ACE - TCP 60 minute idle timer?

Roble Mumin
Level 3

Hi Gilles,

Is there a TCP idle timeout of exactly 60 minutes within the ACE software for non-LB connections?

I have a certain TCP connection from a frontend server to a certain backend server which gets a TCP RST every 60 minutes.

The application guys blame the network for this TCP reset. In my opinion all the timing values which are e.g. set in a connection map are only for the ports designated within the corresponding load-balancing rules.

So if I am not wrong, any other connection traversing the ACE module should be treated as a "simple" connection, as over any other layer 2/3 switch in a network, with the exception that the ACE is in charge of the routing for this network.

As I am not a hundred percent sure that there isn't a timer comparable to the xlate timeout on PIX or ASA for idle sessions, I thought maybe you have an idea.

Have a look at the attached textfile.

Thanks for reading

Roble

12 Replies

Roble Mumin
Level 3

Just found what I have been looking for.

Quote:

The seconds argument specifies the time period after which the ACE disconnects idle established connections. Enter an integer from 0 to 4294967294 seconds. The defaults are:

ICMP: 2 seconds

TCP: 3600 seconds (1 hour)

UDP: 120 seconds (2 minutes)

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080686bc5.html#wp1074289

Hi,

I cannot open those links. Not available.

I have a similar problem.

Oracle app servers behind the ACE open sessions to the database through the ACE back into the C6K VLAN. Those connections time out and app sessions are dropped.

I cannot find any option to change the TCP timeout parameters for TCP sessions that are not load balanced but just routed or bridged.

Regards

Metod

You can catch the connections opened by your servers with an ACL inside a class-map.

Then create a multi-match policy-map, use your class-map and set the connection parameter-map with the idle timeout value set to the value that you need.

Gilles.

Metod, did you ever have any luck with this? I'm running A2.1.3 and am running into the exact same problem.

I have even changed my TCP timeouts to 8 hours and still see odd connection drops.

Hi,

I have filtered out the hosts with an ACL. Here is the relevant part of the config.

----------------------------------
access-list ORADB line 8 extended permit tcp any

parameter-map type connection TIMEOUT
  set timeout inactivity 43200

class-map match-all APP_TO_ORADB
  2 match access-list ORADB

policy-map multi-match TCP_POLICY_ORADB
  class APP_TO_ORADB
    connection advanced-options TIMEOUT

interface vlan 220
  description SERVER site
  ...
  service-policy input TCP_POLICY_ORADB
  ...

Hi,

Good information, but I have a doubt.

I have an existing policy L3/L4 multi-match like the one below.

I would like to increase the inactivity timeout on every TCP connection. Can I nest the new class-map (match-all) into my policy-map, as shown below in bold?

Can this create problems for the existing policy?

Can you confirm that I can apply only one L3/L4 policy-map to the interface VLAN?

Is it necessary to remove and re-apply the policy to see the effect of the new timeout?

Thanks in advance

Best Regards

policy-map multi-match L4_VIP3_POLICY
  description Multi-Match VIPs on Vlan 18 to ServerFarms
  class L4-FARM-RDP
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-TOKYO
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-TOKYO
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
  class TCP-CLASS
    connection advanced-options TCP-PARAM

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 36000

class-map match-all TCP-CLASS
  match port tcp any

Hi,

It is quite some time since I was dealing with this problem, so my answer is not really accurate.

I think you can add an additional class/class-map definition into an existing policy-map without a problem.

As far as I remember you can put more policy-maps on the interface, but I am not sure, nor do I know how they are processed then.

I also think you don't need to remove it and reapply.

But if you want to change the connection timeout parameter for all connections, then the easiest way is to do it globally with the command

set timeout inactivity seconds.

You can find more details in the configuration guide:

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1074289

I hope this is somehow helpful

Best regards,

Metod

Yes. It should work once you apply the command.

Rgds,

Hi,

Thanks for your interest, I found the correct solution.

You can enter the parameter-map into the existing class-map if you want to change only the timeout of these connections, as shown below (OUTPUT1).

If you want to change the timeout for all sessions, you can add a class-map as indicated in OUTPUT2.

You can filter with an ACL, to select the correct traffic.

Regards

OUTPUT1

policy-map multi-match L4_VIP3_POLICY
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
    connection advanced-options TCP-PARAM
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
    connection advanced-options TCP-PARAM

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 86400

OUTPUT2

policy-map multi-match L4_VIP3_POLICY
  class TCP-CLASS
    connection advanced-options TCP-PARAM
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active

where:

parameter-map type connection TCP-PARAM
  set timeout inactivity 86400

class-map match-all TCP-CLASS
  match port tcp any
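The question that recurs through this thread is which connections a configured timeout actually reaches. As an added example (not from the thread or from Cisco), here is a Python checker that walks an ACE-style config from parameter-map through the policy-map classes to the interface service-policy and reports the effective TCP inactivity timeout per class, falling back to the 3600 s default where a class carries no connection parameter-map and ignoring policy-maps that are never applied to an interface. The sample config is constructed from OUTPUT2; the interface binding is an assumption, and the output of a real running-config would be fed in instead.

```python
DEFAULT_TCP_IDLE = 3600  # ACE default TCP inactivity timeout (1 hour), as quoted from the guide above

# Constructed sample modelled on OUTPUT2 in the thread; the interface binding is an assumption.
SAMPLE_CONFIG = """\
parameter-map type connection TCP-PARAM
  set timeout inactivity 86400
class-map match-all TCP-CLASS
  match port tcp any
policy-map multi-match L4_VIP3_POLICY
  class TCP-CLASS
    connection advanced-options TCP-PARAM
  class L4-FARM-RDP-NY
    loadbalance vip inservice
interface vlan 18
  service-policy input L4_VIP3_POLICY
"""

def parse_sections(config):
    """Group ACE config lines into (top-level command, [indented child lines]) pairs."""
    sections = []
    for raw in (l for l in config.splitlines() if l.strip()):
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections

def effective_tcp_timeouts(config):
    """Return {class_name: seconds} for each class of a policy-map bound to an interface; classes
    without a connection parameter-map keep the ACE default, unbound policy-maps are skipped."""
    pmaps, policies, bound = {}, {}, set()
    for head, body in parse_sections(config):
        name = head.split()[-1]
        if head.startswith("parameter-map type connection"):
            for line in body:
                if line.startswith("set timeout inactivity "):
                    pmaps[name] = int(line.split()[-1])
        elif head.startswith("policy-map multi-match"):
            classes, cur = {}, None
            for line in body:
                if line.startswith("class "):
                    cur = line.split()[1]
                    classes[cur] = None  # no parameter-map yet: the default applies
                elif cur and line.startswith("connection advanced"):  # full or abbreviated keyword
                    classes[cur] = line.split()[-1]
            policies[name] = classes
        elif head.startswith("interface "):
            bound.update(l.split()[-1] for l in body if l.startswith("service-policy input "))
    return {cls: pmaps.get(pmap, DEFAULT_TCP_IDLE) if pmap else DEFAULT_TCP_IDLE
            for pol, classes in policies.items() if pol in bound for cls, pmap in classes.items()}
```

Running it on the sample shows TCP-CLASS at 86400 s while L4-FARM-RDP-NY stays at the 3600 s default, which is the one-hour reset the thread started with.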

acharyr123
Level 3

Hi,

I was facing similar issues, where after 1 hr all sorts of connections used to get dropped. Please make the modifications below to avoid this scenario:

=========================================
parameter-map type connection TCP
  set timeout inactivity 86400

parameter-map type connection UDP
  set timeout inactivity 86400

policy-map multi-match TCP-UDP-TIMEOUTS
  class TCP-Connection
    connection advanced-options TCP
  class UDP-Connection
    connection advanced-options UDP

service-policy input TCP-UDP-TIMEOUTS

Plz rate if it helps...

aanelso1
Level 1

We saw a similar problem with Oracle connections on TCP port 1521. I believe that the following configuration only sets the TCP inactivity timeout for the sourced IP addresses and TCP port 1521 (either direction). Gilles, can you confirm?

parameter-map type connection TCP-IDLE
  set timeout inactivity 14400

class-map match-all REAL_SERVERS
  2 match source-address 10.15.4.0 255.255.255.0
  3 match port tcp eq 1521

policy-map multi-match TCP-INACTIVITY
  class REAL_SERVERS
    connection advanced-options TCP-IDLE

service-policy input TCP-INACTIVITY
