Cisco Support Community

Super Bronze

ASA-5585-X 8.4(6)5 Idle connections are not being removed according to timeout settings



Just a quick question if anybody has run into a bug where the ASA's "timeout" settings are not being applied to idle connections.


It seems that our ASA running the software level 8.4(6)5 is not tearing down connections. This mainly seems to be a problem in one Security Context where there are around 300k UDP connections (related to VOIP phones) that are not being torn down. Idle timers on the connections are going as far as 700 hours. Common to all the UDP connections is also the fact that only 19 bytes of data have been transmitted on the connection built on the firewall. I am not sure what the purpose of these UDP connections is, as both the source and destination ports are random high ports.


I was not able to find any Bug ID whose description would match the situation I am seeing. I did not see anything in the release notes of 8.4(7) or its interim release either that would list this kind of bug.


- Jouni
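One way to quantify the symptom described in the post above, as an added example that is not part of the original thread: a Python check that reads saved `show conn` output and lists connections whose idle timer exceeds the timeout for their protocol. The sample lines are constructed, the line layout is an assumption about the output format, and the timeout values are placeholders to replace with the context's configured `timeout` settings.

```python
import re
from collections import Counter

# Constructed sample in the style of ASA "show conn" output (not from the thread).
SAMPLE = """\
UDP outside 198.51.100.10:40211 inside 10.0.0.21:51344, idle 700:12:05, bytes 19, flags -
UDP outside 198.51.100.10:40212 inside 10.0.0.22:50122, idle 0:00:45, bytes 19, flags -
UDP outside 198.51.100.11:5060 inside 10.0.0.23:5060, idle 3:10:00, bytes 48211, flags -
TCP outside 203.0.113.5:443 inside 10.0.0.30:49822, idle 0:59:59, bytes 9120, flags UIO
"""

# Placeholder idle timeouts in seconds, keyed by protocol (assumed values).
TIMEOUTS = {"UDP": 120, "TCP": 3600}

# Assumed field layout: "idle H:MM:SS, bytes N" with an unbounded hour count.
IDLE = re.compile(r"idle\s+(\d+):(\d\d):(\d\d),\s+bytes\s+(\d+)")


def stale_connections(text, timeouts=TIMEOUTS):
    """Return (line, idle_seconds, byte_count) for entries idle past their timeout."""
    stale = []
    for line in text.splitlines():
        match = IDLE.search(line)
        if not match:
            continue  # header lines, blank lines, unknown formats
        limit = timeouts.get(line.split()[0].upper())
        if limit is None:
            continue  # protocol without a configured limit in this check
        hours, minutes, seconds, byte_count = map(int, match.groups())
        idle = hours * 3600 + minutes * 60 + seconds
        if idle > limit:
            stale.append((line.strip(), idle, byte_count))
    return stale


def byte_count_histogram(stale):
    """Count stale entries per byte total, to surface patterns such as 19-byte flows."""
    return Counter(byte_count for _, _, byte_count in stale)


if __name__ == "__main__":
    found = stale_connections(SAMPLE)
    for line, idle, _ in found:
        print(f"{idle / 3600:8.1f} h idle  {line}")
    print(byte_count_histogram(found).most_common(5))
```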

Cisco Employee


Hi Jouni,

This caveat seems to be the closest match as 8.4.6 is the affected ASA code.

Some connections may not be removed even after reaching idle timeout.

You can upgrade to the next stable ASA code as suggested in the referred document.



Dinesh Moudgil

P.S. Please rate helpful posts.



Super Bronze

Hi,

Sorry for the VERY late reply to your post :)


The BugID mentioned above is probably the problem in our case.


We will have to check what software level to upgrade to. One of the listed software versions we already tried previously with very bad results (ASA became nearly unusable). Seems we need to consider moving to some 9.x software level. Hopefully with fewer problems than we have had with the most recent 8.4(x) software levels.


- Jouni

Cisco Employee

Jouni,

I am glad I was able to help you. Moreover, the requirements for 8.X and 9.X are the same in terms of memory, so you can surely upgrade to 9.x, which caters to more features for VPN and non-VPN deployments.

Dinesh Moudgil
