correct Answer
Syed Iftekhar Ahmed Fri, 03/13/2009 - 11:51

If you have not configured a parameter-map and applied it to a policy then ACE will definitely be using default values.

One way of testing it could be to open a new TCP connection and use the "show conn detail" command with the IP of the destination.


show conn detail | beg 10.10.10.10


and look for [idle time : xx:xx:xx].

idle time gives you the inactivity time for this connection.


HTH

Syed Iftekhar Ahmed


andreabat72 Sat, 10/01/2011 - 08:41

Hi,

Good information, but I have a doubt.

I have an existing L3/L4 multi-match policy like the one below.

I would like to increase the inactivity timeout on every TCP connection. Can I nest the new class map (match all) in my policy-map, as shown below in bold?

Can this create problems for the existing policy?

Can you confirm that I can apply only one L3/L4 policy map to the interface Vlan?

Is it necessary to remove and reapply the policy to see the effect of the new timeout?

Thanks in advance

Best Regards



policy-map multi-match L4_VIP3_POLICY
  description Multi-Match VIPs on Vlan 18 to ServerFarms
  class L4-FARM-RDP
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-TOKYO
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-TOKYO
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class TCP-CLASS
    connection advanced TCP-PARAM

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 36000

class-map match-all TCP-CLASS
  match port tcp any

kkataja Mon, 03/19/2012 - 00:21

Just add the "class TCP-CLASS" to the top of policy-map L4_VIP3_POLICY:


conf t
policy-map multi-match L4_VIP3_POLICY
  class TCP-CLASS insert-before L4-FARM-RDP
    connection advanced TCP-PARAM
    exit
  exit
exit


By adding it to the top you can override the params in the VIP classes below if needed.
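
The following is an added example, not part of any post in this thread: a small Python audit that reads ACE configuration text in the syntax shown above and reports, for each class in a multi-match policy map, the TCP inactivity timeout configured through `connection advanced`, falling back to the 3600-second default quoted earlier. It reports what is configured per class and does not model how ACE resolves overlapping classes in a multi-match policy; the function names and the sample text are assumptions made for illustration.

```python
import re

DEFAULT_TCP_IDLE = 3600  # seconds; default TCP inactivity timeout quoted in the thread

# Constructed sample, assembled from the configuration fragments posted above.
SAMPLE_CONFIG = """\
parameter-map type connection TCP-PARAM
  set timeout inactivity 36000
class-map match-all TCP-CLASS
  match port tcp any
policy-map multi-match L4_VIP3_POLICY
  class TCP-CLASS
    connection advanced TCP-PARAM
  class L4-FARM-RDP
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP
"""

def effective_tcp_timeouts(config):
    """Map (policy_map, class) -> configured idle timeout in seconds.
    Classes with no resolvable 'connection advanced' map get the default."""
    params, applied = {}, {}   # param-map -> timeout; (policy, class) -> param-map
    pmap = policy = cls = None
    for line in map(str.strip, config.splitlines()):
        if re.match(r"(parameter-map|class-map|policy-map)\s", line):
            pmap = policy = cls = None          # new top-level stanza
        if m := re.match(r"parameter-map type connection (\S+)", line):
            pmap = m.group(1)
        elif pmap and (m := re.match(r"set timeout inactivity (\d+)", line)):
            params[pmap] = int(m.group(1))
        elif m := re.match(r"policy-map multi-match (\S+)", line):
            policy = m.group(1)
        elif policy and (m := re.match(r"class (\S+)", line)):
            cls = m.group(1)
            applied.setdefault((policy, cls), None)
        elif cls and (m := re.match(r"connection advanced (\S+)", line)):
            applied[(policy, cls)] = m.group(1)
    return {k: params.get(v, DEFAULT_TCP_IDLE) for k, v in applied.items()}

def longer_than_default(config):
    """Classes whose idle timeout keeps connection state longer than the default."""
    found = effective_tcp_timeouts(config)
    return sorted(k for k, secs in found.items() if secs > DEFAULT_TCP_IDLE)

if __name__ == "__main__":
    for key, secs in effective_tcp_timeouts(SAMPLE_CONFIG).items():
        print(key, secs)
    print("above default:", longer_than_default(SAMPLE_CONFIG))
```
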

Marvin Rhoads Thu, 09/27/2012 - 09:09

Good information.


I am wondering if this parameter is applicable (and if so can it be applied) to sessions that are not to the VIP but rather to the real servers where the ACE is acting as their default gateway?


Responses happily rated.

Marvin Rhoads Sun, 09/30/2012 - 11:27

Cesar thanks for the tip on "switch-mode". +4.


One follow-up. The documentation at the link seems to have an error. It states:


timeout seconds

Length of time in seconds that the ACE waits before removing the switch mode connection. Enter an integer from 0 to 1440 (24 hours). The default is 0.


Is the parameter seconds or minutes?


My ACE (ACE-20 running vA2(3.6a)) offers the range as:


ACE-1-MODULE-PRI/Admin(config)# switch-mode timeout ?
  <1-65535>  Inactivity Timeout value
ACE-1-MODULE-PRI/Admin(config)#

Cesar Roque Sun, 09/30/2012 - 11:34

Hi Marvin,


It is in seconds.



---------------------
Cesar R
ANS Team
