02-13-2014 03:40 PM - edited 03-11-2019 08:45 PM
Hello,
I have an ASA 5505 version 8.0 (3). I have been having issues lately where I am showing many connections that have been idle for up to 7 hours but the ASA will not drop them. This is mainly an issue on the wireless side. I have set a time out of 5 minutes but the idle connections persist. It seems to be honoring the limit of 2000 connections but not the time out.
class-map CONNS
 match any
policy-map CONNS
 class CONNS
  set connection conn-max 2000 embryonic-conn-max 2000
  set connection timeout tcp 0:5:00
service-policy CONNS interface ****************
Basically, I just need to know what I'm missing. Thank you for any help.
02-14-2014 01:27 AM
Hi,
What is your "timeout" configuration globally?
show run timeout
Also you could check any active TCP connections on the ASA with the following command to see which timeout is applied to those connections
show conn long
The parameter "long" also adds some additional info to the output so you can see the "timeout" set for the connection etc.
I have tended to configure an ACL to match the traffic and attach the "class-map" to the global policy on my firewall.
- Jouni
02-14-2014 07:33 AM
Hi,
This is my timeout config. I'm seeing that the 8:00:00 might be the problem. I checked the show conn long and they are taking from the right "timeout" set. I think I will configure an ACL to match the traffic and see if that helps as well.
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 8:00:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
Callie
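The ACL-based variant Jouni suggests, written out as an added example (not configuration from either poster): a class-map that matches only the wireless subnet via an ACL, attached to the ASA's default global_policy, with the 8:00:00 global TCP idle timeout lowered. The subnet, ACL and class names are made up; 8.0(3) still uses the "timeout tcp" keyword shown in the original post (later releases renamed it "idle").

```text
! Global fallback for connections that match no class (assumed values; the
! thread shows 8:00:00, which is what keeps unmatched idle sessions alive)
timeout conn 1:00:00 half-closed 0:10:00

! Only the wireless subnet (constructed example subnet) gets the short timeout
access-list WIRELESS_HOSTS extended permit ip 192.168.10.0 255.255.255.0 any

class-map WIRELESS_CONNS
 match access-list WIRELESS_HOSTS

! Add the class to the default global policy instead of a per-interface policy
policy-map global_policy
 class WIRELESS_CONNS
  set connection conn-max 2000 embryonic-conn-max 2000
  set connection timeout tcp 0:05:00

! Present by default on the ASA; shown here so the attachment point is explicit
service-policy global_policy global
```

Verify that the class is actually matching with "show service-policy", then confirm the per-connection value with "show conn long" as described above.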