ACE - timeout inactivity problem

Unanswered Question
May 12th, 2009
User Badges:
  • Silver, 250 points or more

Hi All,

I've got a strange problem with session counts and timeout on an ACE (2.1.3).

I created a connection parameter-map to an existing configuration, added it to the load-balance configuration and then removed and re-added the service policy. The context is in bridge mode.

parameter-map type connection FINJAN

set timeout inactivity 60

set tcp timeout half-closed 60

policy-map multi-match Finjan-04-LB-policy

class VIP-production_class

loadbalance vip inservice

loadbalance policy production-8080_LB_policy

loadbalance vip icmp-reply

connection advanced-options FINJAN

class VIP-beta_class

loadbalance vip inservice

loadbalance policy beta-8080_LB_policy

loadbalance vip icmp-reply

connection advanced-options FINJAN

interface vlan 396

description slb vlan

bridge-group 396

access-group input BPDU

access-group input PERMIT-ALL

service-policy input Finjan-04-LB-policy

no shutdown

But I'm still seeing sessions with idle times of minutes.

For example:

27344 1 in TCP 397 ESTAB

[ idle time : 00:16:47, byte count : 975 ]

[ elapsed time: 00:20:30, packet count: 14 ]

Is there anything else I need to do to make the timeout effective? I need to get this working before I can limit the number of connections to each real server.

Also the output of "sh serverfarm" shows many more current connections than a "sh conn de" command. Is this expected?


ace2/finjan# sh serverfarm beta-farm-8080

serverfarm : beta-farm-8080, type: HOST

total rservers : 7



real weight state current total failures


rserver: beta_blade-1 8 OPERATIONAL 44982 39669799 45323

rserver: beta_blade-2 8 OPERATIONAL 49594 42955799 60246

rserver: beta_blade-3 8 OPERATIONAL 51545 46098331 49868

rserver: beta_blade-4 8 OPERATIONAL 51659 46260307 57544

rserver: production_blade-2 8 OPERATIONAL 720 540878 41145

rserver: production_blade-3 8 OPERATIONAL 51270 45832507 45670

rserver: production_blade-4 8 OPERATIONAL 51870 45779920 47624

when the "sh conn de" reports about 14000 sessions.

Any help appreciated.

Thank you


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Tue, 05/12/2009 - 02:28
User Badges:
  • Cisco Employee,

Possibly a match to :

CSCso93479: current connection counter under show serverfarm is not accurate

The paramater-map change only affects new connections.

In your output, is the connection you highlighted older than the parameter-map ??

Do you have frequent config changes and is it possible that the connection showing the long idle timeout was created during a config change ?


ciscocsoc Tue, 05/12/2009 - 02:39
User Badges:
  • Silver, 250 points or more

Hi Gilles,

The parameter map was installed early this morning so all sessions should now be under its aegis. I haven't made changes in the last 45 minutes, but there are still idle sessions. E.g.

37 1 out TCP 396 ESTAB

[ conn in reuse pool : FALSE]

[ idle time : 00:31:21, byte count : 164 ]

[ elapsed time: 00:31:47, packet count: 4 ]

The context is in bridge mode. I've only applied the policy to the "inside" VLAN. Would it make a difference if the policy were applied globally?



Gilles Dufour Tue, 05/12/2009 - 05:01
User Badges:
  • Cisco Employee,


I now realised that what you are showing is the 'OUT' part of the connection.

A tcp connection has 2 flows.

If one of the flow is active, we keep both flows in the table.

So, if you see the OUT flow being idle longer than your idle timeout, check the associated IN flow.


ciscocsoc Tue, 05/12/2009 - 08:04
User Badges:
  • Silver, 250 points or more

I moved the service policy from the client vlan to the global config - in the hope of being able to apply the connection parameter-map. Just after I did that the whole ACE reloaded (failure in arp_mgr). Hopefully unrelated.

I do see unbalanced flows;

5078 1 in TCP 397 ESTAB

[ idle time : 00:16:56, byte count : 1644 ]

[ elapsed time: 00:19:17, packet count: 29 ]

35 1 out TCP 396 CLOSED

[ conn in reuse pool : FALSE]

[ idle time : 00:19:14, byte count : 28504 ]

[ elapsed time: 00:19:17, packet count: 21 ]

Is there anything I can do about this or is it dependent on the server-side doing something?

Thank you



This Discussion