Custom UDP service timeout

ned.tavakol · ‎06-24-2009

Hi,

I don't want to change the global UDP idle timeout for the entire firewall for obvious security reasons but I have to change timeout for a particular UDP port from a known source IP to another known destination IP. I tried using:

object-group service blah

timeout udp 0:20:00

or timeout udp 0:20:00 conn 1:00:00

but the timeout command does not stay in the config. I even tried MPF but MPF doesn't have UDP option or I can't find it.

Is there another way?

Thanks in advance

Patrick0711 · ‎06-24-2009

I did something similar for TCP connections the other day...

This should work...substitute the TCP for UDP and add the necessary UDP port in the ACL:

access-list custom_timeout extended permit tcp host 1.1.1.1 any

class-map custom_timeout

description Connection Timeout for specific hosts - 3 hours

match access-list custom_timeout

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class custom_timeout

set connection timeout tcp 03:0:00 reset

ned.tavakol · ‎06-25-2009

Hi,

Thanks for your respond.

I've already tried this but unfortunately there isn't a udp option with this method.

please see below

hostname(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:

dcd Configure dead-connection-detection retry interval.

embryonic Configure absolute time after which an embryonic TCP connection

will be closed, default is 0:00:30.

half-closed Configure idle time after which a TCP half-closed connection

will be freed, default is 0:10:00

tcp Configure idle time after which a TCP connection state will be

closed, default is 1:00:00

ned.tavakol · ‎02-19-2012

Hi,

The custom UDP service was taken out of ASA 8.x code and by request it was added back in higher releases of 8.2