Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Best pratices to set Timers in CDA + WSA

I'm deploying  WSA in transparent mode with WCCP redirection from ASA.
Everything is OK, but I would like to know the best practices to setup the correct Time to avoid mismatch of ip-mapping.

In WSA the parameter possible are:

Credential Cache Options:

a) Surrogate Timeout:  value to setup
b) Client IP Idle Timeout:  value to setup

over CDA the paramentes possible are:

c) dcStatusTime
d) dcHistoryTime
e) userLogonTTL

can you suggest ?
Further, What are happen if I set more or less this value? what is risk about it?

thanks for support.



Everyone's tags (1)
New Member

- On CDA, we changed the

- On CDA, we changed the History timer to  60mins so that after every 60mins, the CDA clears out the User-to-IP mapping cache and checks with the AD to get the new mapping. This setting would lower down the false positives on the WSA as CDA would have more updated mapping.
However we should not lower down this value too much otherwise CDA would requery the AD more frequently and thus would increase the load on the CDA as well as on the Active Directory might also result in performance issues on the CDA.

- As per the customer request, we have configured re-authentication timer to 20mins on the WSA ( tuiconfig command). This would enable the WSA to clear out the user's session every 20mins and would ask the end user to reauthenticate.
Please note, most of the web browsers cache the user credentials and thus reply to the WSA's re-authentication request with the cached credentials. This enables the user to have a seemless working environment without being prompted for re-authenticate again and again, without being aware that re-authentication has already happened in the background.

CreatePlease login to create content