There are timers that PIX maintains for certain connection parameters. These can be found near the bottom of the config but I have to warn you - unless you understand the security implications do not try to change these without working with TAC.
Additionally, the PIX is stateful and watches all sessions through it. When a TCP session closes it closes the connection through the firewall so there is no real need to change any of the timers. Also, I have only worked in one or two environments where I needed to change the default timers on the PIX so that the PIX was friendly with applications that had long connection times. Do you have an application in your environment that has exceptionally long connection times that are being dropped by the PIX?
Yes, I have some applications in my environment that have exceptionally long connection timers that are being dropped by the PIX. Please tell me how to configure the long connections based on different applications.
Sounds like the parameter you need to adjust is the "conn" parameter. The environments where I have usually needed to adjust this are ones where webservers have a long-lived connection to backend database servers.
I also would like to add that this timer is a global setting and it cannot be changed for a particular host or connection. With that in mind it is probably a good idea to try and not use an all zeros setting. Try upping the timer a little at a time.
In one environment I worked in it looked like this parameter was the culprit when actually the application needed to be tuned to work with a firewall. In your environment the application may need to have a keepalive enabled or be configured to restart its connection every so often.