suggested timeout config on pix for aaa cmds passing through

Unanswered Question
Jul 2nd, 2009

Our TACACS server sits on the other side of a PIX firewall. As a result, we are causing a lot of xlate transactions on the PIX as we enter commands on our devices.

What are the suggested timeout values?

Our conn count is a max of 2700.

timeout xlate 3:00:00 (default)
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Collin Clark Mon, 07/06/2009 - 05:50

Are you seeing xlates for your sessions? Are they going through the firewall or to the firewall? When you manage the firewall itself there are no xlates. The management of the firewalls is all TCP based, so you should only see one xlate for management beyond the firewall (per person/per device). The default timeouts are fine unless there is a specific application that requires a longer one.

Hope that helps.
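One way to actually check the reply's claim (one xlate per person/device, TACACS+ flows being plain TCP/49) is to pull `show xlate` and `show conn` off the PIX and count entries per inside host. The script below is an added example, not code from the thread or from Cisco: it parses output modelled on the PIX 6.x text format, and the sample output, host addresses and `tacacs_report` function are all constructed for illustration. With PAT, each open connection from a device gets its own xlate entry, so a device whose TACACS+ sessions are not closing cleanly shows up as a host with more than one entry.

```python
# Added example (not from the original thread): parse PIX 6.x-style
# "show xlate" / "show conn" output and count, per inside host, how many
# xlates and how many TACACS+ (TCP/49) connections are open, so the
# "one xlate per person/device" expectation can be checked on the box.
import re
from collections import Counter

# Constructed sample output modelled on the PIX 6.x text format; not a real capture.
SHOW_XLATE = """\
4 in use, 9 most used
Global 192.0.2.10 Local 10.1.1.5
PAT Global 192.0.2.1(1025) Local 10.1.1.6(11029)
PAT Global 192.0.2.1(1026) Local 10.1.1.6(11030)
Global 192.0.2.11 Local 10.1.1.7
"""

SHOW_CONN = """\
4 in use, 12 most used
TCP out 203.0.113.49:49 in 10.1.1.5:11035 idle 0:00:05 Bytes 1280 flags UIO
TCP out 203.0.113.49:49 in 10.1.1.6:11029 idle 0:12:41 Bytes 960 flags UIO
TCP out 203.0.113.49:49 in 10.1.1.6:11030 idle 0:00:02 Bytes 1100 flags UIO
TCP out 203.0.113.80:22 in 10.1.1.7:11040 idle 0:03:10 Bytes 4096 flags UIO
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "Global a.b.c.d Local w.x.y.z" for NAT, with "(port)" suffixes and a PAT prefix for PAT.
XLATE_RE = re.compile(rf"^(PAT )?Global {IP}(?:\((\d+)\))? Local {IP}(?:\((\d+)\))?\s*$")
# "TCP out <server>:<port> in <device>:<port> idle h:mm:ss ..."
CONN_RE = re.compile(rf"^(TCP|UDP) out {IP}:(\d+) in {IP}:(\d+) idle (\d+):(\d{{2}}):(\d{{2}})")


def hms_to_seconds(hms):
    """Convert a PIX timeout value such as '3:00:00' to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_xlates(text):
    """One dict per xlate line; the 'N in use' header line is skipped."""
    xlates = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        pat, gip, gport, lip, lport = m.groups()
        xlates.append({"pat": pat is not None, "global": gip, "global_port": gport,
                       "local": lip, "local_port": lport})
    return xlates


def parse_conns(text):
    """One dict per connection line, with idle time converted to seconds."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto, oip, oport, iip, iport, h, mi, s = m.groups()
        conns.append({"proto": proto, "out": oip, "out_port": int(oport),
                      "in": iip, "in_port": int(iport),
                      "idle": hms_to_seconds(f"{h}:{mi}:{s}")})
    return conns


def xlates_per_local(xlates):
    """Count xlates per inside host; under PAT every connection has its own entry."""
    return Counter(x["local"] for x in xlates)


def conns_to_port(conns, port=49, proto="TCP"):
    """Connections to a given outside port, TACACS+ (TCP/49) by default."""
    return [c for c in conns if c["proto"] == proto and c["out_port"] == port]


def tacacs_report(xlate_text, conn_text, conn_timeout="1:00:00"):
    """Per inside host: xlate count, TACACS+ conn count, and the longest idle
    TACACS+ conn as a fraction of the configured 'timeout conn' value."""
    per_host = xlates_per_local(parse_xlates(xlate_text))
    tacacs = conns_to_port(parse_conns(conn_text))
    limit = hms_to_seconds(conn_timeout)
    report = {}
    for host in sorted(set(per_host) | {c["in"] for c in tacacs}):
        mine = [c for c in tacacs if c["in"] == host]
        longest = max((c["idle"] for c in mine), default=0)
        report[host] = {"xlates": per_host.get(host, 0),
                        "tacacs_conns": len(mine),
                        "idle_fraction": round(longest / limit, 3)}
    return report


if __name__ == "__main__":
    for host, row in tacacs_report(SHOW_XLATE, SHOW_CONN).items():
        print(host, row)
```

On the constructed data, 10.1.1.6 shows two PAT xlates and two TACACS+ connections, one of them idle for nearly 13 minutes; a host that accumulates entries like that, rather than holding a single short-lived one per command, is where to look before touching the global timeouts. Paste real `show xlate` / `show conn` output in place of the samples; the regexes assume the PIX 6.x line layout shown and will simply skip lines in any other format.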

