We currently use a cut-through proxy-like feature on Juniper SSG firewalls for our guest wireless network that allows a seven day (168 hour) timeout, which matches the DHCP lease time. This extended time is not a problem with the SSG since it maintains an auth table completely separate from the NAT/xlate table.
I'm trying to implement the same function on an ASA 5520 failover pair, however I'm very reluctant to set 'timeout uauth 168:0:0 absolute' because I would be required to set 'timeout xlate 168:0:0' as well. I'm concerned that setting the xlate timeout that high would invite xlate table overruns and intermittent DOS through the firewall.
Is there any way to set the cut-through uauth timeout higher (or use a similar authentication function) without increasing the system-wide xlate timeout to match? If not, are my concerns about setting the xlate timeout so high valid? The ASAs are pretty highly utilized overall.
Correct me if I am wrong, but you can change only the timeout for the uauth without actually having to change the xlate timeout. This would make the firewall maintain the uauth table for the amount of time you configure... the only thing that is not going to happen is that when your users go out to the internet they won't be prompted for username and password...
I wish that were the case. When I try to set uauth timeout to 168 hours, I get an error because my xlate timeout is set much lower. It appears to me that the uauth timeout is directly linked to the xlate timeout. I'm looking for a way to handle user authentication without setting the system-wide xauth timeout so high.
fw-bv-1(config)# timeout uauth 168:0:0 absolute
uauth timeout 168:00:00 cannot be greater than the xlate timeout 0:30:00
Usage: timeout [xlate|conn|udp|icmp|sunrpc|h323|mgcp|sip|sip_media|uauth [...]]
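The error above encodes the rule the ASA enforces: the uauth timeout may not exceed the xlate timeout, both given as hh:mm:ss. The following is an added example, not part of this thread or of any Cisco tool, that checks a pasted "timeout" config fragment for that constraint before it is pushed, and also flags an xlate timeout raised above the ASA default of 3:00:00, since a long xlate timeout is exactly the table-growth concern raised in the question. The config text is constructed for illustration; the ASA returns a similar message at the CLI but does not tell you in advance of the push.

```python
import re

# Constructed sample: a fragment of ASA running-config such as 'show running-config timeout'
# would print. Values are illustrative and mirror the thread (xlate 0:30:00, uauth 168 hours).
SAMPLE_CONFIG = """\
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout uauth 168:0:0 absolute
"""

# Only the two timers that interact here are parsed; hours may be any width, as in 168:0:0.
TIMEOUT_RE = re.compile(r"^\s*timeout\s+(xlate|uauth)\s+(\d+):(\d{1,2}):(\d{1,2})", re.M)

# ASA factory default for the xlate timer (3 hours); used when the config omits the line.
DEFAULT_XLATE = 3 * 3600


def to_seconds(h, m, s):
    """Convert an hh:mm:ss triple to seconds."""
    return int(h) * 3600 + int(m) * 60 + int(s)


def fmt(seconds):
    """Render seconds back in the ASA's h:mm:ss style for messages."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}:{m:02d}:{s:02d}"


def parse_timeouts(config):
    """Return {name: seconds} for the xlate and uauth timeout lines found in config."""
    return {name: to_seconds(h, m, s) for name, h, m, s in TIMEOUT_RE.findall(config)}


def check_timeouts(config):
    """Return a list of findings (strings); an empty list means the fragment is acceptable.

    Finding 1: uauth > xlate, which the ASA rejects outright (the error in the thread).
    Finding 2: xlate raised above the 3:00:00 default, worth a second look on a busy box.
    """
    timers = parse_timeouts(config)
    xlate = timers.get("xlate", DEFAULT_XLATE)
    uauth = timers.get("uauth")
    findings = []
    if uauth is not None and uauth > xlate:
        findings.append(
            f"uauth {fmt(uauth)} exceeds xlate {fmt(xlate)}: the ASA will reject this command"
        )
    if xlate > DEFAULT_XLATE:
        findings.append(
            f"xlate {fmt(xlate)} is above the 3:00:00 default: idle translations are held longer"
        )
    return findings


if __name__ == "__main__":
    for line in check_timeouts(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against the output of "show running-config timeout" copied from the device; any finding that begins with "uauth" is the condition that produced the error quoted above, and raising xlate to silence it produces the second finding instead.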