topic Hi, in Network Security

timeout ICMP issue - connection table exaust

optix-137 — Tue, 12 Mar 2019 06:57:08 GMT

Hi,

I'm trying to figure out why does my ASA have a ICMP timeout of 1 hour instead of default 2 seconds as stated in the documentation and cli.

fw-asa(config)# timeout icmp ?

configure mode commands/options:
<0:0:2> - <1193:0:0> Idle timeout for icmp, default is 0:00:02

Looking at the connections..

fw-asa# sh conn detail

ICMP Outside: 10.2.1.12/0 Inside: 10.10.10.15/17460,
, flags , idle 5s, uptime 5s, timeout 1h0m, bytes 56

...

Setting the timeout to any other value does not have any effect on this, and the timeout remains 1h.

This is creating quite a problem for me because I have an ICMP monitoring host in the network that is generating large amount of ICMP packets, and is filling up the connection table quite badly.

Am I missing something painfully obvious here?

Hadware is: ASA 5510 with Security Plus license

Software is: asa915-21-k8.bin

inspect icmp is disabled because of the asymmetric routing in the network..

Thank you!

optix

Hi,

Rishabh Seth — Thu, 26 Nov 2015 05:11:17 GMT

Hi,

Check output of show run | in timeout

In the output check the timeout of ICMP. If the timeout is set to 60 minutes then you can change it to 2 second.

Having such high timeout for ICMP can end up in exhaustion of session table.

Thanks,

Hi,

optix-137 — Thu, 26 Nov 2015 08:04:58 GMT

Hi,

There is currently no timeout icmp set, so it should default to 2 seconds. Either way, even if I set this to any value, timeout seen in the output of sh conn detail command remains 1h, and the connection table builds up.

Hi,

Rishabh Seth — Sat, 28 Nov 2015 05:11:30 GMT

Hi,

Can you share output of:

show run | i timeout

Thanks,

Hi,

optix-137 — Sat, 28 Nov 2015 10:56:07 GMT

Hi,

fw-asa# sh run | i timeout
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
telnet timeout 5
ssh timeout 60
console timeout 0
vpn-idle-timeout 4320
anyconnect ask enable default anyconnect timeout 20
set connection timeout idle 1:00:00 reset
set connection timeout idle 1:00:00 reset
fw-asa#

Thanks,

optix

Hi Optix,

Akshay Rastogi — Sat, 28 Nov 2015 15:53:50 GMT

Hi Optix,

You have explicitly configured the 'idle' timeout to 1 hour. 'show run timeout' value shows the default timeout values.

please find the description below of the 'set connection timeout idle' command. It sets all the protocol's idle timeout to 1 hour :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1453113

Remove the same if do not wish to configure the same.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

Hi Optix,

Rishabh Seth — Sat, 28 Nov 2015 20:18:03 GMT

Hi Optix,

Verify your policy map which is configured to alter idle timeout to 1 hour.

In case your classmap is configured to match all the traffic and you want to avoid ICMP traffic then you can add a deny statement for icmp.

Thanks

Hi Akshay & Rishabh

optix-137 — Sat, 28 Nov 2015 21:44:01 GMT

Hi Akshay & Rishabh

Thank you for your replies.

I had an class-default map configured to decrement ttl and disable tcp state check.

Also, I configured (from ASDM) tcp reset before idle and that caused a line 'set connection timeout idle 1:00:00 reset', I didn't have an intention to change the timeout values.

I believed that this section of options was only related to tcp - as the window in ASDM clearly says "TCP timeout".

Had no idea that this actually sets the timeout for all types of connections...

I think that it would be an understatement to say that this is a bit misleading.. 🙂

Anyway.. lesson learned.

Thanks again!

Best regards.