https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577297#M589216 <HTML><HEAD></HEAD><BODY><P>Hello Jim,</P><P></P><P>Correct me if I am wrong, but you can change only the timeout for the uauth without having actually to change the xlate timeout. This would make the firewall to maintain the uauth table for the amount of time you configure... the only thing that is not going to happen is that when your users go out to the internet they wont be prompted for username and password...</P><P></P><P>Hope this makes sense.</P><P></P><P>Mike</P></BODY></HTML> Tue, 23 Nov 2010 22:34:52 GMT Maykol Rojas 2010-11-23T22:34:52Z https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577296#M589215 <P><SPAN style="background-color: #f8fafd;">We currently use a cut-through proxy-like feature on Juniper SSG firewalls for our guest wireless network that allows a seven day (168 hour) timeoout, which matches the DHCP lease time.&nbsp; This extended time is not a problem with the SSG since it maintains an auth table completely separate from the NAT/xlate table.&nbsp; </SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">I'm trying to implement the same function on an ASA 5520 failover pair, however I'm very reluctant to set 'timeout uauth 168:0:0 absolute' because I would be required to set 'timeout xlate 168:0:0' as well.&nbsp; I'm concerned that setting the xlate timeout that high would invite xlate table overruns and intermittent DOS through the firewall.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Is there any way to set the cut-through uauth timeout higher (or use a similar authentication function) without increasing the system-wide xlate timeout to match?&nbsp; If not, are my concerns about setting the xlate timeout so high valid?&nbsp; The ASAs are pretty highly utilized overall.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Thanks,</SPAN></P><P><SPAN style="background-color: #f8fafd;"><BR />Jim</SPAN></P> Mon, 11 Mar 2019 19:13:32 GMT https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577296#M589215 jimsiff 2019-03-11T19:13:32Z https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577297#M589216 <HTML><HEAD></HEAD><BODY><P>Hello Jim,</P><P></P><P>Correct me if I am wrong, but you can change only the timeout for the uauth without having actually to change the xlate timeout. This would make the firewall to maintain the uauth table for the amount of time you configure... the only thing that is not going to happen is that when your users go out to the internet they wont be prompted for username and password...</P><P></P><P>Hope this makes sense.</P><P></P><P>Mike</P></BODY></HTML> Tue, 23 Nov 2010 22:34:52 GMT https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577297#M589216 Maykol Rojas 2010-11-23T22:34:52Z https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577298#M589217 <HTML><HEAD></HEAD><BODY><P>Hi Mike,</P><P></P><P>I wish that were the case.&nbsp; When I try to set uauth timeout to 168 hours, I get an error because my xlate timeout is set much lower.&nbsp; It appears to me that the uauth timout is directly linked to the xlate timeout.&nbsp; I'm looking for a way to handle user authentication without setting the system-wide xauth timeout so high.</P><P></P><P>fw-bv-1(config)# timeout uauth 168:0:0 absolute<BR /><STRONG style="color: #ff0000; ">uauth timeout 168:00:00 cannot be greater than the xlate timeout 0:30:00<BR /></STRONG>Usage: timeout [xlate|conn|udp|icmp|sunrpc|h323|mgcp|sip|sip_media|uauth <HH> [...]]</HH></P><P></P><P>fw-bv-1# sri ^timeout<BR /><STRONG style="color: #ff0000; ">timeout xlate 0:30:00<BR /></STRONG>timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00</P><P></P><P>Thanks,</P><P></P><P>Jim</P></BODY></HTML> Tue, 23 Nov 2010 22:53:07 GMT https://community.cisco.com/t5/network-security/cut-through-proxy-uauth-timeout-question/m-p/1577298#M589217 jimsiff 2010-11-23T22:53:07Z