Cisco Support Community
Community Member

connection specific TCP timeouts

Hello all,

I have a problem at a customer who is using a failover ASA 5510 pair with SSM-CSC-10-K9 modules.

The clients have to connect to a webserver where they are doing some calculations.

If they prepare everything and want to calculate everything, which takes some time, the session times out after about 3 minutes.

My first idea was to set session-specific timeouts which are a bit longer than the normal ones, but this setting did not work.

I created a policy which did not work for me.

Does somebody have a conclusion for me on how to set connection-specific timeouts?

Policy which did not work:

      access-list global_mpc_1 line 1 extended permit tcp object-group NET_Group_RFC1918 object H_EXT_Xeditor eq http
      class-map Xeditor
        match access-list global_mpc_1
      policy-map global_policy
        class Xeditor
          inspect http
          set connection timeout embryonic 0:10:00 half-closed 0:10:00 idle 1:00:00 reset dcd 0:15:00 5


timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect ftp
  inspect dns
 class global-class
  csc fail-open
  set connection timeout embryonic 0:10:00 idle 1:00:00 reset dcd 0:15:00 5

Cisco Employee

For how long will the connection be there idle?


Community Member

In a capture of this traffic we've seen return traffic after about 90 seconds. We already raised the timeout for pat-xlate to 2 minutes, but that also does not work.

Cisco Employee

90 seconds after the first SYN?

