
Service session timeout

pmago
Level 1

I believe there is a default 30 min TCP idle session timeout attached to every TCP service. There are features in other firewalls to increase this timeout or set it to None. Can we do the same in PIX/FWSM also?

Could you help me with commands to verify and increase the same?

Thanks

Prashant

7 Replies

srue
Level 7

I think you are looking for the timeout command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/t_72.html#wp1386607

sh run | inclu timeout

or

sh run timeout

Thanks for the good doc but this did not exactly solve my problem.

I am looking to increase service time-out.

So, let's say if I configure a new service, it should have a timeout of 300 min (5 hrs), instead of the default timeout of 30 min.

Not sure which command can help me do this.

Thanks

Prashant

Prashant,

The default TCP idle timeout is 1 hour. If you want to change it to 5 hrs use the command.

pixfirewall(config)# timeout conn 5:00:00

Here are your options as far as the timeout for different services is concerned:

pixfirewall(config)# timeout ?

configure mode commands/options:
  conn         Configure idle time after which a TCP connection state will
               be closed, default is 1:00:00
  h225         Configure idle time after which an H.225 signaling conn will
               be closed, default is 1:00:00
  h323         Configure idle time after which an H.323 control connection
               will be closed, default is 0:05:00
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  icmp         Configure idle timeout for ICMP, default is 0:00:02

HTH

Sundar

Thanks Sundar,

But I think if I use the command "timeout conn 5:00:00", it will change the timeout to 5 hours for all TCP connections. I want the timeout to be changed for a specific TCP service, for example for TCP port 3000, and for the rest it can remain the same.

Is there a way to set timeout for particular service?

Thanks

Prashant

"There are features in other firewalls to increase this timeout or set it to None."

You must be referring to either Checkpoint or Juniper firewalls. For example, you can create a telnet (TCP port 23) service and set the session timeout to, let's say, 6 hours, or you can create an ssh service and set the timeout to 10 minutes.

I've been trying to find this feature in Cisco PIX/ASA/FWSM as well but don't think it is possible.

CCIE Security

I see what you are asking. AFAIK I don't think in Cisco firewall you can configure timeout for services inside of TCP. It would be just a global timeout value for TCP.

Yes, this is what I am looking for, to change the timeout for particular service like ssh. I have seen it in Juniper Firewalls where we can easily modify the timeout or set it to none.

Thanks

Prashant
