We have an application (client - database) that doesn't do well with the 1 hour connection idle timeout (TCP conn).
The setting is global and much has been made about adjusting that timeout. Very hesitant to extend it (they will not be happy until they can leave the app open forever...) to, say, 4 hours. Reason: connection counts, DoS, etc.
However, our max conn count is not anywhere near the max of 280,000.
Has anybody else out there gone through this? Any "guidelines" or thoughts on adjusting the TCP timeout? (Note: not on ver 7 - so can't do the virtual FW thing yet.)
We went through the same thing. We have Oracle ERP apps here and some of the connections need much longer than an hour. In the end we put an unlimited timeout on the backend database firewalls and a 3 hour timeout on the front-end firewalls (protecting the application mid-tiers).
I emphasise that these were internal firewalls and not internet facing; otherwise I would not have considered it.
So far we are okay: we are nowhere near the max conns limit, and the vast majority of connections are closed down normally anyway, so we are not experiencing any resource issues (max conns, CPU, etc.).
I believe in v7.0 that you can apply per flow settings which would be much better in that you can tie down the timeouts to just the server to server connections needed.
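For reference, this is what the per-flow approach looks like on ASA 7.0 or later, written as an added illustration rather than config taken from either poster. It keeps the global idle timeout at the 1 hour default and raises it only for the specific client-to-database flow, using the Modular Policy Framework (class-map / policy-map / service-policy). The hosts, port and names (APP_TO_DB, DB_LONG_IDLE) are placeholders assumed for the example; substitute your own mid-tier and database addresses.

```cisco
! Global idle timeout stays at the default: any idle TCP connection
! that does not match a more specific policy is torn down after 1 hour.
timeout conn 1:00:00

! Match only the traffic that genuinely needs a long idle life:
! the application mid-tier (placeholder 10.1.1.10) talking to the
! Oracle listener on the database host (placeholder 10.1.2.20, TCP 1521).
access-list APP_TO_DB extended permit tcp host 10.1.1.10 host 10.1.2.20 eq 1521

class-map DB_LONG_IDLE
 match access-list APP_TO_DB

! Attach the longer idle timeout to that class only. 3:00:00 mirrors the
! front-end value from the reply above; 0:00:00 would mean "never time out",
! which is the unlimited setting used on the backend firewalls.
! Note: on 7.0 through 8.1 the keyword is "set connection timeout tcp",
! renamed to "idle" in later releases.
policy-map global_policy
 class DB_LONG_IDLE
  set connection timeout idle 3:00:00

! Apply globally (or replace "global" with "interface <name>" to scope it).
service-policy global_policy global
```

Verify the result with `show service-policy` (the class should show matching packets) and `show conn detail` for an established database session, whose remaining timeout should reflect the 3 hour value while ordinary connections keep the 1 hour default.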