Cisco ASA 5505 not dropping idle connections

c.householder · ‎02-13-2014

Hello,

I have an ASA 5505 version 8.0 (3). I have been having issues lately where I am showing many connections that have been idle for up to 7 hours but the ASA will not drop them. This is mainly an issue on the wireless side. I have set a time out of 5 minutes but the idle connections persist. It seems to be honoring the limit of 2000 connections but not the time out.

class-map CONNS

match any

policy-map CONNS

class CONNS

set connection conn-max 2000 embryonic-conn-max 2000

set connection timeout tcp 0:5:00

service-policy CONNS interface ****************

Basically, I just need to know what I'm missing. Thank you for any help.

Jouni Forss · ‎02-14-2014

Hi,

What is your "timeout" configuration globally?

show run timeout

Also you could check any active TCP connections on the ASA with the following command to see which timeout is applied to those connections

show conn long

The parameter "long" also adds some additional info to the output so you can see the "timeout" set for the connection etc.

I have tende to configure an ACL to match the traffic and attach the "class-map" to the global policy on my firewall.

- Jouni

c.householder · ‎02-14-2014

Hi,

This is my timeout config. I'm seeing that the 8:00:00 might be the problem. I checked the show conn long and they are taking from the right "timeout" set. I think I will configure an ACL to match the traffic and see if that helps as well.

timeout xlate 3:00:00

timeout conn 8:00:00 half-closed 8:00:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

Callie