Reg. TCP timeouts in ASA

Answered Question
Jun 24th, 2010

Hi halijenn / experts,


I have a query related to ASA timeouts, specifically a comparison of the global "timeout conn" and the MPF config that modifies the idle timeout value for a certain set of traffic (class-maps). I have already gone through all the documents and here are my queries:


1) If the customer requires that a certain set of traffic never expires and remains alive throughout, is it possible as per below?


access-list oracle-traffic permit tcp host 172.18.1.1 host 192.168.46.21
access-list oracle-traffic permit tcp host 192.168.46.21 host 172.18.1.1

class-map test
 match access-list oracle-traffic
exit

policy-map global_policy
 class test
  set connection timeout tcp 0:0:0 reset


What exactly is the global "timeout conn"? I believe that it is the idle timeout for the TCP connection. Please correct me if I am wrong. Do the "timeout conn" configured globally and "set connection timeout tcp" (or "idle" in the newer ASA software versions) have the same meaning? I have heard some of my peers saying that "timeout conn" is a session timeout. Does that mean that if I am browsing a website continuously for 1 hr, the HTTP connection built will be forcefully terminated?? In my opinion it is not the session timeout (which probably exists only in the Cisco VPN scenarios) but the idle timeout only. Please clarify my query.


2) If the customer requests that the TCP timeout [timeout conn] be globally set to 10 hrs (in spite of explaining to him the benefit of the MPF commands, and considering that he does not agree to that even after being told that it may also lead to memory issues), then in that case is it necessary that we change the timeout xlate as well? The reason is that I believe in the default settings the xlate timeout is higher than the timeout conn, which means that when translations time out it has to build a new connection again, no matter how long the "timeout conn" is set to. Please correct me if I am wrong.


3) What is the role of reset and DCD in the MPF settings of "set connection timeout tcp ..."?

Overall Rating: 5 (2 ratings)
Marcin Latosiewicz Thu, 06/24/2010 - 02:30
User Badges: Cisco Employee

Ad.1 We're talking about idle time. If you do "show conn detail" you will see the idle timer on existing connections.


Ad.2 It is not necessary to change the xlate timeout. Xlates should only time out once the existing connections pertaining to that xlate time out.


Ad.3
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1429883


I have never sniffed this traffic, but basically it should work like TCP keepalive.



On a general note: moving the timeout for any connection or xlate to 0:0:0 is asking for trouble. You will run out of resources, and yes, the ASA allows this and will eventually stop allowing new connections.

Correct Answer
Jennifer Halim Thu, 06/24/2010 - 02:34
User Badges: Cisco Employee

Hi Ankur,


1) You are absolutely correct with the 2 timeout commands:

- set connection timeout idle 0:0:0 reset --> MPF for specific TCP traffic defined in class-map

- timeout conn --> global idle timeout for TCP traffic


What your colleague means by TCP session is a TCP session from the 3-way handshake (SYN, SYN-ACK, ACK) until the connection is torn down (FIN, FIN-ACK). If web browsing initiates multiple TCP sessions (some webservers are not just a single static page), then the idle timeout applies to each TCP session.


2) The xlate timeout does not need to be set higher than the connection timeout. As long as the connection still exists in the connection table, the xlate will also be active. The reason why the default xlate timeout is higher than the default connection timeout is to keep the xlate in the xlate table for a slightly longer period. However, if you are going to increase the TCP idle timeout to 10 hours, then I would just leave the xlate either the same or at its default, as it does not matter as long as there are active connections.


3) Reset basically sends a RST packet towards both source and destination hosts to gracefully tear down the TCP connection on both hosts instead of silently just tearing down the TCP connection in the firewall.

DCD is an extension of the idle timeout. After the idle timeout expires, with DCD configured, the firewall will make sure that it is really an idle connection by sending a DCD packet to each end host. If both hosts don't respond, then the connection will be torn down; and vice versa, if a host still responds, the connection will be kept alive and the idle timeout clock will be reset.


Hope that helps.
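
Putting the thread's three points into one configuration, as an added example that is not part of the original posts. It assumes a single-context ASA running 8.2(2) or later (so `set connection timeout idle` rather than the older `tcp` keyword is accepted), the Oracle listener on TCP/1521, and the ACL and class-map names shown; interface names and addresses are illustrative. Option A is the never-expiring setting the question asks about; Option B keeps the normal idle timer but lets DCD probe both endpoints before the connection is dropped. Only one of the two `class oracle-class` stanzas should be present for the same traffic.

```cisco
! Global idle timers (default values shown). 0:0:0 on any of these disables that timer.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout xlate 3:00:00

! Match on the initiator direction only: the conn table entry is bidirectional,
! so the return direction does not need its own ACE.
access-list oracle-traffic extended permit tcp host 172.18.1.1 host 192.168.46.21 eq 1521

class-map oracle-class
 match access-list oracle-traffic

! Option A: what the question asks for. No idle timeout for this class at all.
! "reset" means a RST is sent to both ends when the entry expires; with 0:0:0 it
! never expires, so an abandoned Oracle session stays in the conn table forever.
policy-map global_policy
 class oracle-class
  set connection timeout idle 0:0:0 reset

! Option B: keep the one-hour idle timer, but when it runs out send DCD probes to both
! endpoints (up to 5 probes, 15 s apart). If the hosts answer, the idle clock restarts;
! if they do not, the entry is removed and RST is sent to both sides.
policy-map global_policy
 class oracle-class
  set connection timeout idle 1:00:00 reset
  set connection timeout dcd 0:00:15 5

service-policy global_policy global

! Checks: per-connection idle/timeout values, per-class match counters, effective timers.
show conn detail
show service-policy
show run timeout
```

For the 10-hour request in question 2, `timeout conn 10:00:00` on its own is sufficient; as both replies state, an xlate is held as long as a connection still references it, so `timeout xlate` can stay at its default. Before committing to a long global value, compare `show conn count` and `show xlate count` over a day to see how far the tables grow with the longer timer.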

ankurs2008 Thu, 06/24/2010 - 03:28

Excellent explanation!!! Thanks a lot. I may have a few more questions on the same topic, as I am about to implement one or two scenarios.

shamax_1983 Wed, 05/22/2013 - 18:44
User Badges: Bronze, 100 points or more

Thanks for the nice explanation.
