Custom UDP service timeout

Unanswered Question
Jun 24th, 2009


I don't want to change the global UDP idle timeout for the entire firewall for obvious security reasons but I have to change timeout for a particular UDP port from a known source IP to another known destination IP. I tried using:

object-group service blah

timeout udp 0:20:00

or timeout udp 0:20:00 conn 1:00:00

but the timeout command does not stay in the config. I even tried MPF but MPF doesn't have UDP option or I can't find it.

Is there another way?

Thanks in advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Patrick0711 Wed, 06/24/2009 - 20:30

I did something similar for TCP connections the other day...

This should work...substitute the TCP for UDP and add the necessary UDP port in the ACL:

access-list custom_timeout extended permit tcp host any

class-map custom_timeout

description Connection Timeout for specific hosts - 3 hours

match access-list custom_timeout

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class custom_timeout

set connection timeout tcp 03:0:00 reset

ned.tavakol Thu, 06/25/2009 - 01:39


Thanks for your respond.

I've already tried this but unfortunately there isn't a udp option with this method.

please see below

hostname(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:

dcd Configure dead-connection-detection retry interval.

embryonic Configure absolute time after which an embryonic TCP connection

will be closed, default is 0:00:30.

half-closed Configure idle time after which a TCP half-closed connection

will be freed, default is 0:10:00

tcp Configure idle time after which a TCP connection state will be

closed, default is 1:00:00

ned.tavakol Sun, 02/19/2012 - 16:36


The custom UDP service was taken out of ASA 8.x code and by request it was added back in higher releases of 8.2


This Discussion