asa UDP timeout's not honoured

Unanswered Question

Hi,

We have an issue with timeout values not working Version 8.2(3)  and Version 8.3(2)

timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02

asa# sh conn | include UDP  
UDP **** *.*.*.*:54631 **** *.*.*.*:161, idle 0:59:16, bytes 714, flags -
asa# sh conn | include ICMP
ICMP **** *.*.*.*:512 **** *.*.*.*:0, idle 0:55:39, bytes 66
The problem being we have a huge number sessions because of this.
Any ideas ?
John
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mirober2 Sun, 10/03/2010 - 08:18

Hi John,

Can you post the output of the following commands:

'show run class-map'

'show run policy-map'

'show run service-policy'

'show run sysopt'

'show run flow-export'

We would want to check if you have any custom timeouts configured via MPF. Also, there is a bug with a combination of sysopt and flow-export commands that hold connections open forever. The above output would help us rule out both of these.

-Mike

Thanks Mike.

aasa# show run class-map

!

class-map defaut

class-map global-class

match default-inspection-traffic

class-map type inspect http match-all asdm_high_security_methods

match not request method head

match not request method get

class-map outside-class

match access-list outside_mpc

!

asa#  show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 4096
policy-map global_policy
policy-map outside-policy
class outside-class
  set connection per-client-max 1024 per-client-embryonic-max 256
policy-map global-policy
class global-class
  inspect dns
  inspect ftp
  inspect icmp
  inspect icmp error
policy-map type inspect esmtp Custom
parameters
  no mask-banner
match MIME filename length gt 255
  drop-connection log
match sender-address length gt 320
  drop-connection log
match cmd RCPT count gt 100
  drop-connection log
match body line length gt 998
  log
match cmd line length gt 512
  drop-connection log
asa# show run service-policy
service-policy global-policy global
service-policy outside-policy interface outside
asa# show run sysopt
sysopt connection preserve-vpn-flows
asa# show run flow-export
asa#
John
mirober2 Mon, 10/04/2010 - 12:56

Hi John,

This seems to be a bug, so I would recommend opening up a TAC case so it can be investigated.

-Mike

Actions

This Discussion