Cisco Support Community

PIX timeout conn recommendations

Hi,

What are the possible performance problems and security issues with increasing the timeout values (conn especially)?

Are there any recommendations as to the max values? I cannot find anything other than syntax on the web site.

5 REPLIES

Re: PIX timeout conn recommendations

Hi,

The default values are the recommended values under normal circumstances but we do realize that there are some situations where these values will not work. From a Security standpoint and performance standpoint, you probably will not see any change when bumping the conn timeout up a bit. The only real difference is that the PIX will wait longer before tearing down connections that have gone idle. You *could* see more conns stored which will eat more memory but in most cases, this will probably be negligible. Most PIX installations have very few conns that time out due to the idle timer being reached unless there is some application that passes across the PIX that is left open and un-used for long periods of time. Hope this helps.

Scott


Re: PIX timeout conn recommendations

Thank you Scott,

Last Q...

What is the relationship between the connection and idle timeouts?

Thanks again,

Art

Re: PIX timeout conn recommendations

Art,

Not a problem. I am not exactly sure what you mean by the question. The conn timer is the time that the PIX will allow the connection to sit idle before tearing it down. If we see traffic flow across this connection, the timer resets to 0. If we reach the configured time and the timer has not been reset, the connection gets torn down. Does this answer your question at all?

Scott
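The idle-timer behaviour Scott describes in both of his replies (a packet resets the timer to 0, reaching the configured time with no reset tears the conn down) is easy to model. The following is an added example, not code from this thread or from Cisco: a constructed conn table with invented traffic, replayed under the default 1-hour `timeout conn` and under a 6-hour value, so the trade-off he mentions (more idle entries held, more memory) can be seen in numbers.

```python
"""Constructed model (not Cisco code) of the PIX conn idle timer:
every packet on a connection resets its timer to 0; when the idle time
reaches the configured 'timeout conn' value, the entry is torn down.
replay() reports what a larger timeout changes: not the peak number of
entries, but how many teardowns occur and how long entries sit in the table."""


class ConnTable:
    def __init__(self, timeout_conn):
        self.timeout = timeout_conn   # seconds; 'timeout conn 1:00:00' would be 3600
        self.last_seen = {}           # conn key -> time of the last packet seen

    def traffic(self, key, now):
        # traffic creates the conn if it is new, otherwise resets its idle timer
        self.last_seen[key] = now

    def expire(self, now):
        # tear down every conn whose idle time has reached the timeout
        dead = [k for k, t in self.last_seen.items() if now - t >= self.timeout]
        for k in dead:
            del self.last_seen[k]
        return dead


# Constructed traffic (times in seconds from the start of the run):
#   A: chatty, one packet every 10 minutes for 4 hours
#   B: one packet, then silent (a session somebody walked away from)
#   C: one packet, then another one 90 minutes later
EVENTS = sorted(
    [(t, "A") for t in range(0, 14401, 600)]
    + [(0, "B")]
    + [(0, "C"), (5400, "C")]
)


def replay(timeout_conn, events=EVENTS, horizon=8 * 3600, step=60):
    """Feed the events through the table, sweeping idle conns every `step` seconds."""
    table = ConnTable(timeout_conn)
    peak = torn = conn_ticks = in_use = 0
    i = 0
    for now in range(0, horizon + 1, step):
        while i < len(events) and events[i][0] <= now:
            table.traffic(events[i][1], events[i][0])
            i += 1
        torn += len(table.expire(now))
        in_use = len(table.last_seen)
        peak = max(peak, in_use)
        conn_ticks += in_use   # entry-ticks held: a proxy for conn memory over time
    return {"peak": peak, "torn_down": torn, "still_open": in_use, "conn_ticks": conn_ticks}


if __name__ == "__main__":
    for name, secs in (("default 1:00:00", 3600), ("6 hours", 6 * 3600)):
        print(name, replay(secs))
```

With this traffic the peak conn count is the same either way; the 6-hour timeout simply tears down fewer entries and holds them roughly 2.7 times as many entry-ticks, which is the "more conns stored" cost Scott calls negligible for most installations.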


Re: PIX timeout conn recommendations

Yes that does Scott. Sorry about the poor wording. I appreciate the help.

Art


Re: PIX timeout conn recommendations

We bumped our xlate value up to 6 hours. Then I dump the xlate table every 6 hours using a TCL/expect script. Then I correlate my DHCP logs with the xlate entries. Purpose being to track a user down by the global IP address they were surfing with. Anybody have any comments about the accuracy of doing this? The concept is to use this info for enforcement purposes.
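On the accuracy question: the correlation described above is sound only when the dump interval is no longer than the xlate idle timeout (then any translation alive at some moment appears in the dump just before or just after it), and even then a global address can have been reused by a different inside host between two dumps. The following added example, which is not the poster's script and contains no Cisco code, shows a correlation that surfaces that ambiguity instead of hiding it. The `show xlate` text imitates the PIX 6.x output format, the DHCP log format is invented, and all addresses, times and hosts are constructed sample data.

```python
"""Constructed example: map a global (outside) address seen at a given time
back to DHCP clients, using periodic 'show xlate' dumps and a DHCP log.
Not the poster's script; xlate lines imitate PIX 6.x output, DHCP lines are
an invented format, and every value below is made up."""
import re
from datetime import datetime

# Constructed dumps taken every 6 hours: (dump time, show xlate output).
XLATE_DUMPS = [
    ("2005-03-01 00:00", """2 in use, 5 most used
Global 209.165.201.10 Local 10.1.1.15
PAT Global 209.165.201.20(1024) Local 10.1.1.16(4532)
"""),
    ("2005-03-01 06:00", """2 in use, 5 most used
Global 209.165.201.10 Local 10.1.1.22
PAT Global 209.165.201.20(1025) Local 10.1.1.16(4601)
"""),
    ("2005-03-01 12:00", """1 in use, 5 most used
Global 209.165.201.10 Local 10.1.1.22
"""),
]

# Constructed DHCP server log (invented format: date time action ip mac hostname).
DHCP_LOG = """2005-02-28 22:10 DHCPACK 10.1.1.15 00:11:22:33:44:55 alice-pc
2005-03-01 01:00 DHCPACK 10.1.1.22 cc:dd:ee:ff:00:11 carol-pc
2005-03-01 02:30 RELEASE 10.1.1.15 00:11:22:33:44:55 alice-pc
2005-03-01 02:45 DHCPACK 10.1.1.15 66:77:88:99:aa:bb bob-laptop
"""

XLATE_RE = re.compile(r"^(PAT )?Global ([\d.]+)(?:\((\d+)\))? Local ([\d.]+)(?:\((\d+)\))?$")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_xlate(text):
    """One dict per translation line; header lines such as 'N in use' are skipped."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            pat, g, gport, l, lport = m.groups()
            out.append({"pat": bool(pat), "global": g, "gport": gport and int(gport),
                        "local": l, "lport": lport and int(lport)})
    return out


def bracketing_dumps(event_time, dumps):
    """Last dump at/before the event and first dump at/after it. With an xlate
    timeout no shorter than the dump interval, a translation alive at event_time
    must show up in at least one of the two (the idle timer cannot have run out)."""
    chosen = {}
    before = [d for d in dumps if ts(d[0]) <= event_time]
    after = [d for d in dumps if ts(d[0]) >= event_time]
    if before:
        chosen[before[-1][0]] = before[-1]
    if after:
        chosen[after[0][0]] = after[0]
    return list(chosen.values())


def local_candidates(global_ip, event_time, dumps, global_port=None):
    """Inside addresses that may have been behind global_ip at event_time.
    PAT entries are matched only when the global port is known: one PAT
    address fronts many hosts, so the address alone identifies nobody."""
    found, skipped_pat = set(), 0
    for _, text in bracketing_dumps(event_time, dumps):
        for x in parse_xlate(text):
            if x["global"] != global_ip:
                continue
            if x["pat"] and (global_port is None or x["gport"] != global_port):
                skipped_pat += 1
                continue
            found.add(x["local"])
    return sorted(found), skipped_pat


def lease_holder(local_ip, at_time, log):
    """(mac, hostname) holding local_ip at at_time, replaying DHCPACK/RELEASE
    lines in time order. Simplification: lease expiry without a RELEASE is ignored."""
    holder = None
    for line in sorted(log.splitlines()):
        date, clock, action, ip, mac, host = line.split()
        if ts(f"{date} {clock}") > at_time or ip != local_ip:
            continue
        holder = (mac, host) if action == "DHCPACK" else None
    return holder


def attribute(global_ip, when, global_port=None, dumps=XLATE_DUMPS, log=DHCP_LOG):
    """More than one candidate means the dumps cannot say which host had the
    address at that moment; that case should not be used for enforcement."""
    t = ts(when)
    locals_, skipped = local_candidates(global_ip, t, dumps, global_port)
    results = [(ip, lease_holder(ip, t, log)) for ip in locals_]
    return {"candidates": results, "ambiguous": len(results) > 1, "pat_skipped": skipped}


if __name__ == "__main__":
    print(attribute("209.165.201.10", "2005-03-01 03:00"))   # two hosts possible
    print(attribute("209.165.201.10", "2005-03-01 09:00"))   # one host
    print(attribute("209.165.201.20", "2005-03-01 05:00", global_port=1025))
```

In the constructed data the global address 209.165.201.10 moves from 10.1.1.15 to 10.1.1.22 between the 00:00 and 06:00 dumps, so an event at 03:00 cannot be pinned to either host (and 10.1.1.15 itself changed DHCP clients in that window), while an event at 09:00 is unambiguous. The two dumps that bracket the event are what make the first case visible at all; a single dump would silently pick one host.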
