Re : To make ports never to timeout

Answered Question
Jul 12th, 2010

Hi,

I would like to verify if the below is the right configuration for the ports not to time out, therefore it will never time out the connection.


access-list ACL1-in extended permit tcp object-group Desktops_Users object-group AIC_Servers object-group AVAYA-AIC_agent_app
!
class-map AIC_Agent_Servers
 match access-list ACL1-in
!
policy-map AIC_Agent
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
!
service-policy AIC_Agent global
!

Please advise,

Cheers,
-SN-

Correct Answer
Jennifer Halim Mon, 07/12/2010 - 00:58

That's absolutely correct except the last command, where you have to apply the service-policy to a specific interface depending on the direction of the traffic, because I believe there should already be a global_policy by default applied to global policy, as you can't apply 2 global policies globally.

If you check with "sh run service-policy", it will show you if you already have an existing policy. Otherwise, if you haven't had a global policy, you can apply it. Or else, just apply it to the specific interface.

Hope that helps.

sanjay.nadarajah Tue, 07/13/2010 - 18:04

Hi Halijenn,

Yes, you are right, there is an existing default global policy on the ASA that is called global_policy.

So I would need to add this on the interface.

The difference that I see here is that the service-policy would need to be entered on the interface without the input/output word, compared to if I were to enter the service-policy on a router.

Thanks once again for your response.

Cheers,

-SN-

game123 Tue, 07/13/2010 - 19:59

Can I use the same commands to work under INTERFACE POLICY?

Meaning, can I use the same logic always for both global and interface policy ????

(I know only 1 will be active at one time, and if an interface policy exists with a global policy, the interface policy takes precedence...!)

sanjay.nadarajah Tue, 07/13/2010 - 20:17

Yeap, the doco says you can and so does halijenn. If you apply it to the interface, it only affects traffic at the interface level, and if it is applied globally then it would affect all packets that hit all interfaces on the FW.

The other way that I can think of doing it is adding additional class-maps and then calling them from the existing global policy.

I believe this should work as well.

Cheers,

-SN-
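The two placements discussed in this thread, written out as an added example that is not part of any post above. The interface name `inside` is an assumption (the interface facing Desktops_Users); all other names are taken from the original question.

```cisco
! Constructed example. "inside" is an assumed interface name;
! ACL, object-group, class-map and policy-map names come from the thread.
access-list ACL1-in extended permit tcp object-group Desktops_Users object-group AIC_Servers object-group AVAYA-AIC_agent_app
!
class-map AIC_Agent_Servers
 match access-list ACL1-in
!
! Option 1: keep the separate policy-map and bind it to one interface.
! Only one global service-policy is allowed and global_policy already
! holds that slot, so the policy is attached per interface instead.
policy-map AIC_Agent
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
service-policy AIC_Agent interface inside
!
! Option 2 (use instead of option 1): add the class to the existing
! global_policy, which is already applied with "service-policy
! global_policy global". No new service-policy command is needed.
policy-map global_policy
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
! Verification from privileged EXEC:
!   show run service-policy
!   show service-policy interface inside
```

Connections matched by this class never age out of the connection table, so keeping ACL1-in limited to the listed object-groups is what stops the no-timeout behaviour from applying to other traffic.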
