Hi Judith,

A timeout of all zeros means 'do not timeout' - or infinite timeout.
Sincerely,
David.

Judith Sanders wrote:
>
> Here is an output from my ASA - this is part of my tunnel that the
> applications timeout through...
>
> I see that they have been idle for four plus hours and the timeout is
> all 0 - does this mean no timeout? Or does this just mean default to the
> 3 hour timeout?
>
> NAT from inside:172.16.1.201 to outside:64.250.19x.xx
>     flags s idle 4:23:07 timeout 0:00:00
> NAT from inside:172.16.1.202 to outside:64.250.19x.xxx
>     flags s idle 4:05:15 timeout 0:00:00
> NAT from any:172.16.3.131 to any:64.250.19x.xxx
>     flags s idle 0:25:16 timeout 0:00:00
> NAT from inside:172.17.22.121 to outside:64.250.19x.xxx
>     flags s idle 4:12:58 timeout 0:00:00
> NAT from inside:172.17.23.121 to outside:64.250.19x.xx
>     flags s idle 4:21:48 timeout 0:00:00
>
> Judith Sanders
> Pioneer Telephone
> Inside Plant Networking Services
> jasand...@ptci.com
> 405.375.0645
> "Our lives change when our habits change."
> Matthew Kelly
>
> From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
> Sent: Wednesday, May 09, 2012 12:51 PM
> To: Antonio Soares
> Cc: 'Peter Rathlev'; Judith Sanders; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Timeout value on ASA
>
> Hi Antonio,
>
> The first output is showing "PATed" connections - or ones which have
> been Port Address Translated. In this case, the xlate timeout is
> hard-coded to 30 seconds, and is not user configurable.
>
> If instead you look at "NATed" connections, you will see the timeout
> would be set to the user-configured value - 3 hours in your case.
>
> Hope that helps explain it.
>
> Sincerely,
>
> David.
>
> Antonio Soares wrote:
>
> Hi David,
>
> Can you elaborate a little more about the xlate timeout, it's something I
> never understood very well.
> For example, taking this output as an example:
>
> ASA# sh xlate
> 2 in use, 229 most used
> Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
> UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30
> TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30
>
> Why do we see 30 seconds as the timeout? By default it's 3 hours:
>
> ASA# sh runn timeout
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> timeout tcp-proxy-reassembly 0:01:00
> timeout floating-conn 0:00:00
> ASA#
>
> timeout xlate:
>
> Configure idle time after which a dynamic address will be returned to the
> free pool, default is 3:00:00
>
> The output above was taken from an ASA. For example, this FWSM reflects the
> timeout correctly as configured globally (25 minutes):
>
> FWSM# sh xlate debug
> Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
>        o - outside, r - portmap, s - static
> 45 in use, 281 most used
> NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1
> NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0
> NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6
>
> This debug option is not available on the ASA.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr)
> Sent: Tuesday, 8 May 2012 23:20
> To: Peter Rathlev; Judith Sanders
> Cc: 'cisco-nsp@puck.nether.net'
> Subject: Re: [c-nsp] Timeout value on ASA
>
> An alternative is to use Dead Connection Detection (DCD) on the ASA to
> validate if both endpoints on the idle connection are still alive, and if so
> reset the idle timeout, else tear it down.
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080752
>
> Additionally, one point for Peter. Increasing the idle conn timeout does
> not require you to increase the xlate timeout. The xlate timeout only takes
> effect once all conns associated to that xlate no longer exist.
>
> Sincerely,
>
> David.
>
> Peter Rathlev wrote:
> >
> > Hi Judith,
> >
> > On Tue, 2012-05-08 at 19:16 +0000, Judith Sanders wrote:
> > >
> > > I have a Cisco ASA5520 - I have an established VPN with a third party
> > > vendor. We are running applications over this tunnel and experiencing
> > > timeouts. The tunnel never drops, just the application. I know that
> > > there are default timeouts set on the ASA for certain protocols, but
> > > if the tunnel is established, would it not be an application issue
> > > and not a firewall/VPN timeout issue?
> >
> > The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with
> > RFC 5782 "NAT Behavioral Requirements for TCP", a BCP. It specifies
> > that the timeout "MUST NOT be less than 2 hours 4 minutes". Use
> > "timeout conn 2:04:00" on the ASA to adjust. You might also want to
> > consider adjusting the "timeout xlate" upwards at the same time.
> >
> > Informational level debugging can tell you if and why the ASA has
> > torn down a session; the "ASA-6-302014" message ("Teardown TCP ...")
> > states the specific reason. Look for "Conn-timeout", meaning that the
> > TCP connection has been idle for too long and is therefore closed.
> >
> > Even with a 2:04:00 timeout you still need to convince the application
> > developers to actually use TCP Keep-Alives. We have been forced to
> > apply a 24 hour timeout for certain connections because the developers
> > couldn't/wouldn't use Keep-Alives. A policy-map can select just the
> > right connections, so you avoid a long timeout for every connection
> > through the ASA.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
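The two checks the thread describes by hand, scripted, as an added example that is not part of the thread and not Cisco's code: parse_xlate() reads 'show xlate' lines in the layout Judith and Antonio pasted (the FWSM's trailing "connections N" is accepted as optional) and never_expiring() picks out the entries whose timeout is 0:00:00, the "do not timeout" case David explains; teardown_reasons() and conn_timeout_teardowns() scan syslog text for the ASA-6-302014 "Teardown TCP" message Peter points at and count or list the reason field, so Conn-timeout teardowns stand out. Assumptions: the 302014 layout used here (connection id, endpoints with optional mapped address, duration, bytes, reason, optional user) is the general format of that message as I know it, and all sample values below are constructed for the example; only the masked 64.250.19x addresses and the 172.16.x hosts are taken from Judith's output.

```python
"""Parse ASA 'show xlate' output and ASA-6-302014 teardown syslog lines."""
import re
from collections import Counter
from datetime import timedelta

# Matches ASA/FWSM 'show xlate' entries; 'connections N' (FWSM debug) is optional.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT) from (?P<src>\S+) to (?P<dst>\S+)"
    r"\s+flags (?P<flags>\S+)\s+idle (?P<idle>\d+:\d\d:\d\d)"
    r"\s+timeout (?P<timeout>\d+:\d\d:\d\d)(?:\s+connections (?P<conns>\d+))?"
)

# Matches the ASA-6-302014 message (assumed general layout): endpoints may carry
# an optional '(mapped/port)', the reason may be followed by an optional '(user)'.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<a>\S+)(?:\s+\([^)]*\))? to (?P<b>\S+)(?:\s+\([^)]*\))?"
    r" duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?:\s+(?P<reason>[^(]+?))?(?:\s+\([^)]*\))?\s*$"
)


def parse_hms(text: str) -> timedelta:
    """'4:23:07' -> timedelta(hours=4, minutes=23, seconds=7)."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def parse_xlate(output: str) -> list:
    """One dict per xlate entry; counters, flag legends and prompts are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["idle"] = parse_hms(d["idle"])
        d["timeout"] = parse_hms(d["timeout"])
        d["conns"] = int(d["conns"]) if d["conns"] is not None else None
        entries.append(d)
    return entries


def never_expiring(entries: list) -> list:
    """Entries with timeout 0:00:00 - the 'infinite timeout' case from the thread."""
    return [e for e in entries if e["timeout"] == timedelta(0)]


def idle_beyond_timeout(entries: list) -> list:
    """Entries idle longer than a non-zero configured timeout (normally empty)."""
    return [e for e in entries if e["timeout"] > timedelta(0) and e["idle"] > e["timeout"]]


def teardown_reasons(syslog: str) -> Counter:
    """Count the reason field of every ASA-6-302014 message in the syslog text."""
    reasons = Counter()
    for line in syslog.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            reasons[(m.group("reason") or "").strip() or "<none>"] += 1
    return reasons


def conn_timeout_teardowns(syslog: str) -> list:
    """(connection id, endpoint a, endpoint b, duration) for each Conn-timeout teardown."""
    hits = []
    for line in syslog.splitlines():
        m = TEARDOWN_RE.search(line)
        if m and (m.group("reason") or "").strip() == "Conn-timeout":
            hits.append((int(m.group("id")), m.group("a"), m.group("b"),
                         parse_hms(m.group("duration"))))
    return hits


# Constructed sample: two of Judith's static entries plus one PAT entry in Antonio's layout.
SAMPLE_XLATE = """\
3 in use, 229 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.16.1.201 to outside:64.250.19x.xx flags s idle 4:23:07 timeout 0:00:00
NAT from inside:172.16.1.202 to outside:64.250.19x.xxx flags s idle 4:05:15 timeout 0:00:00
TCP PAT from IN:10.0.0.5/1028 to OUT:203.0.113.10/5281 flags ri idle 0:00:13 timeout 0:00:30
"""

# Constructed syslog sample; connection ids, ports and byte counts are made up.
SAMPLE_SYSLOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.20/443 to inside:172.16.1.201/51001 duration 0:00:12 bytes 8123 TCP FINs
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.20/1521 to inside:172.16.1.202/51002 duration 1:00:02 bytes 44120 Conn-timeout
%ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.21/1521 to inside:172.17.22.121/51003 duration 1:00:01 bytes 3100 Conn-timeout
%ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.22/22 to inside:172.17.23.121/51004 duration 0:05:40 bytes 910 TCP Reset-I
"""

if __name__ == "__main__":
    xl = parse_xlate(SAMPLE_XLATE)
    for e in never_expiring(xl):
        print(f"no timeout: {e['src']} -> {e['dst']} idle {e['idle']} flags {e['flags']}")
    print("teardown reasons:", dict(teardown_reasons(SAMPLE_SYSLOG)))
    for cid, a, b, dur in conn_timeout_teardowns(SAMPLE_SYSLOG):
        print(f"Conn-timeout: conn {cid} {a} <-> {b} after {dur}")
```

Feed it the real 'show xlate' output and a syslog export instead of the constructed samples; a Conn-timeout teardown whose duration sits right at the configured "timeout conn" value is the firewall-side evidence Peter describes, as opposed to an application-side close (TCP FINs or a Reset).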