ACE Load-balancers and TCP inactivity timeout

mnettlesNTTA
Level 1

We know the default TCP idle timeouts are: inactivity timeout (seconds): TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 300

My question is: is there any way to change JUST the HTTP/S setting, i.e. make the timeouts:

inactivity timeout (seconds): TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 1800

Right now I am making a class map to match HTTP and HTTPS, but it would be really nice if I could set the global system-wide parameters to:

inactivity timeout (seconds): TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 1800

rather than setting the system-wide parameters to:

inactivity timeout (seconds): 1800

2 Replies

mnettlesNTTA
Level 1

Unfortunately I only have a live system, so I can't easily test, but I have worked out the below. If somebody could agree that it would do what I think (change the idle timeout for HTTP and HTTPS for all inbound traffic on the respective interfaces):

 

parameter-map type connection PAMAP_HTTP_SSL_1800
  set timeout inactivity 1800

class-map match-any CMAP_HTTP_SSL
  match port tcp eq 443
  match port tcp eq 80

policy-map multi-match PMAP_HTTP_SSL_1800
  description Custom HTTP/S Idle Timeout Value
  class CMAP_HTTP_SSL
    connection advanced-options PAMAP_HTTP_SSL_1800

interface vlan 123
  service-policy input PMAP_HTTP_SSL_1800
interface vlan 629
  service-policy input PMAP_HTTP_SSL_1800
interface vlan 630
  service-policy input PMAP_HTTP_SSL_1800
interface vlan 641
  service-policy input PMAP_HTTP_SSL_1800
interface vlan 642
  service-policy input PMAP_HTTP_SSL_1800

 

 

(Edit: corrected class-map syntax)

As a bonus, can somebody confirm how to change it to apply not to all HTTP/HTTPS traffic but to specific IPs/networks?

 

I think it would be:

 

access-list TCP_IDLE_TIMEOUT extended permit tcp any host x.x.x.x eq 80
access-list TCP_IDLE_TIMEOUT extended permit tcp any host x.x.x.x eq 443

 

and then change the class-map to:

 

class-map match-any CMAP_HTTP_SSL
  description Destination IP for PMAP_HTTP_SSL_1800
  match access-list TCP_IDLE_TIMEOUT

 

 

My concern would be (I'm more used to ACLs than policy/class maps)... is this going to deny traffic that does not match the above?

 

 

 
