Hi halijenn / experts,
I have a query related to ASA timeouts, specifically the comparison of the "timeout conn" and the MPF config which is specifically related to modifying the idle timeout value for a certain set of traffic (class-maps). I have already gone through all the documents and here are my queries:
1) If the customer requires that a certain set of traffic never expires and remains alive throughout, then is it possible as per below?
access-list oracle-traffic permit tcp host 172.18.1.1 host 192.168.46.21
access-list oracle-traffic permit tcp host 192.168.46.21 host 172.18.1.1
match access-list oracle-traffic
set connection timeout tcp 0:0:0 reset
What exactly is the global "timeout conn"? I believe that it is the idle timeout for the TCP connection. Please correct me if I am wrong. Do the "timeout conn" mentioned globally and "set connection timeout tcp (or idle in the new ASA s/w version)" have the same meaning? I have heard some of my peers saying that "timeout conn" is a session timeout. Does that mean that if I am browsing a website for a continuous 1 hr, the HTTP connection built will be forcefully terminated? In my opinion it is not the session timeout (which probably exists only in the Cisco VPN scenarios) and it is the idle timeout only. Please clarify my query.
2) If the customer requests that he wants the TCP timeout [timeout conn] to be globally set for 10 hrs (in spite of explaining to him the benefit of the MPF commands, and considering that he does not agree to that, even after explaining that it may also lead to memory issues), then in that case is it necessary that we have to change the timeout xlate as well? The reason is that I believe, in the default settings also, the xlate timeout is higher than the timeout conn, which means that when translations time out, it has to build a new connection again no matter how long the "timeout conn" is set to. Please correct me if I am wrong.
3) What is the role of reset and DCD in the MPF settings of "set connection timeout tcp ..."?
1) You are absolutely correct with the 2 timeout commands:
- set connection timeout idle 0:0:0 reset --> MPF for specific TCP traffic defined in class-map
- timeout conn --> global idle timeout for TCP traffic
What your colleague means by TCP session is a TCP session from the 3-way handshake (SYN, SYN-ACK, ACK) until the connection is torn down (FIN, FIN-ACK). If web browsing initiates multiple TCP sessions (some web servers are not just a static single page), then the idle timeout will apply to each TCP session.
2) Xlate timeout does not need to be set higher than the connection timeout. As long as the connection still exists in the connection table, the xlate will also be active. The reason why the default xlate timeout is higher than the default connection timeout is to keep the xlate in the xlate table for a slightly longer period. However, if you are going to increase the TCP idle timeout to 10 hours, then I would just leave the xlate either the same or even keep it as default, as it does not matter as long as there are active connections.
3) Reset basically sends a RST packet towards both source and destination hosts to gracefully tear down the TCP connection on both hosts instead of silently just tearing down the TCP connection in the firewall.
DCD is an extension of the idle timeout. After the idle timeout expires, with DCD configured, the firewall will make sure that it is really an idle connection by sending a DCD packet to each end host. If both hosts don't respond, then the connection will be torn down, and vice versa: if a host still responds, the connection will be kept alive, and the idle timeout clock will be reset.
Hope that helps.
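The two cases discussed in this thread (a class whose connections never idle out, and a class with a finite idle timeout where DCD probes before teardown and RST is sent to both ends) written out as one complete MPF configuration next to the global timers. This is an added example, not configuration from either post; the poster's access-list lines are reused as-is, while the class-map names, the app-keepalive ACL with its 10.1.1.0/24 and 10.2.2.0/24 subnets, and the DCD retry values are assumptions. global_policy is the ASA's default policy-map name, already applied globally on a factory configuration.

```cisco
! Added example (not from the original posts). oracle-class,
! app-keepalive-class and the 10.1.1.0/24 / 10.2.2.0/24 subnets are assumptions.
!
! Case 1: traffic that must never idle out (the poster's ACL, both directions)
access-list oracle-traffic extended permit tcp host 172.18.1.1 host 192.168.46.21
access-list oracle-traffic extended permit tcp host 192.168.46.21 host 172.18.1.1
!
! Case 2: traffic that may idle out after 2 hours, but only if both ends are
! really gone; DCD probes first, and a RST goes to both hosts on teardown
access-list app-keepalive extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
class-map oracle-class
 match access-list oracle-traffic
!
class-map app-keepalive-class
 match access-list app-keepalive
!
! Adding the classes to the existing default policy-map
policy-map global_policy
 class oracle-class
  ! 0:0:0 disables the idle timer for matching connections; "reset" only has
  ! an effect if this timeout is later changed to a non-zero value
  set connection timeout idle 0:0:0 reset
 class app-keepalive-class
  ! idle 2h; when it expires, DCD probes each end every 15 s, up to 5 times,
  ! and the connection is torn down (with RST to both hosts) only if neither
  ! end answers; an answer restarts the idle clock
  set connection timeout idle 2:00:00 reset dcd 0:0:15 5
!
service-policy global_policy global
!
! Global idle timers for all TCP traffic not matched by a class above
! (the values shown are the defaults: conn 1h, xlate 3h). The xlate timer can
! stay at default even when a class sets a much longer idle timeout, because
! an xlate is kept as long as a connection using it is in the conn table.
timeout conn 1:00:00
timeout xlate 3:00:00
!
! Verification: per-class hit counts, per-connection idle timers, and the
! effective global timers
show service-policy
show conn detail
show running-config timeout
```

The idle timer and DCD belong to the same `set connection timeout` line, so both keywords are given together under the class; `show conn detail` is the place to confirm that a matched connection shows the class timeout rather than the global one.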