02-23-2012 05:48 AM
Hello,
After reading a few posts about this, I've been trying to test the procedure.
I configured an ACL for a test workstation, connecting to an RServer simply by going through the ACE, and tried to change the idle_timeout, but can't seem to make it work.
What I did:
access-list ACL_TCP_IDLE line 8 extended permit tcp host 172.26.112.193 any
access-list ACL_TCP_IDLE line 9 extended permit tcp any host 172.26.112.193 (for test purposes)
parameter-map type connection TCP_IDLE
set timeout inactivity 15
class-map match-all TCP_IDLE_CLASS
2 match access-list ACL_TCP_IDLE
After this, I tried putting the class into the existing policy, and also tried applying the service policy to the VLAN. Neither seems to work.
Test 1:
policy-map multi-match server-policy
class .....
class TCP_IDLE_CLASS
connection advanced-options TCP_IDLE
Test 2:
policy-map multi-match TCP_CONN
class TCP_IDLE_CLASS
connection advanced-options TCP_IDLE
int VLAN Servers
service-policy input TCP_CONN
What seems strange is that, looking at the ACL, it seems not to be active, and there are no hits:
access-list:ACL_TCP_IDLE, elements: 2, status: NOT-ACTIVE
remark :
access-list ACL_TCP_IDLE line 8 extended permit tcp host 172.26.112.193 any
access-list ACL_TCP_IDLE line 9 extended permit tcp any host 172.26.112.193
Has anyone done something like this?
02-27-2012 01:11 AM
Hi,
The ACL output you are getting is normal. An ACL will only show as active and log hits when it's directly applied on an interface to allow/deny traffic, not when it's used to define a class-map.
At first sight, the configuration you are using seems to be fine. How are you testing it? You should start by using the "show service-policy" command to see if this class is getting any hits. Then, if you see hits in this class, you should establish a connection and keep it idle, measuring the time it takes for it to be removed from the connection table.
I hope this helps.
Daniel
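The second half of Daniel's test procedure (hold a connection idle, then see whether it is still in the connection table) can be scripted from the test workstation. The following is an added example, not code from this thread: it opens a connection, idles for a chosen period, then sends one probe and checks that the echo returns, stepping through candidate idle periods to find the longest one that survives. The echo server at the bottom is a constructed stand-in for the RServer so the script runs offline; against a real ACE path, point it at the VIP/RServer and use candidates around the configured 15 seconds (for example 5, 10, 20, 30).

```python
import socket
import threading
import time

# Hypothetical probe (not from the thread above): open a TCP connection, leave it
# idle for `idle_seconds`, then send one probe and wait for the echo. A device that
# aged the flow out of its connection table ('set timeout inactivity') drops or
# resets the probe, so the echo never arrives and the function returns False.
def connection_survives_idle(host, port, idle_seconds, probe=b"ping\n", reply_timeout=2.0):
    with socket.create_connection((host, port), timeout=5.0) as s:
        time.sleep(idle_seconds)  # the idle period under test
        try:
            s.sendall(probe)
            s.settimeout(reply_timeout)
            data = b""
            while len(data) < len(probe):
                chunk = s.recv(4096)
                if not chunk:  # peer closed or reset the connection
                    return False
                data += chunk
            return data == probe
        except (socket.timeout, ConnectionError, OSError):
            return False

def measure_idle_timeout(host, port, candidates):
    """Longest idle period (seconds) from `candidates` that a fresh connection
    survives; None if even the shortest fails. Stops at the first failure."""
    longest = None
    for idle in sorted(candidates):
        if not connection_survives_idle(host, port, idle):
            break
        longest = idle
    return longest

# Constructed local echo server standing in for the RServer so the probe runs
# offline; with no ACE in the path every idle period survives.
def start_echo_server(host="127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port chosen by the OS

def _echo(conn):
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)
```

Pair the result with "show service-policy" hit counts on the ACE: if the class shows hits and the longest surviving idle period lands just under the configured inactivity value, the timeout is being enforced.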