Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

asa UDP timeout's not honoured

Hi,

We have an issue with timeout values not working Version 8.2(3)  and Version 8.3(2)

timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02

asa# sh conn | include UDP  
UDP **** *.*.*.*:54631 **** *.*.*.*:161, idle 0:59:16, bytes 714, flags -
asa# sh conn | include ICMP
ICMP **** *.*.*.*:512 **** *.*.*.*:0, idle 0:55:39, bytes 66
The problem being we have a huge number sessions because of this.
Any ideas ?
John

  • Firewalling
3 REPLIES
Cisco Employee

Re: asa UDP timeout's not honoured

Hi John,

Can you post the output of the following commands:

'show run class-map'

'show run policy-map'

'show run service-policy'

'show run sysopt'

'show run flow-export'

We would want to check if you have any custom timeouts configured via MPF. Also, there is a bug with a combination of sysopt and flow-export commands that hold connections open forever. The above output would help us rule out both of these.

-Mike

New Member

Re: asa UDP timeout's not honoured

Thanks Mike.

aasa# show run class-map

!

class-map defaut

class-map global-class

match default-inspection-traffic

class-map type inspect http match-all asdm_high_security_methods

match not request method head

match not request method get

class-map outside-class

match access-list outside_mpc

!

asa#  show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 4096
policy-map global_policy
policy-map outside-policy
class outside-class
  set connection per-client-max 1024 per-client-embryonic-max 256
policy-map global-policy
class global-class
  inspect dns
  inspect ftp
  inspect icmp
  inspect icmp error
policy-map type inspect esmtp Custom
parameters
  no mask-banner
match MIME filename length gt 255
  drop-connection log
match sender-address length gt 320
  drop-connection log
match cmd RCPT count gt 100
  drop-connection log
match body line length gt 998
  log
match cmd line length gt 512
  drop-connection log
asa# show run service-policy
service-policy global-policy global
service-policy outside-policy interface outside
asa# show run sysopt
sysopt connection preserve-vpn-flows
asa# show run flow-export
asa#
John

Cisco Employee

Re: asa UDP timeout's not honoured

Hi John,

This seems to be a bug, so I would recommend opening up a TAC case so it can be investigated.

-Mike

1548
Views
0
Helpful
3
Replies