Cisco Support Community
New Member

Service session timeout

I believe there is a default 30 min TCP idle session timeout attached with every TCP service. There are features in other firewalls to increase this timeout or set it to None. Can we do the same in PIX/FWSM also?

Could you help me with commands to verify and increase the same?

Thanks

Prashant

7 REPLIES
Gold

Re: Service session timeout

I think you are looking for the timeout command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/t_72.html#wp1386607

sh run | inclu timeout

or

sh run timeout

New Member

Re: Service session timeout

Thanks for the good doc but this did not exactly solve my problem.

I am looking to increase service time-out.

So, let's say I configure a new service; it should have a timeout of 300 min (5 hrs), instead of the default timeout of 30 min.

Not sure which command can help me do this.

Thanks

Prashant

Re: Service session timeout

Prashant,

The default TCP idle timeout is 1 hour. If you want to change it to 5 hrs, use the command:

pixfirewall(config)# timeout conn 5:00:00

Here are your options as far as the timeout for different services is concerned:

pixfirewall(config)# timeout ?

configure mode commands/options:
  conn         Configure idle time after which a TCP connection state will be closed, default is 1:00:00
  h225         Configure idle time after which an H.225 signaling conn will be closed, default is 1:00:00
  h323         Configure idle time after which an H.323 control connection will be closed, default is 0:05:00
  half-closed  Configure idle time after which a TCP half-closed connection will be freed, default is 0:10:00
  icmp         Configure idle timeout for ICMP, default is 0:00:02

HTH

Sundar

New Member

Re: Service session timeout

Thanks Sundar,

But I think if I use the command "timeout conn 5:00:00", it will change the timeout to 5 hours for all TCP connections. I want the timeout to be changed for a specific TCP service, for example for TCP port 3000, and for the rest it can remain the same.

Is there a way to set timeout for particular service?

Thanks

Prashant

Silver

Re: Service session timeout

"There are features in other firewalls to increase this timeout or set it to None."

You must be referring to either Checkpoint or Juniper firewalls. For example, you can create a telnet, tcp port 23, service and set the timeout session to, let's say, 6 hours, or you can create an ssh service and set the timeout to 10 minutes.

I've been trying to find this feature in Cisco Pix/ASA/FWSM as well but don't think it is possible.

CCIE Security

Re: Service session timeout

I see what you are asking. AFAIK, I don't think you can configure a timeout for services inside of TCP in a Cisco firewall. It would be just a global timeout value for TCP.

New Member

Re: Service session timeout

Yes, this is what I am looking for: to change the timeout for a particular service like ssh. I have seen it in Juniper firewalls, where we can easily modify the timeout or set it to none.

Thanks

Prashant
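
Added example, not posted by any participant in this thread: on PIX/ASA 7.x and later software, the Modular Policy Framework can apply a connection timeout to one class of traffic while the global "timeout conn" value stays unchanged. The ACL and class-map names below are hypothetical, TCP port 3000 is the port from the question, and the keyword after "set connection timeout" is assumed to be "tcp" as on 7.x releases (later releases use "idle"), so check the command reference for the release in use.

```text
! Added example. Names LONG_IDLE_ACL and LONG_IDLE_CLASS are hypothetical.
! Match only the service that needs the longer idle timeout (TCP/3000 here).
! Keep the ACL as narrow as possible: long-lived idle entries occupy the
! connection table, so restrict source/destination where you can.
access-list LONG_IDLE_ACL extended permit tcp any any eq 3000

class-map LONG_IDLE_CLASS
 match access-list LONG_IDLE_ACL

! Attach the class to the default global policy and raise the idle
! timeout for matching flows to 5 hours. Use "idle" instead of "tcp"
! on releases where the "tcp" keyword has been replaced.
policy-map global_policy
 class LONG_IDLE_CLASS
  set connection timeout tcp 5:00:00

! Present in the default configuration; shown for completeness.
service-policy global_policy global

! Verify: the global value is unchanged, and the class shows the override.
show run timeout
show service-policy
```

Flows that do not match LONG_IDLE_ACL keep the global "timeout conn" value, so the longer idle window applies only to the one service.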
