An alternative is to use Dead Connection Detection (DCD) on the ASA to validate if both endpoints on the idle connection are still alive, and if so reset the idle timeout, else tear it down.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080752

Additionally, one point for Peter. Increasing the idle conn timeout does not require you to increase the xlate timeout. The xlate timeout only takes effect once all conns associated to that xlate no longer exist.

Sincerely,
David.

Peter Rathlev wrote:
> Hi Judith,
>
> On Tue, 2012-05-08 at 19:16 +0000, Judith Sanders wrote:
>
>> I have a Cisco ASA5520. I have an established VPN with a third party
>> vendor. We are running applications over this tunnel and experiencing
>> timeouts. The tunnel never drops, just the application. I know that
>> there are default timeouts set on the ASA for certain protocols, but
>> if the tunnel is established, would it not be an application issue and
>> not a firewall/VPN timeout issue?
>>
>
> The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with
> RFC 5782 "NAT Behavioral Requirements for TCP", a BCP. It specifies that
> the timeout "MUST NOT be less than 2 hours 4 minutes". Use "timeout conn
> 2:04:00" on the ASA to adjust. You might also want to consider adjusting
> the "timeout xlate" upwards at the same time.
>
> Informational level debugging can tell you if and why the ASA has torn
> down a session; the "ASA-6-302014" message ("Teardown TCP ...") states
> the specific reason. Look for "Conn-timeout", meaning that the TCP
> connection has been idle for too long and is therefore closed.
>
> Even with a 2:04:00 timeout you still need to convince the application
> developers to actually use TCP Keep-Alives. We have been forced to apply
> a 24 hour timeout for certain connections because the developers
> couldn't/wouldn't use Keep-Alives. A policy-map can select just the
> right connections, so you avoid a long timeout for every connection
> through the ASA.
> >
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
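As an added example (not part of the thread), a small parser for the ASA-6-302014 teardown messages Peter points to, summarising teardown reasons per peer so that Conn-timeout teardowns toward the VPN partner's server stand out from application-initiated closes. The log lines are constructed, and the field order of the 302014 message is assumed from the documented ASA format.

```python
import re
from collections import Counter, defaultdict

# ASA-6-302014 teardown message. Field order is assumed from the documented
# ASA format: id, src if:addr/port, dst if:addr/port, duration, bytes,
# optional reason, optional (user).
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>[^()]+?))?(?: \((?P<user>[^)]*)\))?\s*$"
)

# Constructed sample lines, not real ASA output.
SAMPLE_LOG = [
    "May  8 19:16:01 asa %ASA-6-302014: Teardown TCP connection 1001 for inside:10.1.1.20/51000 to outside:203.0.113.10/1521 duration 1:00:02 bytes 4096 Conn-timeout",
    "May  8 19:16:05 asa %ASA-6-302014: Teardown TCP connection 1002 for inside:10.1.1.20/51001 to outside:203.0.113.10/1521 duration 0:00:12 bytes 812 TCP FINs",
    "May  8 19:17:09 asa %ASA-6-302014: Teardown TCP connection 1003 for inside:10.1.1.21/51002 to outside:203.0.113.10/1521 duration 1:00:00 bytes 2048 Conn-timeout",
    "May  8 19:17:30 asa %ASA-6-302014: Teardown TCP connection 1004 for inside:10.1.1.22/51003 to outside:203.0.113.10/443 duration 0:02:10 bytes 120 TCP Reset-O",
    "May  8 19:17:31 asa %ASA-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.22/51004 (10.1.1.22/51004)",
]

def duration_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_teardown(line):
    """Return the fields of a 302014 message as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = (rec["reason"] or "").strip() or "unknown"
    rec["duration_s"] = duration_seconds(rec["duration"])
    return rec

def reasons_by_peer(lines):
    """Count teardown reasons per responder host/port (e.g. the vendor's app server)."""
    per_peer = defaultdict(Counter)
    for line in lines:
        rec = parse_teardown(line)
        if rec:
            per_peer[f"{rec['dst']}/{rec['dport']}"][rec["reason"]] += 1
    return {peer: dict(c) for peer, c in per_peer.items()}

def idle_timeout_teardowns(lines, idle_limit_s=3600):
    """IDs of Conn-timeout teardowns that lived at least the idle limit (ASA default 1 hour):
    the firewall, not the application, ended these sessions."""
    return [rec["id"] for rec in map(parse_teardown, lines)
            if rec and rec["reason"] == "Conn-timeout" and rec["duration_s"] >= idle_limit_s]

if __name__ == "__main__":
    for peer, counts in reasons_by_peer(SAMPLE_LOG).items():
        print(peer, counts)
    print("idle-timeout victims:", idle_timeout_teardowns(SAMPLE_LOG))
```

Feed it the ASA syslog (logging at informational level) and compare the Conn-timeout counts before and after raising "timeout conn" or applying a per-class idle timeout with DCD.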
