Here is an output from my ASA. This is part of my tunnel that the applications time out through... I see that they have been idle for four-plus hours and the timeout is all 0. Does this mean no timeout, or does this just mean it defaults to the 3-hour timeout?

NAT from inside:172.16.1.201 to outside:64.250.19x.xx flags s idle 4:23:07 timeout 0:00:00
NAT from inside:172.16.1.202 to outside:64.250.19x.xxx flags s idle 4:05:15 timeout 0:00:00
NAT from any:172.16.3.131 to any:64.250.19x.xxx flags s idle 0:25:16 timeout 0:00:00
NAT from inside:172.17.22.121 to outside:64.250.19x.xxx flags s idle 4:12:58 timeout 0:00:00
NAT from inside:172.17.23.121 to outside:64.250.19x.xx flags s idle 4:21:48 timeout 0:00:00

Judith Sanders
Pioneer Telephone
Inside Plant Networking Services
jasand...@ptci.com
405.375.0645
"Our lives change when our habits change." Matthew Kelly

From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
Sent: Wednesday, May 09, 2012 12:51 PM
To: Antonio Soares
Cc: 'Peter Rathlev'; Judith Sanders; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Timeout value on ASA

Hi Antonio,

The first output is showing "PATed" connections, or ones which have been Port Address Translated. In this case, the xlate timeout is hard-coded to 30 seconds and is not user-configurable. If instead you look at "NATed" connections, you will see the timeout would be set to the user-configured value, 3 hours in your case.

Hope that helps explain it.

Sincerely,
David.

Antonio Soares wrote:

Hi David,

Can you elaborate a little more about the xlate timeout? It's something I never understood very well. For example, taking this output as an example:

ASA# sh xlate
2 in use, 229 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30

Why do we see 30 seconds as the timeout? By default it's 3 hours:

ASA# sh runn timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ASA#

timeout xlate: Configure idle time after which a dynamic address will be returned to the free pool, default is 3:00:00

The output above was taken from an ASA. For example, this FWSM reflects the timeout correctly as configured globally (25 minutes):

FWSM# sh xlate debug
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static
45 in use, 281 most used
NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1
NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0
NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6

This debug option is not available on the ASA.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr)
Sent: Tuesday, 8 May 2012 23:20
To: Peter Rathlev; Judith Sanders
Cc: 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] Timeout value on ASA

An alternative is to use Dead Connection Detection (DCD) on the ASA to validate if both endpoints on the idle connection are still alive, and if so reset the idle timeout, else tear it down.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080752

Additionally, one point for Peter. Increasing the idle conn timeout does not require you to increase the xlate timeout. The xlate timeout only takes effect once all conns associated to that xlate no longer exist.

Sincerely,
David.

Peter Rathlev wrote:

Hi Judith,

On Tue, 2012-05-08 at 19:16 +0000, Judith Sanders wrote:
> I have a Cisco ASA5520. I have an established VPN with a third party vendor. We are running applications over this tunnel and experiencing timeouts. The tunnel never drops, just the application. I know that there are default timeouts set on the ASA for certain protocols, but if the tunnel is established, would it not be an application issue and not a firewall/VPN timeout issue?

The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with RFC 5782 "NAT Behavioral Requirements for TCP", a BCP. It specifies that the timeout "MUST NOT be less than 2 hours 4 minutes". Use "timeout conn 2:04:00" on the ASA to adjust. You might also want to consider adjusting the "timeout xlate" upwards at the same time.

Informational-level debugging can tell you if and why the ASA has torn down a session; the "ASA-6-302014" message ("Teardown TCP ...") states the specific reason. Look for "Conn-timeout", meaning that the TCP connection has been idle for too long and is therefore closed.

Even with a 2:04:00 timeout you still need to convince the application developers to actually use TCP Keep-Alives. We have been forced to apply a 24 hour timeout for certain connections because the developers couldn't/wouldn't use Keep-Alives. A policy-map can select just the right connections, so you avoid a long timeout for every connection through the ASA.
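Added worked example, not posted by anyone in the thread: the script below parses "show xlate" lines in the two layouts shown above (ASA, with the TCP/UDP prefix on PAT entries, and FWSM "show xlate debug" with its trailing "connections N"), sorts each translation into static, dynamic PAT or dynamic NAT from the NAT/PAT keyword and the flags column, and then scans syslog for the %ASA-6-302014 teardowns Peter points to, keeping only those whose reason is "Conn-timeout". The xlate and syslog sample lines are constructed with documentation addresses (not the obfuscated ones the posters used); the "dynamic-pat" label only records David's point that PAT xlates show a fixed 0:00:30, the script reads the values, it does not explain them.

```python
"""Parse ASA/FWSM 'show xlate' output and pick out Conn-timeout teardowns.

Added example for the cisco-nsp thread above; the sample lines are
constructed and use documentation addresses.
"""
import re
from datetime import timedelta

# Constructed 'show xlate' lines in the two layouts seen on the thread:
# ASA (optional TCP/UDP prefix on PAT entries) and FWSM 'show xlate debug'
# (trailing 'connections N').
XLATE_SAMPLE = """\
NAT from inside:172.16.1.201 to outside:203.0.113.20 flags s idle 4:23:07 timeout 0:00:00
TCP PAT from inside:172.16.1.50/1028 to outside:203.0.113.21/5281 flags ri idle 0:00:13 timeout 0:00:30
UDP PAT from inside:172.16.1.51/54337 to outside:203.0.113.21/6630 flags ri idle 0:00:01 timeout 0:00:30
NAT from inside:172.23.254.149 to outside:203.0.113.22 flags i idle 0:06:35 timeout 3:00:00 connections 1
"""

# Constructed syslog lines; 302013 is the build message, 302014 the teardown.
SYSLOG_SAMPLE = """\
May  8 19:10:02 fw01 %ASA-6-302013: Built outbound TCP connection 6821 for outside:203.0.113.10/1521 (203.0.113.10/1521) to inside:172.16.1.201/49152 (203.0.113.20/49152)
May  8 20:10:03 fw01 %ASA-6-302014: Teardown TCP connection 6821 for outside:203.0.113.10/1521 to inside:172.16.1.201/49152 duration 1:00:01 bytes 8832 Conn-timeout
May  8 20:11:40 fw01 %ASA-6-302014: Teardown TCP connection 6830 for outside:203.0.113.10/443 to inside:172.16.1.202/50011 duration 0:00:12 bytes 4410 TCP FINs
May  8 21:15:00 fw01 %ASA-6-302014: Teardown TCP connection 6835 for outside:203.0.113.10/1521 to inside:172.17.22.121/49201 duration 1:00:00 bytes 120 Conn-timeout
"""

XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP)\s+)?(?P<kind>NAT|PAT) from "
    r"(?P<in_if>[^:\s]+):(?P<src>\S+) to (?P<out_if>[^:\s]+):(?P<dst>\S+) "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d)"
    r"(?: connections (?P<conns>\d+))?\s*$"
)

# %ASA-6-302014: Teardown TCP connection <id> for <if:addr/port> to <if:addr/port>
#                duration hh:mm:ss bytes <n> <reason> [(user)]
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for (?P<a>\S+) to (?P<b>\S+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)(?: \((?P<user>[^)]*)\))?\s*$"
)


def hms(text):
    """'4:23:07' -> timedelta; the hours field may have more than one digit."""
    h, m, s = (int(x) for x in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def xlate_category(kind, flags):
    """Classify by the flags legend printed above the xlate table."""
    if "s" in flags:          # static; the thread's output shows these with timeout 0:00:00
        return "static"
    if kind == "PAT":         # dynamic PAT; fixed 0:00:30 per David's reply
        return "dynamic-pat"
    return "dynamic-nat"      # dynamic NAT; the global 'timeout xlate' value applies


def parse_xlate(text):
    """Return one dict per translation line; header and legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["idle"] = hms(e["idle"])
        e["timeout"] = hms(e["timeout"])
        e["conns"] = int(e["conns"]) if e["conns"] is not None else None
        e["category"] = xlate_category(e["kind"], e["flags"])
        entries.append(e)
    return entries


def conn_timeout_teardowns(text, reason="Conn-timeout"):
    """Return the 302014 teardowns whose reason field equals `reason`."""
    hits = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)       # search(): tolerate a timestamp/host prefix
        if m and m.group("reason") == reason:
            hits.append({
                "id": int(m.group("id")),
                "peer": m.group("a"),
                "host": m.group("b"),
                "duration": hms(m.group("duration")),
                "bytes": int(m.group("bytes")),
            })
    return hits


if __name__ == "__main__":
    for e in parse_xlate(XLATE_SAMPLE):
        print(f'{e["category"]:12} {e["src"]:>22} -> {e["dst"]:<22} '
              f'idle {e["idle"]} timeout {e["timeout"]}')
    for t in conn_timeout_teardowns(SYSLOG_SAMPLE):
        print(f'conn {t["id"]} {t["host"]} <-> {t["peer"]} idled out after {t["duration"]}')
```

Feed it the real output of "show xlate" and a syslog export in place of the two constructed samples; a conn whose teardown duration sits right at the configured "timeout conn" value (1:00:00 or 1:00:01 with the default) is the signature of the idle timer, as opposed to the "TCP FINs" or reset reasons that point back at the application.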
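Added configuration sketch, not posted by anyone in the thread, of the two knobs discussed above: the global "timeout conn" change Peter recommends, and a policy-map class that applies a longer idle timeout with DCD (David's alternative) only to the vendor sessions instead of to every connection through the box. The ACL, class-map and policy-map names, the inside subnet, the vendor address and port 1521 are all assumptions, as are the DCD retry interval and count chosen here; the command shape is that of the ASA 8.4 "set connection timeout" command in the guide David linked.

```text
! Global TCP idle timeout raised from the 1:00:00 default to the value Peter cites.
timeout conn 2:04:00
! Dynamic xlate timeout left at its 3:00:00 default; per David it only starts
! counting once no conn is attached to the xlate, so it need not track "timeout conn".
timeout xlate 3:00:00
!
! Hypothetical ACL describing the vendor sessions that never send keepalives:
! inside clients to the vendor's listener (subnet, host and port are assumptions).
access-list VENDOR-LONGLIVED extended permit tcp 172.16.1.0 255.255.255.0 host 203.0.113.10 eq 1521
!
class-map VENDOR-LONGLIVED
 match access-list VENDOR-LONGLIVED
!
! Only the matched flows get this treatment. With dcd the ASA probes both endpoints
! when the idle timer expires and keeps the conn if both still answer; without dcd
! you would be back to Peter's 24:00:00 idle value on this class.
policy-map global_policy
 class VENDOR-LONGLIVED
  set connection timeout idle 2:04:00 dcd 0:00:15 5
!
! global_policy is already applied globally on a default ASA configuration.
service-policy global_policy global
```

Verify the effect with "show service-policy" (the class should show the conn timeout settings) and "show conn long", and confirm on a captured teardown that the 302014 reason changes from "Conn-timeout" to a FIN or reset coming from the application itself.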
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/