About pix's type of connections.

xbw
Level 1

Does the PIX have different connection types? For example: constant (long) connections and short connections according to application type. How can I configure this?

5 Replies

m.mcconnell
Level 1

There are timers that PIX maintains for certain connection parameters. These can be found near the bottom of the config but I have to warn you - unless you understand the security implications do not try to change these without working with TAC.

Additionally, the PIX is stateful and watches all sessions through it. When a TCP session closes it closes the connection through the firewall so there is no real need to change any of the timers. Also, I have only worked in one or two environments where I needed to change the default timers on the PIX so that the PIX was friendly with applications that had long connection times. Do you have an application in your environment that has exceptionally long connection times that are being dropped by the PIX?

-Mark

Yes, I have some applications in my environment that have exceptionally long connection timers that are being dropped by the PIX. Please tell me how to configure the long connections based on different applications.

You want to look at the timeout command. This link is for the timeout command in 6.3(x):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093

Sounds like the parameter you need to adjust is the "conn" parameter. The environments where I have usually needed to adjust this are those where webservers have a long-lived connection to backend database servers.

-Mark

I also would like to add that this timer is a global setting and it cannot be changed for a particular host or connection. With that in mind it is probably a good idea to try and not use an all zeros setting. Try upping the timer a little at a time.

In one environment I worked in it looked like this parameter was the culprit when actually the application needed to be tuned to work with a firewall. In your environment the application may need to have a keepalive enabled or be configured to restart its connection every so often.

-Mark

Which concrete configuration can I configure? Or give me an example according to your experience. Thank you.
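The application-side keepalive suggested earlier in the thread, as an added example that is not part of the original posts: it derives TCP keepalive timings from the firewall's idle timeout and applies them to one socket, so the global `timeout conn` value can stay where it is. The one-hour timeout, the function names and the 50% safety margin are assumptions; substitute the value from your own configuration.

```python
import socket
import sys

# Assumption: the firewall drops idle TCP connections after one hour.
# Replace with the value from the `timeout conn` line of your own config.
FIREWALL_CONN_TIMEOUT_S = 3600

def keepalive_plan(fw_idle_s, probes=5, safety=0.5):
    """Pick keepalive timings that put traffic on the wire before the
    firewall's idle timer for the connection expires."""
    if fw_idle_s <= 0:
        raise ValueError("firewall idle timeout must be a positive number of seconds")
    idle = max(1, int(fw_idle_s * safety))        # first probe at half the timeout
    # Fit all retry probes into the time that is left, so a dead peer is
    # noticed before the firewall would have removed the connection entry.
    interval = max(1, (fw_idle_s - idle) // (probes + 1))
    return {"idle": idle, "interval": interval, "probes": probes}

def enable_keepalive(sock, plan):
    """Turn on TCP keepalive for one socket and apply the plan's timings."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):           # Linux
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, plan["idle"])
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, plan["interval"])
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, plan["probes"])
    elif sys.platform == "darwin":                # macOS calls the idle option TCP_KEEPALIVE
        opt = getattr(socket, "TCP_KEEPALIVE", 0x10)
        sock.setsockopt(socket.IPPROTO_TCP, opt, plan["idle"])
    elif hasattr(socket, "SIO_KEEPALIVE_VALS"):   # Windows takes milliseconds
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, plan["idle"] * 1000, plan["interval"] * 1000))
    return sock

if __name__ == "__main__":
    plan = keepalive_plan(FIREWALL_CONN_TIMEOUT_S)
    s = enable_keepalive(socket.socket(socket.AF_INET, socket.SOCK_STREAM), plan)
    print(plan, "SO_KEEPALIVE =", s.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))
    s.close()
```

Call `enable_keepalive` on the socket before connecting it to the backend; database drivers that create their own sockets usually expose equivalent keepalive settings in their connection options.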
