Cisco Support Community

asa5520 - timeout issue

Hi

I have problems with my ASA5520 ver 7.2(4) - routed firewall. The problem is that the server behind the inside interface has timeouts when it talks to the server in front of the outside interface. The timeout problems include the server's batch job report system timing out, and the user SSH experience. The user SSH idle timeout seems to vary from time to time: 50 min, 2:30, and 3:30. It confuses me.

However, could I get some advice on which possible areas I should look into?

Any comments will be appreciated

Thanks in advance

julxu


Re: asa5520 - timeout issue

Hi julxu,

TCP timeouts will occur for ASA connections when no packets are seen for a configured idle time. The connection will be deleted from the ASA's connection table and subsequent packets will be dropped.

How to solve the issue:

Configure a traffic class describing the sessions which experience the problem.

Configure a policy action to extend the timeouts:

hostname(config)# class-map CONNS
hostname(config-cmap)# match [match-criteria]

hostname(config)# policy-map [policy-name]
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection timeout tcp 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd

hostname(config-pmap-c)# [other-policy-actions]

dcd is a nice option that sends TCP probes (0-segments) to test whether the connection is still valid before timing out.

Always remember that the first class that matches in a policy map decides the actions. So everything else, like inspection etc., should be added as additional policy actions.
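
Added example (not part of the reply above and not Cisco code): a small Python helper that reads captured `show conn` output and lists the TCP connections whose idle time is close to the idle timeout, which helps decide what the traffic class needs to match. The sample lines are constructed, the line layout is an assumption modelled on ASA 7.x output, and the 1:00:00 default is an assumption about the device's `timeout conn` setting.

```python
import re
from datetime import timedelta

# Constructed sample of `show conn` output (documentation-range addresses).
# The line layout is an assumption; adjust CONN_RE if your release differs.
SAMPLE_SHOW_CONN = """\
3 in use, 12 most used
TCP out 198.51.100.20:22 in 192.0.2.10:40112 idle 0:52:41 bytes 48211 flags UIO
TCP out 198.51.100.20:1521 in 192.0.2.10:40230 idle 0:00:03 bytes 9120433 flags UIO
TCP out 198.51.100.21:22 in 192.0.2.11:51877 idle 0:58:09 bytes 1302 flags UIO
"""

# TCP <label> <addr:port>[,] <label> <addr:port>[,] idle h:mm:ss ...
CONN_RE = re.compile(
    r"^TCP\s+\S+\s+(?P<a>\S+?),?\s+\S+\s+(?P<b>\S+?),?\s+"
    r"idle\s+(?P<idle>\d+:\d{1,2}:\d{1,2})"
)

def parse_hms(text):
    """Convert h:mm:ss (the notation `set connection timeout` uses) to a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def at_risk(show_conn_text, idle_timeout="1:00:00", margin="0:10:00"):
    """Return (endpoint_a, endpoint_b, idle, remaining) for each TCP connection
    within `margin` of `idle_timeout`, closest to removal first."""
    limit, slack = parse_hms(idle_timeout), parse_hms(margin)
    hits = []
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header line or non-TCP entry
        idle = parse_hms(m["idle"])
        remaining = limit - idle
        if remaining <= slack:
            hits.append((m["a"], m["b"], idle, remaining))
    return sorted(hits, key=lambda hit: hit[3])

if __name__ == "__main__":
    for a, b, idle, remaining in at_risk(SAMPLE_SHOW_CONN):
        print(f"{a} <-> {b}  idle {idle}  removed in {remaining}")
```

Re-running it with `idle_timeout="2:0:0"` shows how the same connections fare under the extended timeout from the policy above.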
