
How to Disable the idle timeout for the firewall

Dear All,

We have an application server on a normal VLAN and a database server on the DMZ. Users are facing the problem mentioned below, and the Oracle team has given the solution mentioned below.

CAN ANYONE GUIDE ME HOW TO ACHIEVE THIS?

-- Problem Statement:

OmniPortlets fail after some inactivity with the following error in the browser in place of the portlet:

Error: Call to execute Data Source failed.

-------------------------------

The procedures on the Portal database use a database link to connect to a remote database to fetch the data.

The Portal database is in the DMZ zone together with the infrastructure and middle tier.

The remote database with the actual data is in the secure intranet zone so there is a firewall between the 2 databases.

A refresh of the page solves the problem.

-- Business Impact:

As a result some early users may see an error when first accessing the page with such OmniPortlet.

A refresh of the page solves the problem.

-------------------------------------

Cause

The firewall closes connections at a regular interval.

If a firewall closes the database connection between OmniPortlet and the remote database, then OmniPortlet is not aware of this event and it tries to reuse the connection which causes the error.

--------------------------

Solution

To implement the solution, please execute the following steps:

1. Disable the idle timeout for the firewall, or increase the value of the timeout, so it is unlikely to close the connection.

Thanks,

Raj

Accepted Solutions

Re: How to Disable the idle timeout for the firewall

Hi Raj

Yes, we had the same problem with some of our Oracle applications. For some reason they cannot do keepalives down their connections so Oracle's answer is to increase timeout on firewalls.

On Pix v6.x you can use the following

firewall(config)#timeout conn 3:00:00

That will increase the idle timeout to 3 hours. If you want to set it unlimited then you can use

firewall(config)#timeout conn 0:00:00

Be aware that with PIX v6.x this is a global setting, i.e. it affects all connections.

With Pix v7.x you can be more granular and tie it down to just the relevant connections.

HTH

Jon

Re: How to Disable the idle timeout for the firewall

Hi Jon:

Many thanks for your prompt reply. I have applied the config, and will be waiting for the response from the Oracle guy.

Hope this works out.

Can you paste any links related to this?

*************PIX Config****************

timeout xlate 3:00:00

timeout conn 3:00:00 half-closed 1:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

*************************

What will be the command if we use IOS 7.0?

Thanks,

Raj

Re: How to Disable the idle timeout for the firewall

Hi Raj

The command is the same as in v6.x but it will apply globally to the firewall as in 6.x. If you want to be more granular you need to apply a class map to the connection.

You have increased your timeout to 3 hours. This may be okay but in our production environment we had to completely disable the timeout, i.e.

timeout conn 0:00:00

to get the apps to work properly.

HTH

Jon
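
The granular PIX 7.x approach mentioned in the replies above, shown next to the global setting, as an added example that is not from the thread's posters. With the global form every idle or dead TCP connection through the firewall stays in the connection table; the scoped form exempts only the database link. The host addresses, the 1521 listener port, the interface name dmz and the object names are assumptions.

```cisco
! Constructed example: all addresses, names and the port are placeholders.
!   192.0.2.10    = Portal database host in the DMZ (assumed)
!   198.51.100.20 = remote database in the intranet zone (assumed)
!   1521          = Oracle listener port used by the database link (assumed)
!   dmz           = nameif of the interface the link traffic enters on (assumed)

! --- Global form from the thread: no TCP connection ever idles out ---
timeout conn 0:00:00

! --- Scoped form (PIX 7.x): keep a finite global idle timeout ... ---
timeout conn 1:00:00

! ... and match only the database link from the Portal DB to the remote DB
access-list ORACLE_DBLINK extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 1521

class-map ORACLE_DBLINK_CLASS
 match access-list ORACLE_DBLINK

! Disable the idle timeout for the matched flow only
policy-map ORACLE_DBLINK_POLICY
 class ORACLE_DBLINK_CLASS
  set connection timeout tcp 0:00:00

! Apply the policy on the interface where the link is initiated
service-policy ORACLE_DBLINK_POLICY interface dmz
```

`show conn` lists the connection table with each entry's idle time, and `show service-policy` shows whether traffic is matching the class.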
