topic ACE: idle timeout on routed connections in Application Networking https://community.cisco.com/t5/application-networking/ace-idle-timeout-on-routed-connections/m-p/1880837#M36621 <P>Hello,</P><P></P><P>After reading a few post about this, I've been trying to test the procedure.</P><P>I configured an ACL for a test workstation, connecting to a RServer, simple by going through the ACE, and tried to change the idle_timeout, but can't seem to put it to work.</P><P></P><P>What I did:</P><P></P><P>access-list ACL_TCP_IDLE line 8 extended permit tcp host 172.26.112.193 any</P><P>access-list ACL_TCP_IDLE line 9 extended permit tcp any host 172.26.112.193&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (for test purposes)</P><P></P><P> parameter-map type connection TCP_IDLE</P><P>&nbsp; set timeout inactivity 15 </P><P></P><P>class-map match-all TCP_IDLE_CLASS</P><P>&nbsp; 2 match access-list ACL_TCP_IDLE&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>After this, I tried putting the class into the existing policy, and also tried applying the service policy to the VLAN. Both don't seem to work.</P><P></P><P>Test 1:</P><P></P><P>policy-map multi-match server-policy</P><P>&nbsp; class .....</P><P>&nbsp; class TCP_IDLE_CLASS</P><P>&nbsp;&nbsp;&nbsp; connection advanced-options TCP_IDLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>Test 2:</P><P></P><P>policy-map multi-match TCP_CONN</P><P>&nbsp; class TCP_IDLE_CLASS</P><P>&nbsp;&nbsp;&nbsp; connection advanced-options TCP_IDLE&nbsp;&nbsp;&nbsp; </P><P></P><P>int VLAN Servers</P><P>service-policy input TCP_CONN</P><P></P><P></P><P></P><P>What seems stange is than looking to the ACL, it seems not to be active, and there are no hits:</P><P></P><P>access-list:ACL_TCP_IDLE, elements: 2, status: NOT-ACTIVE</P><P>&nbsp; remark :</P><P>access-list ACL_TCP_IDLE line 8 extended permit tcp host 172.26.112.193 any</P><P>access-list ACL_TCP_IDLE line 9 extended permit tcp any host 172.26.112.193&nbsp;&nbsp; </P><P></P><P></P><P>Has anyone done something like this ?</P> Thu, 23 Feb 2012 13:48:49 GMT r.portela 2012-02-23T13:48:49Z ACE: idle timeout on routed connections https://community.cisco.com/t5/application-networking/ace-idle-timeout-on-routed-connections/m-p/1880837#M36621 <P>Hello,</P><P></P><P>After reading a few post about this, I've been trying to test the procedure.</P><P>I configured an ACL for a test workstation, connecting to a RServer, simple by going through the ACE, and tried to change the idle_timeout, but can't seem to put it to work.</P><P></P><P>What I did:</P><P></P><P>access-list ACL_TCP_IDLE line 8 extended permit tcp host 172.26.112.193 any</P><P>access-list ACL_TCP_IDLE line 9 extended permit tcp any host 172.26.112.193&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (for test purposes)</P><P></P><P> parameter-map type connection TCP_IDLE</P><P>&nbsp; set timeout inactivity 15 </P><P></P><P>class-map match-all TCP_IDLE_CLASS</P><P>&nbsp; 2 match access-list ACL_TCP_IDLE&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>After this, I tried putting the class into the existing policy, and also tried applying the service policy to the VLAN. Both don't seem to work.</P><P></P><P>Test 1:</P><P></P><P>policy-map multi-match server-policy</P><P>&nbsp; class .....</P><P>&nbsp; class TCP_IDLE_CLASS</P><P>&nbsp;&nbsp;&nbsp; connection advanced-options TCP_IDLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>Test 2:</P><P></P><P>policy-map multi-match TCP_CONN</P><P>&nbsp; class TCP_IDLE_CLASS</P><P>&nbsp;&nbsp;&nbsp; connection advanced-options TCP_IDLE&nbsp;&nbsp;&nbsp; </P><P></P><P>int VLAN Servers</P><P>service-policy input TCP_CONN</P><P></P><P></P><P></P><P>What seems stange is than looking to the ACL, it seems not to be active, and there are no hits:</P><P></P><P>access-list:ACL_TCP_IDLE, elements: 2, status: NOT-ACTIVE</P><P>&nbsp; remark :</P><P>access-list ACL_TCP_IDLE line 8 extended permit tcp host 172.26.112.193 any</P><P>access-list ACL_TCP_IDLE line 9 extended permit tcp any host 172.26.112.193&nbsp;&nbsp; </P><P></P><P></P><P>Has anyone done something like this ?</P> Thu, 23 Feb 2012 13:48:49 GMT https://community.cisco.com/t5/application-networking/ace-idle-timeout-on-routed-connections/m-p/1880837#M36621 r.portela 2012-02-23T13:48:49Z ACE: idle timeout on routed connections https://community.cisco.com/t5/application-networking/ace-idle-timeout-on-routed-connections/m-p/1880838#M36622 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The ACL output you are getting is normal. An ACL will only show as active and log hits when it's directly applied on an interface to allow/deny traffic, not when it's used to define a class-map. </P><P></P><P>At first sight, the configuration you are using seems to be fine. How are you testing it? You should start by using the "show service-policy" command to see if this class is getting any hits. Then, if you see hits in this class, you should establish a connection and keep it idle, measuring the time it takes for it to be removed from the connection table. </P><P></P><P>I hope this helps</P><P></P><P>Daniel</P></BODY></HTML> Mon, 27 Feb 2012 09:11:14 GMT https://community.cisco.com/t5/application-networking/ace-idle-timeout-on-routed-connections/m-p/1880838#M36622 Daniel Arrondo Ostiz 2012-02-27T09:11:14Z