Cisco Support Community
Community Member

TCP timeout config


I have to audit a PIX 515 to meet the below requirements. Can anyone please let me know what the config would look like or point me to the relevant docos to make the PIX compliant?



TCP Start Time Out must be set to 60 seconds.

TCP Session Time Out must be set to 3600 seconds.

TCP End Time Out must be set to 20 seconds.

UDP Time Out must be set to 40 seconds.

ICMP Time Out must be set to 30 seconds.

"Out of state" TCP, UDP and ICMP packets must be dropped and the associated error must be logged.


Re: TCP timeout config

Hello Scott,

I think you need to configure the following command to change these timeout values:

timeout {xlate | conn | udp | icmp | rpc | h225 | h323 | mgcp | mgcp-pat | sip | sip_media} hh:mm:ss

timeout uauth hh:mm:ss [absolute | inactivity]

The configuration guide describes everything with respect to this command:

The default values are also given... hence, for example, if you want to change the TCP session timeout value to 3600 secs, you need to use,

timeout xlate 1:0:0

Similarly you can tweak the values of the UDP and ICMP timers.

Hope this helps.. all the best.. rate replies if found useful..


Community Member

Re: TCP timeout config

Hi Raj,

Thanks for that. I suspected those commands but I cannot match up:

TCP Start Time

TCP End Time

And how do I set it to drop Out of state packets?



This is what we have at present.

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Re: TCP timeout config


I'm really not sure if there are specific commands to block out-of-state TCP.. I thought the PIX does this by default.. if there are no SYN messages for the TCP request, the PIX will not process the request.. anyway, the PIX might log it in the buffer, if you have configured it... check for "logging" commands on CCO and you can find a lot of info on this. You can also direct it to a syslog server if required....

Regarding TCP start/end time, no ideas mate :)
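
For anyone auditing the same way: an added example, not posted by anyone in this thread, that parses the "timeout" lines of a saved config and reports where they differ from the required values. The mapping of requirements to keywords (session = conn, end = half-closed) is this example's assumption; "TCP Start" is left out because the thread does not identify a keyword for it.

```python
import re

# Required values in seconds, taken from the audit requirements in the thread.
# Assumed mapping: TCP Session -> conn, TCP End -> half-closed.
REQUIRED = {"conn": 3600, "half-closed": 20, "udp": 40, "icmp": 30}

# Constructed sample input: the timeout lines posted in the thread.
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
"""

# One "keyword hh:mm:ss" pair; a timeout line can carry several of them.
PAIR = re.compile(r"([a-z0-9_-]+)\s+(\d+):(\d+):(\d+)")


def parse_timeouts(config):
    """Return {keyword: seconds} for every 'timeout' line in a config."""
    found = {}
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("timeout "):
            continue
        for key, h, m, s in PAIR.findall(line[len("timeout "):]):
            found[key] = int(h) * 3600 + int(m) * 60 + int(s)
    return found


def audit(config, required=REQUIRED):
    """Return (keyword, required, actual) for each mismatch.

    actual is None when the keyword is not set explicitly in the config,
    in which case the device default applies and must be checked by hand.
    """
    actual = parse_timeouts(config)
    return [(k, want, actual.get(k))
            for k, want in required.items() if actual.get(k) != want]


if __name__ == "__main__":
    for key, want, got in audit(SAMPLE_CONFIG):
        shown = "not set explicitly" if got is None else f"{got}s"
        print(f"timeout {key}: required {want}s, found {shown}")
```

The "out of state" drop-and-log requirement is not a timer and is not covered by this check.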

