06-06-2012 02:49 AM
Hi everyone
We have a Problem with the default inactivity timeout values on our ACE A4.
A Web-Service of ours takes up to 12 Minutes for creating its reports. But after 300 secs, the ACE kills the connection and sends a Reset to Server and Client, due to Inactivity Timeout (see https://supportforums.cisco.com/thread/2140771).
As described in http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html, we configured the inactivity timer on a parameter-map, which worked out fine:
parameter-map type connection HTTP_TIMEOUT
  set timeout inactivity 3600
policy-map multi-match CLIENT-VIPs
  class ZONE1.XY.Z_CM
    loadbalance vip inservice
    loadbalance policy ZONE1.XY.Z_PM
    loadbalance vip icmp-reply active
    connection advanced-options HTTP_TIMEOUT
But this works only for Connections with Virtual IPs - Direct (bridged) connections as the previously mentioned service are not affected by this configuration. Is there any way to change the Inactivity Parameter in a global way and not only for VIP-Connections?
Thanks in advance and greetings from Berne, Switzerland
Stefan Mueller
Our configuration:
system: Version A4(2.2) [build 3.0(0)A4(2.2) adbuild_15:26:12-2011/10/10_/auto/adbure_nightly4/renumber/rel_a4_2_2_throttle/REL_3_0_0_A4_2_2]
system image file: (hd0,1)/c4710ace-t1k9-mz.A4_2_2.bin
Device Manager version 4.2 (0) 20110907:2229
06-06-2012 03:22 AM
Hi,
Just a quick hint: create an ACL permitting our desired traffic, call that in a class map, call that class map in a policy map and apply the parameter map.
06-06-2012 08:27 AM
Hi,
Maybe you can take a look at this feature:
Per CSCtf91257, the new switch-mode timeout command in configuration mode allows you to configure the inactivity timeout for TCP or UDP connections in Switch mode. The ACE forwards connections that do not match any VIP. In Switch mode, these connections have TCP normalization disabled and the inactivity timeout set to 2 hours and 15 minutes (8,100 seconds). Since UDP connections do not have a close protocol, this timeout defines their minimum lifetime. Therefore, this command was introduced to minimize the number of old connections, particularly UDP.
The syntax for this command is as follows:
switch-mode timeout seconds
The seconds argument is the time period in seconds for idle connections after which the ACE disconnects the connection. Enter an integer from 1 to 65535. By default, the timeout is 8100 seconds.
For example, to configure a timeout of 10 seconds, enter the following command:
host/Admin(config)# switch-mode timeout 10
To reset the default timeout, enter the following command:
host/Admin(config)# no switch-mode timeout
Here you have the link where you can find extra details:
Hope this helps!!!
-------------------------------
Jorge
06-15-2012 02:48 AM
thanks a lot, this helped
(although it isn't a global command: you have to config this for switch-mode and config advanced option for every VIP. A bit more of a hassle than we hoped for, but it works fine)
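Because the timeout has to be set per VIP class as well as for switch mode, a saved running-config can be checked offline for classes that were missed. The following is an added example, not part of the original thread or any Cisco tooling; the sample config is constructed (class ZONE2.XY.Z_CM is hypothetical) and the parser assumes indented sub-commands.

```python
import re

# Constructed sample in the style of the configs posted in this thread;
# class ZONE2.XY.Z_CM and its policy are hypothetical additions.
SAMPLE_CONFIG = """\
parameter-map type connection HTTP_TIMEOUT
  set timeout inactivity 3600
policy-map multi-match CLIENT-VIPs
  class ZONE1.XY.Z_CM
    loadbalance vip inservice
    loadbalance policy ZONE1.XY.Z_PM
    connection advanced-options HTTP_TIMEOUT
  class ZONE2.XY.Z_CM
    loadbalance vip inservice
    loadbalance policy ZONE2.XY.Z_PM
switch-mode timeout 3600
"""

def audit_timeouts(config):
    """Return ({(policy, class): seconds or None}, switch-mode seconds or None).
    None means no explicit setting was found in the config text."""
    pmaps, classes, switch_mode = {}, {}, None
    pmap = policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new block
            pmap = policy = cls = None
        if m := re.match(r"parameter-map type connection (\S+)$", line):
            pmap = m.group(1)
        elif (m := re.match(r"set timeout inactivity (\d+)$", line)) and pmap:
            pmaps[pmap] = int(m.group(1))
        elif m := re.match(r"policy-map multi-match (\S+)$", line):
            policy = m.group(1)
        elif (m := re.match(r"class (\S+)$", line)) and policy:
            cls = (policy, m.group(1))
            classes[cls] = None
        elif (m := re.match(r"connection advanced-options (\S+)$", line)) and cls:
            classes[cls] = m.group(1)
        elif m := re.match(r"switch-mode timeout (\d+)$", line):
            switch_mode = int(m.group(1))
    # Resolve each class's parameter-map reference to its inactivity value.
    return {k: pmaps.get(v) for k, v in classes.items()}, switch_mode

if __name__ == "__main__":
    per_class, switch_mode = audit_timeouts(SAMPLE_CONFIG)
    for (policy, cls), secs in per_class.items():
        print(f"{policy}/{cls}: {secs if secs is not None else 'not set'}")
    print("switch-mode timeout:", switch_mode or "not set")
```

A class that references a parameter-map which is not defined in the same text is also reported as not set.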
01-21-2013 02:23 AM
Hi,
We have had to change the http and https timeouts for all traffic and could not do it per VIP as we many times load balance tcp/any.
Had to open a TAC case and I think it was what Gaurav has suggested. This way all http & https traffic got a different inactivity timeout. But in another case that I just now have opened it looks like this is not true for connections that go through the alias IP, i.e. routed mode (more specifically, in our case, One-Arm routed (asymmetric traffic)).
Here is the config we use on all our contexts where we need all HTTP/HTTPS to have 3600 as their inactivity timeout:
parameter-map type connection CONN-TIMEOUT-3600
  set timeout inactivity 3600
class-map match-all CONN-TIMEOUT-HTTP
  match port tcp eq http
class-map match-all CONN-TIMEOUT-HTTPS
  match port tcp eq https
policy-map multi-match CONN-TIMEOUT-HTTP-HTTPS
  class CONN-TIMEOUT-HTTP
    connection advanced-options CONN-TIMEOUT-3600
  class CONN-TIMEOUT-HTTPS
    connection advanced-options CONN-TIMEOUT-3600
service-policy input CONN-TIMEOUT-HTTP-HTTPS
The multi-match policy was assigned globally and is an additional one to the one where we define the VIPs.