07-13-2010 12:46 PM - edited 03-11-2019 11:11 AM
I'm having a problem where video conferences are timing out after 2 hours and 12 minutes consistently. I've located a number of solutions for adjusting the h323 timer on a PIX in order to solve this problem. My issue is that I don't have a PIX, but a 3845 router running IOS
How can I perform the equivalent command on IOS that you would perform on a PIX, which is:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00
timeout h323 16:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
07-14-2010 06:05 AM
Chris,
Just to confirm, what IOS firewall are you using? If you are using CBAC, 'ip inspect tcp idle-time
CBAC 'ip inspect tcp idle-time':
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1050108
ZBF 'tcp idle-time':
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_t1.html#wp1059257
By default, these are set to 3600 seconds.
If this addresses your question, please let us and other NetPro users know by marking this question as answered.
Best Regards,
Kevin
07-16-2010 05:00 PM
I do not think this is a tcp idle timeout issue? I am currently experiencing the same problems with an inter-company PIX firewall which I do not have access to. What version of IOS are you running?
I also ran into the same problem 6 years back - The VC would time-out after 1:59:59. Along with the session timing out because it had reached 2 hour mark, hitting the mute button on the VC unit also caused the session to drop. The FW at that time was a Checkpoint and an upgrade to SP3 fixed the issue.
The default TCP timeout setting of 1 hour that is being talked about here is for an "idle connection".
07-17-2010 07:14 AM
Please increase the tcp idle timeout to more than 2 hrs. This happens in stateful firewalls, as in video conferencing every 2 hrs a packet (something like a keepalive) is sent. I don't exactly remember the name, but I think it happens on port 1720 or something like that. So if the timeout is less than 2 hrs, the keepalive is dropped and the connection terminates.
One option would be allowing the ports required for video conferencing in both directions.
07-19-2010 10:20 AM
The tcp idle timeout is not the problem:
By default the ASA/FWSM gets the following timeout lines.
07-19-2010 10:24 AM
Exactly, that is what I was referring to, and I have seen it happen before when the conn timeout is less than 2 hrs.
05-29-2016 12:16 AM
Hi Chris,
How did you fix this issue?
--
Filippo