topic TCP Idle Timeout in Network Security

TCP Idle Timeout

DEENA VERAPPAN — Tue, 21 Apr 2020 21:55:52 GMT

Hi All,

Hoping to get some help, and possible advice.

We have a ASA5585, running on our corporate network. As is the case with many organizations, we have a growing number of staff working from home. We have been experiencing dropout connections to our Oracle database for users logged in through VPN. I have analyzed some packet captures between the client and the server, and have not seen any disconnects, (FIN) from the client or the server. VPN group policies have been set to 4hours idle timeout. Is the way to check the TCP connection timeout on the ASA, and what is the default idle TCP connection timeout.

thanks for your help and advice.

Cheers

Re: TCP Idle Timeout

Sheraz.Salim — Tue, 21 Apr 2020 22:06:44 GMT

Default setting are below in ASA config. however you can change them according to your need.

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

Re: TCP Idle Timeout

DEENA VERAPPAN — Wed, 22 Apr 2020 17:33:36 GMT

thank you for the information that is very helpful.

Can I use DCD to keep the 1hr default idle time for Oracle connections?

Re: TCP Idle Timeout

Sheraz.Salim — Wed, 22 Apr 2020 19:23:37 GMT

check this link might this help you

https://community.cisco.com/t5/security-documents/asa-dead-connection-detection-dcd/ta-p/3154051

the other way around is create a custom rule. below is the example change it according to your needs

access-list oracle-hosts permit tcp host 172.26.x.x host 172.25.x.x (or make the access-list specific for a certain protocol)

class-map oracle-hosts
match access-list oracle-hosts
exit

policy-map global_policy
class oracle-hosts
set connection timeout tcp 0:0:0 reset (setting no timeout for the specific access-list, DCD will determine with probes if the session needs to be torn down)