Cisco Support Community

PIX Timeout Values

What's the difference between the xlate and conn timeout? If the xlate timeout is 3 hours and the conn timeout is 1 hour, will an idle TCP connection always be timed out by the conn timeout? Am I wrong?

Best Regards.

Community Member

Re: PIX Timeout Values

An xlate is a dynamic NAT, a conn is a TCP connection. You always want the xlate timeout value to be higher than the conn timeout. And you are correct, the idle TCP connection will be terminated by the conn timeout. Once the xlate timeout expires, the inside IP can/will be NAT'd to a different global IP the next time it issues new traffic.

Re: PIX Timeout Values

OK then, if the TCP conn times out, does the PIX silently erase this conn from the table and refuse additional TCP segments of this conn, or does it inform the parties involved in the TCP connection?

Community Member

Re: PIX Timeout Values

It silently discards the connection. There is no RST sent to the source/destination. The role is to clear "dead" connections from memory. A normally terminated connection (RST-RSTACK) is cleared from PIX memory at that time. This timeout should not be set too low because it will kill long FTP transfers and so on.

The xlate timeout also clears all references to a host, including up connections.
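The interaction the two answers describe (an idle conn is dropped silently with no RST, the host keeps its global IP until the xlate idles out, and an expiring xlate takes every conn of that host with it) can be stepped through in a small model. This is an added example written for this page, not Cisco code and not a post from the thread; the `PixStateModel`, `Xlate` and `Conn` names, the timer semantics, and the 10.0.0.0/8, 198.51.100.0/24 and 203.0.113.0/24 addresses are all constructed for illustration. The first scenario uses the 1-hour conn / 3-hour xlate values from the question; the second uses an xlate timeout shorter than the conn timeout to show why the first answer says it should always be the higher of the two.

```python
"""Toy model of PIX conn and xlate idle timers (hypothetical, not Cisco code)."""
from dataclasses import dataclass

CONN_TIMEOUT = 1 * 3600   # 1 hour idle, as in the question
XLATE_TIMEOUT = 3 * 3600  # 3 hours idle, as in the question


@dataclass
class Xlate:
    inside: str       # inside (private) address
    global_ip: str    # dynamic NAT address it currently maps to
    last_seen: float  # time of the last packet that touched this translation


@dataclass
class Conn:
    inside: str       # inside host that owns this conn (ties it to its xlate)
    last_seen: float


class PixStateModel:
    """Simplified conn/xlate tables with idle timeouts (assumed model)."""

    def __init__(self, conn_timeout=CONN_TIMEOUT, xlate_timeout=XLATE_TIMEOUT):
        self.conn_timeout = conn_timeout
        self.xlate_timeout = xlate_timeout
        self.xlates = {}   # inside ip -> Xlate
        self.conns = {}    # (src, sport, dst, dport) -> Conn
        self.dropped = []  # (time, key) of segments discarded without any RST
        # Constructed global pool using TEST-NET-3 documentation addresses.
        self._pool = iter(["203.0.113.10", "203.0.113.11", "203.0.113.12"])

    def expire(self, now):
        """Remove idle entries. Nothing is sent to either endpoint."""
        for key in [k for k, c in self.conns.items()
                    if now - c.last_seen > self.conn_timeout]:
            del self.conns[key]
        for inside in [i for i, x in self.xlates.items()
                       if now - x.last_seen > self.xlate_timeout]:
            del self.xlates[inside]
            # An expiring xlate clears every conn of that host, idle or not.
            for key in [k for k, c in self.conns.items() if c.inside == inside]:
                del self.conns[key]

    def packet(self, now, src, sport, dst, dport, syn=False):
        """Classify one outbound segment: 'forwarded', 'new_conn' or 'dropped'."""
        self.expire(now)
        key = (src, sport, dst, dport)
        if key in self.conns:
            self.conns[key].last_seen = now
            self.xlates[src].last_seen = now  # traffic keeps the xlate alive too
            return "forwarded"
        if not syn:
            # No conn entry: a mid-stream segment is silently discarded.
            self.dropped.append((now, key))
            return "dropped"
        if src not in self.xlates:
            self.xlates[src] = Xlate(src, next(self._pool), now)
        self.xlates[src].last_seen = now
        self.conns[key] = Conn(src, now)
        return "new_conn"

    def global_ip_for(self, inside):
        x = self.xlates.get(inside)
        return x.global_ip if x else None


def run_question_scenario():
    """Conn 1h, xlate 3h: the conn dies first; the global IP survives until the xlate idles out."""
    pix = PixStateModel()
    out = [pix.packet(0, "10.0.0.5", 40000, "198.51.100.20", 80, syn=True)]
    out.append(pix.packet(1800, "10.0.0.5", 40000, "198.51.100.20", 80))    # forwarded
    out.append(pix.packet(5401, "10.0.0.5", 40000, "198.51.100.20", 80))    # idle 3601s > 1h: dropped
    ip_after_conn_expiry = pix.global_ip_for("10.0.0.5")                    # xlate still present
    out.append(pix.packet(5402, "10.0.0.5", 40001, "198.51.100.20", 80, syn=True))
    ip_reused = pix.global_ip_for("10.0.0.5")                               # same global IP
    out.append(pix.packet(16204, "10.0.0.5", 40002, "198.51.100.20", 80, syn=True))
    ip_new = pix.global_ip_for("10.0.0.5")                                  # xlate idle > 3h: new global IP
    return out, ip_after_conn_expiry, ip_reused, ip_new


def run_misconfigured_scenario():
    """xlate 10 min < conn 1 h: a conn well inside its own timer is killed by the xlate expiring."""
    pix = PixStateModel(conn_timeout=3600, xlate_timeout=600)
    pix.packet(0, "10.0.0.7", 50000, "198.51.100.20", 443, syn=True)
    first = pix.packet(500, "10.0.0.7", 50000, "198.51.100.20", 443)    # forwarded
    second = pix.packet(1101, "10.0.0.7", 50000, "198.51.100.20", 443)  # xlate idle 601s: dropped
    return first, second, len(pix.conns), len(pix.xlates)


if __name__ == "__main__":
    print(run_question_scenario())
    print(run_misconfigured_scenario())
```

In the first scenario the segment at 5401s is dropped because the conn has been idle just over an hour, but a new SYN a second later still gets the same global IP because the xlate (last refreshed at 1800s) is nowhere near its 3-hour limit; only the SYN at 16204s, after more than three idle hours, gets a fresh translation. In the second scenario the conn is only 601s idle, far below its 1-hour timer, yet it is gone because its xlate expired and took it along, which is the failure mode the first answer warns against.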
