How to drop idle connections and free up PIX Firewall resources
The timeout command on the PIX Firewall sets the idle time for connection, translation, User Datagram Protocol (UDP), Remote-Procedure Call (RPC), and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool.
Issuing the clear xlate command clears the contents of the translation slots. (xlate means translation slot.) The show xlate command displays the contents of only the translation slots.
The clear xlate command removes all entries from the translation slots. To remove a specific xlate entry, issue the clear xlate local x.x.x.x or clear xlate global x.x.x.x command, as shown in this example:
Translation slots can persist after key changes have been made. Always issue the clear xlate command after adding, changing, or removing the aaa-server, access-list, alias, conduit, global, nat, route, or static commands in your configuration.
This sample output shows the default timeout values on the PIX:
The example shows that a user would be required to reauthenticate after 4 minutes of a connection being idle and that the user would regularly authenticate every 5 minutes based on the absolute value of the timer.
If you set the inactivity timer to a duration, but the absolute timer to zero, then users are only reauthenticated after the inactivity timer elapses.
Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is less than the inactivity timer, the inactivity timer never takes effect. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes; therefore, the inactivity timer will never be started.
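The following is an added example, not part of the original document or Cisco code: a small Python check that reads timeout uauth lines, flags the timer relationships described above, and replays a traffic timeline to show which timer causes each reprompt. The function names, the SAMPLE configuration (constructed), the treatment of a missing timer as 0, and the simplified reprompt model are assumptions of this sketch.

```python
import re

# Matches lines of the form "timeout uauth hh:mm:ss absolute|inactivity".
UAUTH_RE = re.compile(
    r"^timeout uauth (\d+):(\d\d):(\d\d) (absolute|inactivity)$", re.M)

# Constructed sample: the 10-minute absolute / 1-hour inactivity case from the text.
SAMPLE = """timeout uauth 0:10:00 absolute
timeout uauth 1:00:00 inactivity"""

def parse_uauth(config):
    """Return timer values in seconds. A timer that is not configured is
    treated as 0 (off) here; that is an assumption, not the PIX default."""
    timers = {"absolute": 0, "inactivity": 0}
    for h, m, s, kind in UAUTH_RE.findall(config):
        timers[kind] = int(h) * 3600 + int(m) * 60 + int(s)
    return timers

def audit(timers):
    """Flag the two timer relationships the text warns about."""
    a, i = timers["absolute"], timers["inactivity"]
    findings = []
    if a == 0 and i > 0:
        findings.append("absolute is zero: reauthentication only after inactivity")
    if 0 < a < i:
        findings.append("absolute is shorter than inactivity: "
                        "inactivity timer never takes effect")
    return findings

def reauth_events(timers, traffic):
    """Simplified model. traffic is a sorted list of seconds since the first
    login; returns (time, cause) for every reprompt the timers would trigger."""
    a, i = timers["absolute"], timers["inactivity"]
    auth_at = last_seen = traffic[0]
    prompts = []
    for t in traffic[1:]:
        if a and t - auth_at >= a:          # absolute lifetime used up
            prompts.append((t, "absolute"))
            auth_at = t
        elif i and t - last_seen >= i:      # idle gap reached the limit
            prompts.append((t, "inactivity"))
            auth_at = t
        last_seen = t
    return prompts

if __name__ == "__main__":
    timers = parse_uauth(SAMPLE)
    print(audit(timers))
    print(reauth_events(timers, list(range(0, 1801, 300))))
```

With the sample timers, every reprompt in the replay is attributed to the absolute timer, even for a user who stays idle longer than an hour.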