Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to drop idle connections and free up PIX Firewall resources

Core issue


The timeout command on the PIX Firewall sets the idle time for connection, translation, User Datagram Protocol (UDP), Remote-Procedure Call (RPC), and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool.

Issuing the clear    xlate command clears the contents of the translation slots. (xlate means    translation slot.) The show    xlate command displays the contents of only the translation slots.

Clear xlate commands remove all entries of the translation slots. If you would like to remove a specific xlate entry, issue the clear xlate local x.x.x.x or clear xlate global x.x.x.x commands, as shown in this example:

clear xlate [global|local ip1[-ip2] [netmask mask]] lport|gport port[-port]] [interface if1[,if2][,ifn]] [state static [,dump] [,portmap] [,norandomseq] [,identity]]

Translation slots can persist after key changes have been made. Always issue    the clear xlate command after adding, changing, or removing the aaa-server,    access-list, alias, conduit, global, nat, route, or static commands in your configuration.

This sample output shows the default timeout values on the PIX:

timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute

The timeout uauth command can be used to reauthenticate  the user after a period of inactiviy or an absolute duration.


pixfirewall(config)# timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity pixfirewall(config)# show timeout  timeout xlate 3:00:00  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00    sip 0:30:00 sip_media 0:02:00  timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

The example shows that a user would be required to reauthenticate after 4 minutes of a connection being idle and that the user would regularly authenticate every 5 minutes based on the absolute value of the timer.

If you set the inactivity timer to a duration, but the absolute timer to zero, then users are only reauthenticated after the inactivity timer elapses.

Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is less than the inactivity timer, the inactivity timer never occurs. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes; therefore, the inactivity timer will never be started.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 04:38 PM
Updated by:
Labels (1)