asa5520 - timeout issue

Unanswered Question
Jun 3rd, 2010
User Badges:


I have problems with my asa5520 ver7.2(4) - routed, firewall. the problem is the server behind inside interface has timeout when it talks to server front of outside interface. the timeout problem include server's batch job report system time out, and user ssh experience. the user ssh idle timeout seems veris time by time, 50 min, 2:30, and 3:30. it confuses me.

However, could I get some advice on where possible area I should look into?

Any comments will be appreciated

Thanks in advance


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m.kafka Fri, 06/04/2010 - 02:47
User Badges:
  • Bronze, 100 points or more

hi julxu,

tcp timeouts will occur for ASA connections when no packets are seen for a configured idle time. The connection will be deleted from the ASA's connection table and subsequents packets will be dropped.

How to olve the issue:

configure a traffic class, describing the sessions which experience the problem.

configure a policy action to extend the timeouts:

hostname(config)# class-map CONNS
hostname(config-cmap)# match [match-criterea]

hostname(config)# policy-map [policy-name]
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection timeout tcp 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd

hostname(config-pmap-c)# [other-policy-actions]

dcd is a nice option, that sends tcp-probes (0-segments) to test whether the connection is still valid before timing out.

always remember that the first class that matches in a policy map decides the actions. So everything else like inspection etc should be added as additional policy actions.


This Discussion