05-21-2008 07:19 AM
Hi,
I'm trying to implement a connection parameter on an ACE module that simply sets the TCP timeout to 0.
I can get this to work fine if I permit all TCP traffic in the class-map, but it doesn't work if I use an ACL;
>>Match all TCP;
parameter-map type connection TCP-Timeout
set timeout inactivity 0
class-map match-all TCP-Timeout-Out-Class
2 match port tcp any
class-map match-all TCP-Timeout-in-Class
2 match port tcp any
policy-map multi-match TCP-Timeout-Out-Policy
class TCP-Timeout-Out-Class
connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
class TCP-Timeout-in-Class
connection advanced-options TCP-Timeout
Interface vlan 920
....
service-policy input TCP-Timeout-in-Policy
Interface vlan 923
....
service-policy input TCP-Timeout-Out-Policy
>>Match ACL;
access-list TCP-Timeout-Group-Out line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group-in line 10 extended permit ip any 10.221.178.0 0.0.0.255
parameter-map type connection TCP-Timeout
set timeout inactivity 0
class-map match-all TCP-Timeout-Out-Class
match access-list TCP-Timeout-Group-Out
class-map match-all TCP-Timeout-in-Class
match access-list TCP-Timeout-Group-in
policy-map multi-match TCP-Timeout-Out-Policy
class TCP-Timeout-Out-Class
connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
class TCP-Timeout-in-Class
connection advanced-options TCP-Timeout
Interface vlan 320
....
service-policy input TCP-Timeout-in-Policy
Interface vlan 323
....
service-policy input TCP-Timeout-Out-Policy
Any ideas?
Many Thanks
05-21-2008 07:49 AM
Try changing the class-map from "type match-all" to "type match-any". Match-all implies both statements need to be true. The match-any is probably what you want. Either of the ACL statements can be true.
Also try to apply the policy globally instead of the interfaces, simplifying the config might help as well.
e.g.:
access-list TCP-Timeout-Group line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group line 20 extended permit ip any 10.221.178.0 0.0.0.255
class-map match-any TCP-Timeout-Class
match access-list TCP-Timeout-Group
parameter-map type connection TCP-Parameter-Map
set timeout inactivity 0
policy-map multi-match TCP-Timeout-Out-Policy
class TCP-Timeout-Class
connection advanced-options TCP-Parameter-Map
service-policy input TCP-Timeout-Out-Policy <- apply it globally
Hope it helps.
Roble
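To make the match-all versus match-any distinction concrete, here is an added Python model (not ACE code and not from anyone in this thread) of how a class-map combines its match statements against ACL lookups. It assumes first-match-wins ACL evaluation with an implicit deny at the end, and writes ACL addresses as CIDR prefixes in place of ACE's address/mask pairs; the packets and ACL lines are constructed for the illustration.

```python
"""Model of how a class-map's match-all / match-any mode combines its
match statements against ACL lookups.  Constructed example, not ACE
code; ACL addresses are CIDR prefixes (an assumption standing in for
ACE's address/mask pairs)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _net(text: str) -> ipaddress.IPv4Network:
    # "any" is the whole address space.
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def parse_acl(lines):
    """Parse lines of the form
    'access-list NAME line N extended permit ip SRC DST'
    into {name: [AclEntry, ...]}, keeping line order (first match wins)."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 9 or t[0] != "access-list" or t[4] != "extended":
            raise ValueError(f"unsupported line: {line}")
        name, action, proto, src, dst = t[1], t[5], t[6], t[7], t[8]
        acls.setdefault(name, []).append(AclEntry(action, proto, _net(src), _net(dst)))
    return acls


def acl_permits(entries, pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e.matches(pkt):
            return e.action == "permit"
    return False


@dataclass
class ClassMap:
    name: str
    mode: str                        # "match-all" or "match-any"
    acl_names: list = field(default_factory=list)

    def matches(self, pkt: Packet, acls) -> bool:
        # match-all: every match statement must be true; match-any: at least one.
        results = [acl_permits(acls[n], pkt) for n in self.acl_names]
        return all(results) if self.mode == "match-all" else any(results)


def evaluate_thread_configs():
    """Return (outbound_matched, inbound_matched) for four class-map shapes."""
    # Constructed ACLs mirroring the thread's two directional entries.
    acls = parse_acl([
        "access-list TCP-Timeout-Group-Out line 10 extended permit ip 10.221.178.0/24 any",
        "access-list TCP-Timeout-Group-in line 10 extended permit ip any 10.221.178.0/24",
    ])
    outbound = Packet("10.221.178.5", "192.0.2.10")   # leaves the subnet
    inbound = Packet("192.0.2.10", "10.221.178.5")    # enters the subnet

    # One ACL per class-map (the original post's shape): mode makes no difference.
    out_all = ClassMap("TCP-Timeout-Out-Class", "match-all", ["TCP-Timeout-Group-Out"])
    out_any = ClassMap("TCP-Timeout-Out-Class", "match-any", ["TCP-Timeout-Group-Out"])
    # Both ACLs in one class-map: here the mode decides everything.
    both_all = ClassMap("Both", "match-all", ["TCP-Timeout-Group-Out", "TCP-Timeout-Group-in"])
    both_any = ClassMap("Both", "match-any", ["TCP-Timeout-Group-Out", "TCP-Timeout-Group-in"])

    return {
        "single_acl_match_all": (out_all.matches(outbound, acls), out_all.matches(inbound, acls)),
        "single_acl_match_any": (out_any.matches(outbound, acls), out_any.matches(inbound, acls)),
        "two_acls_match_all": (both_all.matches(outbound, acls), both_all.matches(inbound, acls)),
        "two_acls_match_any": (both_any.matches(outbound, acls), both_any.matches(inbound, acls)),
    }


if __name__ == "__main__":
    for shape, result in evaluate_thread_configs().items():
        print(f"{shape:24s} outbound={result[0]} inbound={result[1]}")
```

With a single match statement per class-map, match-all and match-any give identical results; with two direction-specific ACLs in one class-map, match-all can never be satisfied by a one-direction packet, while match-any matches both directions. That is why a two-line ACL referenced from one class-map, as in the suggested config, covers both directions regardless of mode.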
05-21-2008 10:19 AM
Agreed, you should use the match-any as the match-all will need to match both ACLs. Apply it globally and if it works then apply it to the interfaces.
Also, I would change the 2nd ACL to a different name since the traffic is in reverse of the first ACL.
Hope it works..
HTH
05-22-2008 12:17 AM
Thanks for your comments guys, but the ACLs are both named differently, so the match all should only be matching one ACL at a time.
I agree with the point that the service policy could be applied globally though.