Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
353
Views
0
Helpful
3
Replies

PIX Timeout Values

kkalaycioglu
Level 4
Level 4

‎02-23-2004 05:10 AM - edited ‎02-20-2020 11:15 PM

What's the difference between xlate and conn timeout? If xlate timeout is 3 hours and conn timeout is 1 hour. An idle tcp connection will always be timed out by conn timeout? Am I wrong?

Best Regards.

0 Helpful
3 Replies 3

peangvall
Level 1
Level 1

‎02-26-2004 11:54 AM

An xlate is a dynamic NAT, a conn is a tcp connection. You always want the xlate timeout value to be higher than the conn timeout. And you are correct, the idle tcp will be terminated by the conn timeout. Once the xlate timeout expires, the inside IP can/will be nat'd to a different global IP next time it issues new traffic.

0 Helpful

kkalaycioglu
Level 4
Level 4
In response to peangvall

‎03-01-2004 01:34 AM

OK then, if TCP (conn) times out, does PIX silently erase this conn from the table and refuse additional TCP segments of this conn? OR informs parties involved in TCP connection?

Regards.

0 Helpful

8dstaicu
Level 1
Level 1
In response to kkalaycioglu

‎03-01-2004 04:18 AM

it silently discard the connection. There are no RST send to source/destination. The role is to clear from memory "dead" connections. A normal terminated connection (rst-rstack) is cleared from pix memory at that time. This timeout should not be set to low cause it will kill long ftp transfers and so on.

Timeout for xlate clear also all reference about a host including up connections.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card