Cisco ASA 5505 not dropping idle connections

Hello,

I have an ASA 5505 version 8.0 (3).  I have been having issues lately where I am showing many connections that have been idle for up to 7 hours but the ASA will not drop them.  This is mainly an issue on the wireless side.  I have set a time out of 5 minutes but the idle connections persist.  It seems to be honoring the limit of 2000 connections but not the time out.

class-map CONNS
 match any
policy-map CONNS
 class CONNS
  set connection conn-max 2000 embryonic-conn-max 2000
  set connection timeout tcp 0:5:00
service-policy CONNS interface ****************

Basically, I just need to know what I'm missing.  Thank you for any help.

2 REPLIES

Hi,

What is your "timeout" configuration globally?

show run timeout

Also, you could check any active TCP connections on the ASA with the following command to see which timeout is applied to those connections:

show conn long

The parameter "long" also adds some additional info to the output so you can see the "timeout" set for the connection etc.

I have tended to configure an ACL to match the traffic and attach the "class-map" to the global policy on my firewall.

- Jouni
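
An added example, not part of the reply above and not Cisco code: a Python check that reads saved "show conn long" text and lists TCP connections whose applied timeout differs from the 0:05:00 policy value, or whose idle time already exceeds it. The sample output is constructed, and the "idle <dur>, ... timeout <dur>" field layout is an assumption that can vary by ASA release.

```python
import re

# Unit suffixes used in duration fields such as "39s", "1h0m", "1D0h".
_UNITS = {"D": 86400, "h": 3600, "m": 60, "s": 1}
# Assumed layout: "..., idle <dur>, uptime <dur>, timeout <dur>, ..."
_FIELD = re.compile(r"\b(idle|timeout)\s+([\dDhms:]+)")

def parse_duration(text):
    """Convert '7h2m', '39s', '1D0h' or '0:05:00' to seconds."""
    if ":" in text:
        secs = 0
        for part in text.split(":"):
            secs = secs * 60 + int(part)
        return secs
    parts = re.findall(r"(\d+)([Dhms])", text)
    if not parts:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def audit(show_conn_long, policy_timeout="0:05:00"):
    """Return (endpoints, idle_s, timeout_s) for TCP entries outside the policy."""
    limit = parse_duration(policy_timeout)
    findings = []
    for line in show_conn_long.splitlines():
        line = line.strip()
        if not line.startswith("TCP "):
            continue
        fields = dict(_FIELD.findall(line))
        if "idle" not in fields or "timeout" not in fields:
            continue
        idle = parse_duration(fields["idle"])
        applied = parse_duration(fields["timeout"])
        # Flag a connection using some other timeout, or idle past the limit.
        if applied != limit or idle > limit:
            findings.append((line.split(",")[0], idle, applied))
    return findings

# Constructed sample text (documentation address ranges), not real device output.
SAMPLE = """\
TCP outside:198.51.100.7/443 (198.51.100.7/443) inside:192.168.10.21/51544 (203.0.113.2/51544), flags UIO, idle 7h2m, uptime 7h9m, timeout 8h0m, bytes 48211
TCP outside:198.51.100.9/80 (198.51.100.9/80) inside:192.168.10.34/49822 (203.0.113.2/49822), flags UIO, idle 41s, uptime 3m12s, timeout 5m0s, bytes 9120
UDP outside:198.51.100.53/53 (198.51.100.53/53) inside:192.168.10.21/60112 (203.0.113.2/60112), flags -, idle 12s, uptime 12s, timeout 2m0s, bytes 96
"""

if __name__ == "__main__":
    for conn, idle, applied in audit(SAMPLE):
        print(f"{conn}: idle {idle}s, applied timeout {applied}s")
```

An entry reported with an applied timeout of 28800 seconds is using the global "timeout conn 8:00:00" value rather than the policy-map setting.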

Hi,

This is my timeout config.  I'm seeing that the 8:00:00 might be the problem.  I checked the show conn long and they are taking from the right "timeout" set.  I think I will configure an ACL to match the traffic and see if that helps as well.

timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 8:00:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

Callie
