I have two separate Unix servers behind a CSS running v8.1. They are accessed via Content/Service rules from client workstations with a one to one mapping between the Content Rules/Services.
When we SSH to one server the SSH connection never times out. On the other server it seems to time out after about an hour.
I've shown I can resolve the ssh timeout on the "broken" server by setting a flow timeout multiplier of 0 for the appropriate content rule. The ssh connection is no longer timed out.
On the first server where ssh connections weren't timed out - I found that the tcp_keepidle and tcp_keep_intvl were set to much lower values (5mins for tcp_keepidle and 5 sec for tcp_keepintvl).
On the second server where the SSH connections timed out, the tcp_keepidle and tcp_keepintvl were set to much larger values of 2 hours and 75 sec respectively.
Armed with the information that the default tcp timeout for the CSS is 16 seconds - I'm struggling to explain how SSH connections to the first server don't timeout in the same way. Since the tcp_keepidle time on the server (which I believe to be the time between the connection becoming idle and the point at which the server begins to send keep-alives) is greater than the default CSS flow timeout.
Is there an internal "minimum flow lifetime" that the CSS respects?
This document will provide screenshots to outline the steps to setup
TACACS+ configuration to ACI and also the configuration required on
Cisco ACS server. Please find the official Cisco guide for configuring
TACACS+ Authentication to ACI:
Is it supported or NOT supported? It's a frequently asked question.
Before APIC, release 2.3(1f), transit routing was not supported within a
single L3Out profile. In APIC, release 2.3(1f) and later, you can
configure transit routing with a single L3Out pr...
Cisco Documents are usually accurate, but when it came to the document
on Cisco APIC Signature-Based Transactions it was slightly off the mark.
This document is for those novices to API like me who cant seem to
figure out how to go about performing signat...