ASA UDP timeouts not honoured

john
Level 1

Hi,

We have an issue with timeout values not working on Version 8.2(3) and Version 8.3(2).

timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02

asa# sh conn | include UDP  
UDP **** *.*.*.*:54631 **** *.*.*.*:161, idle 0:59:16, bytes 714, flags -
asa# sh conn | include ICMP
ICMP **** *.*.*.*:512 **** *.*.*.*:0, idle 0:55:39, bytes 66
The problem is that we have a huge number of sessions because of this.
Any ideas?
John
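The symptom above is that `show conn` reports idle times far beyond the `timeout udp` and `timeout icmp` values, which is why the connection table grows. As an added example (not from the original post or from Cisco), the script below parses the configured `timeout` line and `show conn` output and flags every connection whose idle time exceeds the global timer for its protocol, so the mismatch can be measured rather than eyeballed. The sample lines are constructed, modelled on the post's output with placeholder interface names and RFC 5737 addresses in place of the masked fields. It assumes the `h:mm:ss` idle format shown in the post and checks only the global timers; per-class `set connection timeout` under MPF, which is what the later reply asks about, would override them and is not modelled here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the lines quoted in the post.
# Interface names are placeholders and addresses are RFC 5737 documentation ranges.
TIMEOUT_LINE = "timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02"

SHOW_CONN = """\
UDP outside 192.0.2.10:54631 inside 198.51.100.5:161, idle 0:59:16, bytes 714, flags -
ICMP outside 192.0.2.10:512 inside 198.51.100.5:0, idle 0:55:39, bytes 66
UDP outside 192.0.2.11:40000 inside 198.51.100.5:53, idle 0:00:20, bytes 120, flags -
TCP outside 192.0.2.12:50000 inside 198.51.100.7:443, idle 0:05:00, bytes 9000, flags UIO
"""

# Which global timeout keyword governs each protocol in "show conn" output.
# TCP uses the generic "conn" timer; the half-closed timer is not modelled here.
PROTO_TIMER = {"UDP": "udp", "ICMP": "icmp", "TCP": "conn"}

# Shape assumed for a "show conn" line: PROTO if src if dst, idle h:mm:ss, bytes N[, flags ...]
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+\S+\s+(?P<src>\S+)\s+\S+\s+(?P<dst>\S+),"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+bytes\s+(?P<bytes>\d+)"
)


@dataclass
class Conn:
    proto: str
    src: str
    dst: str
    idle_s: int
    nbytes: int


def hms_to_seconds(value: str) -> int:
    """Convert an ASA h:mm:ss string to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(line: str) -> Dict[str, int]:
    """Parse a 'timeout ...' config line into {keyword: seconds}."""
    tokens = line.split()
    if not tokens or tokens[0] != "timeout":
        raise ValueError("not a timeout line")
    pairs = tokens[1:]
    if len(pairs) % 2:
        raise ValueError("timeout line has an unpaired keyword")
    return {pairs[i]: hms_to_seconds(pairs[i + 1]) for i in range(0, len(pairs), 2)}


def parse_show_conn(text: str) -> List[Conn]:
    """Parse 'show conn' lines; lines that do not match the expected shape are skipped."""
    conns: List[Conn] = []
    for raw in text.splitlines():
        m = CONN_RE.match(raw.strip())
        if m:
            conns.append(Conn(m["proto"], m["src"], m["dst"],
                              hms_to_seconds(m["idle"]), int(m["bytes"])))
    return conns


def find_overdue(conns: List[Conn], timeouts: Dict[str, int]) -> List[Tuple[Conn, int]]:
    """Return (conn, limit) for every connection idle longer than its global timer.

    A timer of 0 on the ASA means 'never time out', so such protocols are skipped.
    """
    overdue: List[Tuple[Conn, int]] = []
    for c in conns:
        key = PROTO_TIMER.get(c.proto)
        limit = timeouts.get(key, 0) if key else 0
        if limit and c.idle_s > limit:
            overdue.append((c, limit))
    return overdue


def overdue_counts(overdue: List[Tuple[Conn, int]]) -> Dict[str, int]:
    """Count overdue connections per protocol, to size the problem John describes."""
    counts: Dict[str, int] = {}
    for c, _ in overdue:
        counts[c.proto] = counts.get(c.proto, 0) + 1
    return counts


if __name__ == "__main__":
    limits = parse_timeouts(TIMEOUT_LINE)
    hits = find_overdue(parse_show_conn(SHOW_CONN), limits)
    for c, limit in hits:
        print(f"{c.proto} {c.src} -> {c.dst}: idle {c.idle_s}s exceeds {limit}s")
    print("overdue by protocol:", overdue_counts(hits))
```

Run it against a real `show conn` capture by replacing the constructed `SHOW_CONN` and `TIMEOUT_LINE` strings; a non-empty `overdue` list on a box with no MPF timeout overrides is the evidence to attach to a TAC case, and the per-protocol counts show whether the table growth is UDP, ICMP or both.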

3 Replies

mirober2
Cisco Employee

Hi John,

Can you post the output of the following commands:

'show run class-map'

'show run policy-map'

'show run service-policy'

'show run sysopt'

'show run flow-export'

We would want to check if you have any custom timeouts configured via MPF. Also, there is a bug with a combination of sysopt and flow-export commands that holds connections open forever. The above output would help us rule out both of these.

-Mike

Thanks Mike.

asa# show run class-map
!
class-map defaut
class-map global-class
 match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
 match not request method head
 match not request method get
class-map outside-class
 match access-list outside_mpc
!

asa# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 4096
policy-map global_policy
policy-map outside-policy
class outside-class
  set connection per-client-max 1024 per-client-embryonic-max 256
policy-map global-policy
class global-class
  inspect dns
  inspect ftp
  inspect icmp
  inspect icmp error
policy-map type inspect esmtp Custom
parameters
  no mask-banner
match MIME filename length gt 255
  drop-connection log
match sender-address length gt 320
  drop-connection log
match cmd RCPT count gt 100
  drop-connection log
match body line length gt 998
  log
match cmd line length gt 512
  drop-connection log
asa# show run service-policy
service-policy global-policy global
service-policy outside-policy interface outside
asa# show run sysopt
sysopt connection preserve-vpn-flows
asa# show run flow-export
asa#
John

mirober2
Cisco Employee

Hi John,

This seems to be a bug, so I would recommend opening up a TAC case so it can be investigated.

-Mike
