topic I just want to know concept in Network Security

What the function configure Connection timeout on ASA?

williammanurung — Tue, 12 Mar 2019 09:18:58 GMT

Hi guys,

I just want to know, what the exactly function command on below my ASA 5585-X:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

What ASA will do after connection timeout?

Best regards,

William

After a timeout expires for a

Marvin Rhoads — Thu, 04 May 2017 09:08:24 GMT

After a timeout expires for a given xlate or connection, the ASA will either release the xlate or the drop the connection record from its internal tables and free up the memory and any other resources that it was using.

For xlates, that means any new traffic needing to be NATted will re-establish an xlate.

For connections, it means that the connection state will need to be re-established for any subsequent traffic. An active connection (or flow for stateless traffic like udp and icmp) means that the return traffic bypasses ACLs since it is know to be part of an existing allowed flow.

what the meaning of "timeout

williammanurung — Fri, 05 May 2017 07:34:17 GMT

what the meaning of "timeout expires"?

Is there end to end close connection?

Can you give me another example?

"timeout expires" means that

Marvin Rhoads — Fri, 05 May 2017 09:28:57 GMT

"timeout expires" means that the idle time for a given connection has counted down to 0:00:00 and is not longer considered active by the firewall. Accordingly it remove the record of connection from its connection table.

Only the two endpoints of an existing connection can close the connection. The ASA does not intervene and send a TCP FIN or anything like that for an existing connection table record that has become idle and had its timeout expired.

What is your reason for asking?

I just want to know concept

williammanurung — Sun, 07 May 2017 13:16:04 GMT

I just want to know concept of timeout connection in my asa.

What you say before, "Accordingly it remove the record of connection from its connection table" , we focus to "connection table", how can i see the connection table in my asa? whats the command?

You can show the connection

Marvin Rhoads — Sun, 07 May 2017 13:38:13 GMT

You can show the connection table with the command "show conn".

Just to add, when a

Ajay Saini — Sun, 07 May 2017 16:57:24 GMT

Just to add, when a connection is idle, the connection is removed from connection table after idle timeout expires as defined by

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

and the xlate timer kicks in once the connection is removed. So, the xlate is still present even when the connection is removed.

timeout xlate 3:00:00
timeout pat-xlate 0:00:30

As an example, when a connection goes into idle state, the connection entry is removed after 1 hour(assuming above config) and post 1 hour, the xlate will be cleared after 30 seconds or 3 hour depending upon if its a nat or pat.

A link that talks more:

https://supportforums.cisco.com/document/88256/understanding-xlate-and-conn-idle-and-timeout-values-through-example

HTH
-AJ

So, the meaning of the idle

williammanurung — Mon, 08 May 2017 06:17:45 GMT

So, the meaning of the idle connection is the end to end connect but no packet transfer?

What minimum packet have to transfer to be idle timer back to 00:00:00?

So, the meaning of the idle

Ajay Saini — Mon, 08 May 2017 12:18:24 GMT

So, the meaning of the idle connection is the end to end connect but no packet transfer?

yes

What minimum packet have to transfer to be idle timer back to 00:00:00?

there is no minimum packet transfer. The logic is that if there is an attempt from either side to transfer any finite number of bytes, it will make the restart the idle timeout value.

HTH

-AJ