https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298714#M610443 <HTML><HEAD></HEAD><BODY><P>Art,</P><P></P><P>Not a problem. I am not exactly sure what you mean by the question. The conn timer is the time that the PIX will allow the connection to sit idle before tearing it down. If we see traffic flow across this connection, the timer resets to 0. If we reach the configured time and the timer has not been reset, the connection gets torn down. Does this answer your question at all?</P><P></P><P>Scott</P></BODY></HTML> Tue, 09 Dec 2003 21:04:20 GMT scoclayton 2003-12-09T21:04:20Z https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298711#M610440 <P>Hi,</P><P></P><P>What are the possible performance problems and security issues with increasing the timeout values (conn especially)?</P><P></P><P>Are there any recommendations as to the max values? I cannot find anything other than syntax on the web site. </P> Fri, 21 Feb 2020 07:08:47 GMT https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298711#M610440 aemr 2020-02-21T07:08:47Z https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298712#M610441 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The defualt values are the recommended values under normal circumstances but we do realize that there are some situations where these values will not work. From a Security standpoint and performance standpoint, you probably will not see any change when bumping the conn timeout upa bit. The only real difference is that the PIX will wait longer before tearing down connections that have gone idle. You *could* see more conns stored which will eat more memory but in most cases, this will probably be negligable. Most PIX installations have very few conns that time out due to the idle timer being reached unless there is some application that passes across the PIX that is left open and un-used for long periods of time. Hope this helps.</P><P></P><P>Scott</P></BODY></HTML> Tue, 09 Dec 2003 20:04:49 GMT https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298712#M610441 scoclayton 2003-12-09T20:04:49Z https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298713#M610442 <HTML><HEAD></HEAD><BODY><P>Thank you Scott,</P><P></P><P>Last Q...</P><P></P><P>What is the relationship between the connection and idle timeouts?</P><P></P><P>Thanks again,</P><P></P><P>Art</P></BODY></HTML> Tue, 09 Dec 2003 20:47:10 GMT https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298713#M610442 aemr 2003-12-09T20:47:10Z https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298714#M610443 <HTML><HEAD></HEAD><BODY><P>Art,</P><P></P><P>Not a problem. I am not exactly sure what you mean by the question. The conn timer is the time that the PIX will allow the connection to sit idle before tearing it down. If we see traffic flow across this connection, the timer resets to 0. If we reach the configured time and the timer has not been reset, the connection gets torn down. Does this answer your question at all?</P><P></P><P>Scott</P></BODY></HTML> Tue, 09 Dec 2003 21:04:20 GMT https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298714#M610443 scoclayton 2003-12-09T21:04:20Z https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298715#M610444 <HTML><HEAD></HEAD><BODY><P>We bumped our xlate value up to 6 hours. Then I dump the xlate table every 6 hours using a TCL/expect script. Then I correlate my DHCP logs with the xlate entries. Purpose being to track a user down by the global IP address they were surfing with. Anybody have any comments about the accuracy of doing this? The concept to use this info for enforcement purposes. </P></BODY></HTML> Tue, 09 Dec 2003 21:35:25 GMT https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298715#M610444 dlac455 2003-12-09T21:35:25Z https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298716#M610445 <HTML><HEAD></HEAD><BODY><P>Yes that does Scott. Sorry about the poor wording. I appreciate the help.</P><P></P><P>Art</P></BODY></HTML> Tue, 09 Dec 2003 21:41:47 GMT https://community.cisco.com/t5/network-security/pix-timeout-conn-recommendations/m-p/298716#M610445 aemr 2003-12-09T21:41:47Z