ACE - TCP 60 minute idle timer?

Jan 24th, 2007

Hi Gilles,

is there a TCP idle timeout of exactly 60 minutes within the ACE software for NON-LB connections?

I have a certain TCP connection from a frontend server to a certain backend server which gets a TCP RST every 60 minutes.

The application guys blame the network for this TCP reset. In my opinion all the timing values which are e.g. set in a connection map are only for the ports designated within the corresponding load-balancing rules.

So if I am not wrong, any other connection traversing the ACE module should be treated as a "simple" connection over any other layer 2/3 switch in a network, with the exception that the ACE is in charge of the routing of this network.

As I am not a hundred percent sure that there isn't a timer comparable to the xlate timeout on PIX or ASA for idle sessions, I thought maybe you have an idea.

Have a look at the attached textfile.

Thanks for reading

Roble

Roble Mumin Fri, 02/02/2007 - 05:24

Just found what I have been looking for.

Quote:

The seconds argument specifies the time period after which the ACE disconnects idle established connections. Enter an integer from 0 to 4294967294 seconds. The defaults are:

  • ICMP: 2 seconds
  • TCP: 3600 seconds (1 hour)
  • UDP: 120 seconds (2 minutes)

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080686bc5.html#wp1074289

mplatise Mon, 03/03/2008 - 14:32

Hi,

I can not open those links. Not available.

I have a similar problem.

Oracle app servers behind the ACE open sessions to the database through the ACE back into the C6K VLAN. Those connections time out and app sessions are dropped.

I can not find any option to change the TCP timeout parameters for TCP sessions that are not load balanced but just routed or bridged.

Regards

Metod

Gilles Dufour Tue, 03/04/2008 - 01:12

You can catch the connections opened by your servers with an ACL inside a class-map.

Then create a multi-match policy-map, use your class-map and set the connection parameter-map with the idle timeout value set to the value that you need.

Gilles.

CCampbell_2 Thu, 01/29/2009 - 23:28

Metod, did you ever have any luck with this? I'm running A2.1.3 and am running into the exact same problem.

Have even changed my TCP timeouts to 8 hours and still get odd connection drops.

mplatise Thu, 02/12/2009 - 05:14

Hi,

I have filtered out the hosts with an ACL. Here is the part of the config.

----------------------------------

access-list ORADB line 8 extended permit tcp any

parameter-map type connection TIMEOUT
  set timeout inactivity 43200

class-map match-all APP_TO_ORADB
  2 match access-list ORADB

policy-map multi-match TCP_POLICY_ORADB
  class APP_TO_ORADB
    connection advanced-options TIMEOUT

interface vlan 220
  description SERVER site
  ...
  service-policy input TCP_POLICY_ORADB
  ...

andreabat72 Sat, 10/01/2011 - 08:25

Hi,

good information, but I have a doubt.

I have an existing L3/L4 multi-match policy like the one below.

I would like to increase the inactivity timeout on every TCP connection. Can I nest the new class map (match-all) into my policy-map, as shown below in bold?

Can this create problems for the existing policy?

Can you confirm that I can apply only one L3/L4 policy-map to the interface VLAN?

Is it necessary to remove and re-apply the policy to see the effect of the new timeout?

Thanks in advance

Best Regards

policy-map multi-match L4_VIP3_POLICY
  description Multi-Match VIPs on Vlan 18 to ServerFarms
  class L4-FARM-RDP
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-TOKYO
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-TOKYO
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active

  class TCP-CLASS
     connection advanced TCP-PARAM

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 36000

class-map match-all TCP-CLASS
  match port tcp any

mplatise Sat, 10/01/2011 - 15:06

Hi,

It has been quite some time since I was dealing with this problem, so my answer is not really accurate.

I think you can add an additional class/class-map definition into an existing policy-map without a problem.

As far as I remember you can put more policy maps on the interface, but I am not sure, nor do I know how they are processed then.

I also think you don't need to remove it and reapply.

But if you want to change the connection timeout parameter for all connections, then the easiest way is to do it globally with the command

set timeout inactivity seconds.

You can find more details in the configuration guide:

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1074289

I hope this is somehow helpful

Best regards,

Metod

acharyr123 Sun, 10/02/2011 - 05:14

Yes. It should work once you apply the command.

Rgds,

andreabat72 Fri, 10/07/2011 - 04:56

Hi,

thanks for your interest, I found the correct solution.

You can enter the parameter-map into an existing class if you want to change only the timeout of those connections, as shown below (OUTPUT1).

If you want to change the timeout for all sessions, you can add a class-map as indicated in OUTPUT2.

You can filter with an ACL to select the correct traffic.

Regards

OUTPUT1

policy-map multi-match L4_VIP3_POLICY
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
    connection advanced TCP-PARAM
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
    connection advanced TCP-PARAM

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 86400

OUTPUT2

policy-map multi-match L4_VIP3_POLICY
  class TCP-CLASS
     connection advanced TCP-PARAM
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 86400

class-map match-all TCP-CLASS
  match port tcp any

acharyr123 Thu, 02/12/2009 - 04:25

Hi,

I was facing similar issues where after 1 hr all sorts of connections used to get dropped. Please do the below modifications to avoid this scenario:

=========================================

parameter-map type connection TCP
  set timeout inactivity 86400

parameter-map type connection UDP
  set timeout inactivity 86400

policy-map multi-match TCP-UDP-TIMEOUTS
  class TCP-Connection
    connection advanced-options TCP
  class UDP-Connection
    connection advanced-options UDP

service-policy input TCP-UDP-TIMEOUTS

Plz rate if it helps...

aanelso1 Thu, 07/23/2009 - 05:25

We saw a similar problem with ORACLE connections on TCP port 1521. I believe that the following configuration only sets the TCP inactivity timeout for the sourced IP addresses and TCP port 1521 (either direction). Gilles, can you confirm?

parameter-map type connection TCP-IDLE
  set timeout inactivity 14400

class-map match-all REAL_SERVERS
  2 match source-address 10.15.4.0 255.255.255.0
  3 match port tcp eq 1521

policy-map multi-match TCP-INACTIVITY
  class REAL_SERVERS
    connection advanced-options TCP-IDLE

service-policy input TCP-INACTIVITY
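As an added example (not from this thread and not Cisco's code), the following Python resolves which idle timeout a given flow ends up with under the parameter-map / class-map / policy-map scheme the posts above use, so the "which class does my non-load-balanced connection hit, and does it fall back to the 3600-second default?" question can be checked offline against a config snippet. It assumes match-all class-maps with the `match port` and `match source-address` criteria seen above, that the first policy class carrying a connection parameter-map wins, and the protocol defaults quoted earlier (TCP 3600 s, UDP 120 s, ICMP 2 s); the config string is constructed, modelled on the port-1521 post.

```python
import ipaddress
DEFAULTS = {"tcp": 3600, "udp": 120, "icmp": 2}  # ACE defaults quoted in the thread (seconds)
# Constructed sample config (not from the thread), modelled on the port-1521 post above.
ACE_CONFIG = """
parameter-map type connection TCP-IDLE
  set timeout inactivity 14400
class-map match-all REAL_SERVERS
  2 match source-address 10.15.4.0 255.255.255.0
  3 match port tcp eq 1521
policy-map multi-match TCP-INACTIVITY
  class REAL_SERVERS
    connection advanced-options TCP-IDLE
"""
def parse_ace(config):
    """Return (parameter-maps, class-maps, ordered policy classes) for the config subset used here."""
    pmaps, cmaps, policy, section = {}, {}, [], ("", "")
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["parameter-map", "type", "connection"]:
            section = ("pmap", w[3])
        elif w[:2] == ["class-map", "match-all"]:
            section, cmaps[w[2]] = ("cmap", w[2]), []
        elif w[:2] == ["policy-map", "multi-match"]:
            section = ("policy", w[2])
        elif section[0] == "pmap" and w[:3] == ["set", "timeout", "inactivity"]:
            pmaps[section[1]] = int(w[3])
        elif section[0] == "cmap" and "match" in w:
            cmaps[section[1]].append(w[w.index("match") + 1:])  # drops the "2 "/"3 " line numbers
        elif section[0] == "policy" and w[:1] == ["class"]:
            policy.append([w[1], None])
        elif section[0] == "policy" and w[:1] == ["connection"]:
            policy[-1][1] = w[2]  # "advanced-options NAME" or the "advanced NAME" shorthand
    return pmaps, cmaps, policy

def class_matches(criteria, proto, src, dport):
    """match-all semantics: every criterion of the class-map must hold."""
    for c in criteria:
        if c[0] == "port" and (c[1] != proto or (c[2] == "eq" and int(c[3]) != dport)):
            return False  # "match port tcp any" accepts every TCP port
        if c[0] == "source-address" and ipaddress.ip_address(src) not in ipaddress.ip_network(f"{c[1]}/{c[2]}", strict=False):
            return False
    return True

def idle_timeout(config, proto, src, dport):
    """First matching policy class that carries a connection parameter-map wins; else the protocol default."""
    pmaps, cmaps, policy = parse_ace(config)
    for cname, pmap in policy:
        if pmap and class_matches(cmaps.get(cname, []), proto, src, dport):
            return pmaps.get(pmap, DEFAULTS[proto])
    return DEFAULTS[proto]
```

A flow from 10.15.4.7 to port 1521 resolves to 14400 s, while the same host talking to port 443, or a host outside 10.15.4.0/24, keeps the 3600 s TCP default that matches the hourly reset in the opening post.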
