We have configured an Apache server to act as a front-end app server for our subscribers. As you know, the PIX tears down idle connections traversing it if they are idle for a certain time period (configured using "timeout conn"). Is there a way to configure the connection timeout settings for a single connection (source IP/port ---> destination IP/port) rather than making changes using the "timeout conn" command, which globally affects all connections?
What problem are you having? I am assuming this is a web app. Why is this a problem for you on a stateless app?
Well, the Unix admins explain to me that when our clients open a web session with the Apache server, the server opens a TCP session with our database servers. The problem is that when that connection's idle timer expires, the entire session hangs along with the Apache service/server!!! The Unix admins could not solve the problem from their side, so they asked me to see if a workaround can be implemented on the firewall. I am trying to find out if the "timeout conn" command can be implemented to increase the timeout for a single flow/connection rather than globally for all connections. Any ideas??
You can use the Dead connection detection mechanism to resolve this issue.
If DCD is configured, when the default global idle timeout is reached for a TCP connection, DCD probes are sent to each node of the TCP session.
If the hosts reply, then the connection is not torn down and the idle timeout is rescheduled suitably.
Have a look at the following URL.
You have to write a class map to match the interesting traffic to which you want to apply the dead connection detection mechanism.
set connection timeout dcd
You have to configure a class map to match the interesting traffic and write a policy map to set the DCD mechanism for the traffic that matches the class map.
Then in the policy map, include this CLI command for Dead connection detection.
set connection timeout dcd
Here 15 seconds and 5 seconds are the default values for retry-interval and maxretries.
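The class-map / policy-map configuration described in the reply above, written out as an added example (this is not configuration posted in the thread). It uses PIX 7.x / ASA Modular Policy Framework syntax; the addresses 10.1.1.10 (Apache) and 10.2.2.20 (database), the listener port 1521, and the names APACHE_TO_DB, DB_SESSIONS and DB_KEEPALIVE are placeholders to be replaced with your own values. The retry interval and retry count are spelled out explicitly and are the defaults the reply cites.

```cisco
! Added example, not from the thread: enable DCD only for the
! Apache -> database flows instead of touching the global "timeout conn".
! Placeholders: 10.1.1.10 = Apache server, 10.2.2.20 = database server,
! 1521 = database listener port.
!
! 1. Identify the interesting traffic (Apache to database).
access-list APACHE_TO_DB extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 1521
!
! 2. Class map that matches that access list.
class-map DB_SESSIONS
 match access-list APACHE_TO_DB
!
! 3. Policy map: when the idle timer would expire on a matching flow,
!    probe both ends every 15 seconds, giving up after 5 unanswered probes
!    (0:00:15 and 5 are the default values quoted in the reply).
policy-map DB_KEEPALIVE
 class DB_SESSIONS
  set connection timeout dcd 0:00:15 5
!
! 4. Apply the policy on the interface the Apache server sits behind.
service-policy DB_KEEPALIVE interface inside
!
! Verification: confirm the class is matching and the policy is active.
show service-policy interface inside
show conn count
```

One caveat: the PIX accepts only one service policy per interface plus one global policy. If a policy map is already attached to the interface (for example the default global_policy), add the DB_SESSIONS class to that existing policy map rather than creating a second one. Because the timeout is re-armed only while the database host still answers the probes, a connection whose peer has really gone away is still cleaned up, which is what keeps this from turning into an unbounded connection table.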
OK. Thanks for the reply. Let me ask one more thing: what if we increase the "timeout conn" to 8 hours instead of the 1 hour default setting? I know that the firewall stores these connections in a table in RAM, so will these new settings affect the performance of the firewall if the entries become too many? We currently have a PIX 535 with 1 GB of RAM.
You can very well change the default timeout values, but as you have mentioned, the firewall is going to keep track of all the inactive TCP sessions.
Under normal situations, the peers will be closing their TCP session once the transaction is over. But if they don't properly close their TCP sessions, those sessions will be active in the firewall till the timeout connection value. Only these connections will be consuming the memory for the connection table.
If any kind of attack situation creeps up, then this will be a problem.
You are right. This would be a potential hole in the system. But performance-wise, do you think this would cause a problem even if the RAM is 1 GB? I'm asking because I have a friend who ran into a similar situation with his Cisco router where the NAT table kept growing bigger and bigger until the whole thing crashed. This is what I'm afraid of with my scenario.
I agree with you on this.
You also have the same risk, if there is an attack ongoing, for the window of 1 hour in the default setup.
Most of the attacks are torn down at the embryonic state level itself, if the connection is not complete (like DoS).
This timeout deals with properly established TCP connections that are idle for long. Though we haven't seen any attacks in this fashion, it is always better to follow the default values.
If there are other attack mitigation systems like IPS in your scenario, probably the risk will be reduced.
Otherwise I would suggest you upgrade to the latest version, which has enhancements to prevent such network attacks (like Dead connection detection, etc.).
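The exchange above weighs a global 8-hour "timeout conn" against the growth of the connection table. An added example (not configuration from the thread) of the narrower alternative a firewall admin would normally reach for: keep the global default, raise the idle timeout only for the class of flows that needs it, cap how many connections that class may hold, and check table and memory usage before and after the change. PIX 7.x / ASA syntax; the addresses 10.1.1.10 and 10.2.2.20, port 1521, the names DB_SESSIONS and DB_POLICY, and the limits 2000 / 500 are placeholders.

```cisco
! Added example, not from the thread. Placeholders: 10.1.1.10 = Apache,
! 10.2.2.20 = database, 1521 = listener port.
!
! Baseline before changing anything: current timeouts, how many connections
! the table holds right now, and how much memory is free.
show running-config timeout
show conn count
show memory
!
! Scope the long idle timeout to the Apache -> database flows only, so the
! global default of 1:00:00 still applies to every other connection.
access-list APACHE_TO_DB extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 1521
class-map DB_SESSIONS
 match access-list APACHE_TO_DB
!
policy-map DB_POLICY
 class DB_SESSIONS
  ! 8 hours of idle time allowed for this class only.
  set connection timeout tcp 8:00:00
  ! Bound the table growth for this class: at most 2000 established and
  ! 500 embryonic connections (placeholder values, size them to your app).
  set connection conn-max 2000 embryonic-conn-max 500
!
service-policy DB_POLICY interface inside
!
! Re-check under normal load after the change; the delta in "show conn count"
! and "show memory" is the cost of the longer timeout.
show conn count
show memory
```

The conn-max limits mean that even if the database-bound sessions are never closed properly, the class cannot consume more than a known number of table entries, which addresses the crash scenario the question raises without touching the global timeout that protects every other flow.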
Thank you very much VJ for your quick responses. And I will definitely recommend an upgrade to the PIX OS.