topic Re: PIX Timeout Values in Network Security

PIX Timeout Values

kkalaycioglu — Fri, 21 Feb 2020 07:15:30 GMT

What's the difference between xlate and conn timeout? If xlate timeout is 3 hours and conn timeout is 1 hour. An idle tcp connection will always be timed out by conn timeout? Am I wrong?

Best Regards.

Re: PIX Timeout Values

peangvall — Thu, 26 Feb 2004 19:54:00 GMT

An xlate is a dynamic NAT, a conn is a tcp connection. You always want the xlate timeout value to be higher than the conn timeout. And you are correct, the idle tcp will be terminated by the conn timeout. Once the xlate timeout expires, the inside IP can/will be nat'd to a different global IP next time it issues new traffic.

Re: PIX Timeout Values

kkalaycioglu — Mon, 01 Mar 2004 09:34:13 GMT

OK then, if TCP (conn) times out, does PIX silently erase this conn from the table and refuse additional TCP segments of this conn? OR informs parties involved in TCP connection?

Regards.

Re: PIX Timeout Values

8dstaicu — Mon, 01 Mar 2004 12:18:11 GMT

it silently discard the connection. There are no RST send to source/destination. The role is to clear from memory "dead" connections. A normal terminated connection (rst-rstack) is cleared from pix memory at that time. This timeout should not be set to low cause it will kill long ftp transfers and so on.

Timeout for xlate clear also all reference about a host including up connections.