Cisco Support Community
Community Member

How to configure Traffic flow idle time-out with CSM

Hi,

I am looking for a way to define an idle timeout for specific flows on an ASA5580 by using Cisco Security Manager.

For example, I needed to define a specific idle timeout for connections between specific devices (Devices in vlan1, Device2 in vlan2).
To test it I made the following changes by CLI and it works fine.
    access-list L1 extended permit ip <@IP1> <mask1> host <@IP2>
    class-map CM1
        match access-list L1
    policy-map PM1
        class CM1
            set connection timeout idle 02:00:00

I tried to do the same configuration with CSM in order to be able to manage each change only by using CSM.
So I defined the access control list and the traffic flow, and then I defined the timeout in
CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules --> connections settings --> Traffic flow idle time-out.

The problem is that each time I deploy the configuration with CSM I lose the timeout config line, which is the most important for my application...

Can you help me?

Thanks, Murielle

1 ACCEPTED SOLUTION
Cisco Employee

Hi Murielle,

What version of ASA and CSM software are you running?

In 8.2(1) and lower, the ASA command was 'set connection timeout tcp'. In 8.2(2) and higher, the command syntax changed to 'set connection timeout idle'.

Depending on your CSM version, it may be trying to push the wrong version of the command and the ASA will reject it. You could push the correct syntax for the change in a Flex Config until your CSM server is upgraded to support the ASA version.

-Mike
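
The version rule from the answer above, combined with a check for the symptom in the question (the timeout line missing from the class after a deploy), as an added example that is not part of the original thread or of Cisco's tooling. The function names and the one-space-per-level indentation of the saved running-config text are assumptions, and the sample configs are constructed.

```python
import re

# From the answer above: 8.2(1) and lower use 'tcp', 8.2(2) and higher use 'idle'.
KEYWORD_CHANGE = (8, 2, 2)

def timeout_keyword(asa_version):
    """Map an ASA version string such as '8.3(2)' to the expected keyword."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)\d*", asa_version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {asa_version!r}")
    return "idle" if tuple(map(int, m.groups())) >= KEYWORD_CHANGE else "tcp"

def class_commands(running_config, policy_map, class_name):
    """Commands under 'class X' of 'policy-map Y'; None if the class is absent."""
    in_pm = in_class = False
    found = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # unindented line opens a new top-level block
            in_pm, in_class = line == f"policy-map {policy_map}", False
        elif in_pm and line.startswith("class "):
            in_class = line == f"class {class_name}"
            if in_class:
                found = []
        elif in_pm and in_class:
            found.append(line)
    return found

def check_idle_timeout(running_config, asa_version, policy_map, class_name, hhmmss):
    """Return 'ok', 'wrong-keyword' or 'missing' for the expected timeout line."""
    want = [int(p) for p in hhmmss.split(":")]   # numeric, so 2:00:00 == 02:00:00
    pat = r"set connection timeout\b.*?\b(tcp|idle) (\d+):(\d\d):(\d\d)"
    for cmd in class_commands(running_config, policy_map, class_name) or []:
        m = re.match(pat, cmd)
        if m and [int(g) for g in m.groups()[1:]] == want:
            return "ok" if m.group(1) == timeout_keyword(asa_version) else "wrong-keyword"
    return "missing"

# Constructed samples (not captured from a device): the policy from the question
# with the timeout line lost after a deploy, and the same policy as entered by CLI.
CONFIG_AFTER_DEPLOY = "class-map CM1\n match access-list L1\npolicy-map PM1\n class CM1\n"
CONFIG_CLI = CONFIG_AFTER_DEPLOY + "  set connection timeout idle 2:00:00\n"

if __name__ == "__main__":
    for name, cfg in (("cli", CONFIG_CLI), ("after deploy", CONFIG_AFTER_DEPLOY)):
        print(name, "->", check_idle_timeout(cfg, "8.3(2)", "PM1", "CM1", "02:00:00"))
```

Running it against a running-config saved after each CSM deployment flags the lost line before the application notices dropped connections.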

Community Member

Hi Mirober2

I'm using the following versions:

ASA5580 OS 8.3(2)

CSM 4.0.1

I will check how to use flex config...

Thanks for your answer

Murielle
