Cisco Support Community
Community Member

timeout conn

The default idle time for a connection on a Cisco ASA is 1 hour, as denoted by the timeout conn command. The ASA then closes the connection.

What I wish to know is how does the ASA close the idle connection? Does it send a reset to each end of the connection, or only one end, or does it send a reset at all?

Does anyone know what the ASA actually does to close the idle connection?




Re: timeout conn

The ASA silently drops connections for which the idle timeout timer has expired.

This default behavior can be changed using Modular Policy Framework.

Check out the "set connection timeout" command in the command reference:

There is a "reset" argument that can be used to send a RST in both directions when the idle timer expires.

Syed Iftekhar Ahmed
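
The Modular Policy Framework change described in the reply above, sketched as an added example that is not part of the original post. The ACL name, class-map name and the address 192.0.2.10 are constructed placeholders, and the sketch assumes a release where the timeout keyword is `idle` (older releases use `tcp`), so check the command reference for your version.

```cisco
! Constructed example: match only the traffic whose idle timeout
! behaviour should change (placeholder server 192.0.2.10, TCP/1433).
access-list IDLE_RESET_ACL extended permit tcp any host 192.0.2.10 eq 1433

class-map IDLE_RESET_CLASS
 match access-list IDLE_RESET_ACL

! Default behaviour: on idle expiry the entry is removed from the
! connection table and neither endpoint is told.
! With "reset", the ASA sends a RST in both directions when the
! idle timer expires, so both endpoints learn the session is gone.
policy-map global_policy
 class IDLE_RESET_CLASS
  set connection timeout idle 1:00:00 reset

service-policy global_policy global

! Verification after applying:
!   show service-policy          (confirms the class and its timeout setting)
!   show conn address 192.0.2.10 (shows idle time for live entries)
```

Without the `reset` argument an endpoint can keep a socket open that the firewall no longer tracks, and its next packet on that socket is dropped because it matches no existing connection entry.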

Community Member

Re: timeout conn

Ah, I see, so I can set it to send resets in both directions.

You wrote the ASA silently drops the connection; what do you mean by that? Do you mean the ASA doesn't do anything, it just drops the connection from its own connection table?

Thanks for the help, just trying to get my head round what the ASA does as we have a connection which seems to be only reset one end after the idle time, when the connection is re-established the other end it seems to just disappear?



Re: timeout conn

As per my knowledge, no resets are sent by the ASA on either side (unless configured using MPF) when a connection times out.

So yes, it simply deletes the connection entry from its connection table.

Syed Iftekhar Ahmed
