topic Connection timeout Cisco ASA in Network Security

Connection timeout Cisco ASA

pille1234 — Tue, 12 Mar 2019 05:38:35 GMT

Hallo,

in my Cisco ASA configuration I have the following (default) command:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Based on this configuration I would expect to see all UDP connection to timeout after 2 minutes and ICMP connections after only 2 seconds. Yet I see alot of ICMP- and UDP-connections in my connection table that are alot older than these limits. In fact all these connections do time out after 1 hour exactly. I don't believe this is expected behaviour, but I am not sure. However I get close to the platform connection limit, so I would prefer the UDP and ICMP connections to ageout more aggressively.

Do you have any idea if this the correct behaviour?

Best regards

pille

Hi Pille,The timeout command

Kanwaljeet Singh — Mon, 16 Mar 2015 00:06:53 GMT

Hi Pille,

The timeout command is global command and the values should take effect globally to all traffic unless you have configured other timeout values for traffic using "set connection timeout". Kindly check on that.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi,thank you for your

pille1234 — Mon, 16 Mar 2015 08:48:12 GMT

Hi,

thank you for your response. I do have configured the following global policy:

class-map global-class

match any

policy-map global_policy

class global-class
set connection timeout idle 1:00:00 reset dcd 0:15:00 5
set connection decrement-ttl

Does this configuration change the behaviour of UDP connections? It was my understanding that DCD is only working for TCP and not UDP or ICMP, but looking at the CLI commands I am not sure anymore.

Regards Pille

Hi Pille,

Kanwaljeet Singh — Mon, 16 Mar 2015 14:15:43 GMT

Hi Pille,

You have selected idle which will apply to all protocols. You need to specifiy TCP if you want it to take effect only on TCP. From the link i sent:

The idle hh:mm:ss keyword sets the idle timeout for all protocols between 0:5:0 and 1193:00:00. The default is 1:0:0. You can also set this value to 0, which means the connection never times out. For TCP traffic, the reset keyword sends a reset to TCP endpoints when the connection times out.

You should use something like:

hostname(config-pmap-c)# set connection timeout tcp x:x:x

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hallo,

pille1234 — Mon, 16 Mar 2015 16:56:02 GMT

Hallo,

the keyword tcp is not available with ASA 9.1(5):

ASA/pri/act/CONTEXT(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.
ASA/pri/act/CONTEXT(config-pmap-c)# set connection timeout

As a workaround I probably have to surrender the global class and use separte classes for UDP, TCP and ICMP, do you agree?

Regards Pille

Hi Pille,I haven't tried but

Kanwaljeet Singh — Mon, 16 Mar 2015 19:12:58 GMT

Hi Pille,

I haven't tried but logically that should be the way forward.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks for your help. Regards

pille1234 — Mon, 16 Mar 2015 20:39:43 GMT

Thanks for your help.

Regards Pille

Re: Hi Pille,The timeout command

SmashOgre — Sat, 02 May 2020 03:51:52 GMT

broken link, I wish Cisco would stop moving crap around for the fun of it. Half of the the links I've clicked in the community are on Cisco's site and they are broken.