New Member

Cut-through Proxy uauth timeout question

We currently use a cut-through proxy-like feature on Juniper SSG firewalls for our guest wireless network that allows a seven day (168 hour) timeout, which matches the DHCP lease time.  This extended time is not a problem with the SSG since it maintains an auth table completely separate from the NAT/xlate table. 

I'm trying to implement the same function on an ASA 5520 failover pair, however I'm very reluctant to set 'timeout uauth 168:0:0 absolute' because I would be required to set 'timeout xlate 168:0:0' as well.  I'm concerned that setting the xlate timeout that high would invite xlate table overruns and intermittent DOS through the firewall.

Is there any way to set the cut-through uauth timeout higher (or use a similar authentication function) without increasing the system-wide xlate timeout to match?  If not, are my concerns about setting the xlate timeout so high valid?  The ASAs are pretty highly utilized overall.

Thanks,


Jim

2 REPLIES
Cisco Employee

Re: Cut-through Proxy uauth timeout question

Hello Jim,

Correct me if I am wrong, but you can change only the timeout for the uauth without actually having to change the xlate timeout. This would make the firewall maintain the uauth table for the amount of time you configure... the only thing that is not going to happen is that when your users go out to the internet they won't be prompted for username and password...

Hope this makes sense.

Mike

New Member

Re: Cut-through Proxy uauth timeout question

Hi Mike,

I wish that were the case.  When I try to set uauth timeout to 168 hours, I get an error because my xlate timeout is set much lower.  It appears to me that the uauth timeout is directly linked to the xlate timeout.  I'm looking for a way to handle user authentication without setting the system-wide xauth timeout so high.

fw-bv-1(config)# timeout uauth 168:0:0 absolute
uauth timeout 168:00:00 cannot be greater than the xlate timeout 0:30:00
Usage: timeout [xlate|conn|udp|icmp|sunrpc|h323|mgcp|sip|sip_media|uauth [...]]

fw-bv-1# sri ^timeout
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

Thanks,

Jim
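Added example, not from the thread or from Cisco: a small Python pre-check that parses the "sri ^timeout" output Jim pasted and applies the rule the ASA enforced in his error message (uauth cannot be greater than xlate), so a proposed uauth value can be evaluated before it is pushed to a busy failover pair. The sample config is the thread's own output embedded as a constant; the function names are assumptions.

```python
import re

# Constructed sample: the "show run | include ^timeout" output quoted
# in Jim's reply, embedded inline so the check runs offline.
SAMPLE_TIMEOUT_CONFIG = """\
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
"""

HMS = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2})$")


def hms_to_seconds(value):
    """Convert an ASA h:mm:ss timeout ('168:0:0', '0:30:00') to seconds."""
    m = HMS.match(value)
    if not m:
        raise ValueError("not an h:mm:ss timeout: %r" % value)
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(text):
    """Map each timeout keyword to seconds. Several keywords may share one
    'timeout' line; the absolute/inactivity qualifier that follows uauth
    is stored separately under 'uauth_mode'."""
    timeouts = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "timeout":
            continue
        i = 1
        while i < len(tokens):
            name = tokens[i]
            if name in ("absolute", "inactivity"):
                timeouts["uauth_mode"] = name
                i += 1
                continue
            timeouts[name] = hms_to_seconds(tokens[i + 1])
            i += 2
    return timeouts


def uauth_change_allowed(config_text, requested_uauth):
    """True if 'timeout uauth <requested_uauth>' would be accepted, i.e. it
    does not exceed the xlate timeout currently in the running config."""
    current = parse_timeouts(config_text)
    return hms_to_seconds(requested_uauth) <= current["xlate"]
```

Run against Jim's config, a request for 168:0:0 is rejected (xlate is 0:30:00) while 0:30:00 passes, which is exactly the behaviour his console output shows.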
