Cisco Support Community

flow permanent port on 11K

Curious if anyone has had issues with the flow permanent port configuration on the 11K.

We have a not-so-well-built application that seems to have issues with properly closing sessions (with FIN or RST). Therefore, the app owners want a permanent flow statement on the 11K. I have already used the flow-timeout multiplier statement 112, which is 30 minutes, but the app owners say they are still having issues.

My concern is that my load balancer will be affected if I use this flow permanent port setting and the app or client never closes the session.


Re: flow permanent port on 11K

Hi Scott,

The main concern when you use flow permanent or flow timeout multiplier is the starvation of resources on the CSS.

If you need to use these commands, you need to consider how the application behaves and what your clients' needs are before making a decision about how long the flow should be idle without the CSS recycling it.

For example, if your users need to be logged in during the whole day, you might want to configure the flow timeout to 8 hours, so the flows are clean by the end of the day.

Try not to use the flow permanent, as it is likely that flows would remain idle for long periods of time.

Using the flow timeout command on the content rule requires considering the number of users per day that hit that content rule and also, at least at the beginning of the deployment, requires that you monitor the CSS's CPU and available flows.

Thanks & Regards,

