01-24-2007 04:19 AM
Hi Gilles,
Is there a TCP idle timeout of exactly 60 minutes within the ACE software for non-LB connections?
I have a certain TCP connection from a front-end server to a certain back-end server which gets a TCP RST every 60 minutes.
The application guys blame the network for this TCP reset. In my opinion, all the timing values which are set, e.g., in a connection map apply only to the ports designated within the corresponding load-balancing rules.
So if I am not wrong, any other connection traversing the ACE module should be treated as a "simple" connection, as over any other layer 2/3 switch in a network, with the exception that the ACE is in charge of the routing of this network.
As I am not a hundred percent sure that there isn't a timer comparable to the xlate timeout on PIX or ASA for idle sessions, I thought maybe you have an idea.
Have a look at the attached text file.
Thanks for reading
Roble
01-30-2007 07:57 AM
02-02-2007 05:24 AM
Just found what I have been looking for.
Quote:
The seconds argument specifies the time period after which the ACE disconnects idle established connections. Enter an integer from 0 to 4294967294 seconds. The defaults are:
- ICMP: 2 seconds
- TCP: 3600 seconds (1 hour)
- UDP: 120 seconds (2 minutes)
03-03-2008 02:32 PM
Hi,
I cannot open those links. Not available.
I have a similar problem.
Oracle app servers behind the ACE open sessions to the database through the ACE back into the C6K VLAN. Those connections time out and app sessions are dropped.
I cannot find any option to change TCP timeout parameters for TCP sessions that are not load balanced but just routed or bridged.
Regards
Metod
03-04-2008 01:12 AM
You can catch the connections opened by your servers with an ACL inside a class-map.
Then create a policy-map multi-match, use your class-map, and set the connection parameter-map with the idle timeout set to the value that you need.
Gilles.
01-29-2009 11:28 PM
Metod, did you ever have any luck with this? I'm running A2.1.3 and am running into the exact same problem.
Have even changed my tcp timeouts to 8 hours and still odd connection drops.
02-12-2009 05:14 AM
Hi,
I have filtered out the hosts with an ACL. Here is the relevant part of the config.
----------------------------------
access-list ORADB line 8 extended permit tcp any
parameter-map type connection TIMEOUT
  set timeout inactivity 43200
class-map match-all APP_TO_ORADB
  2 match access-list ORADB
policy-map multi-match TCP_POLICY_ORADB
  class APP_TO_ORADB
    connection advanced-options TIMEOUT
interface vlan 220
  description SERVER site
  ...
  service-policy input TCP_POLICY_ORADB
  ...
10-01-2011 08:25 AM
Hi,
Good information, but I have a doubt.
I have an existing L3/L4 multi-match policy like the one below.
I would like to increase the inactivity timeout on all TCP connections. Can I nest the new class map (match-all) in my policy-map, as shown below in bold?
Can this create problems for the existing policy?
Can you confirm that I can apply only one L3/L4 policy map to the interface VLAN?
Is it necessary to remove and apply the policy to see the effect of the new timeout?
Thanks in advance
Best Regards
policy-map multi-match L4_VIP3_POLICY
  description Multi-Match VIPs on Vlan 18 to ServerFarms
  class L4-FARM-RDP
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-TOKYO
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-TOKYO
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class TCP-CLASS
    connection advanced TCP-PARAM
where:
parameter-map type connection TCP-PARAM
  set timeout inactivity 36000
class-map match-all TCP-CLASS
  match port tcp any
10-01-2011 03:06 PM
Hi,
It has been quite some time since I was dealing with this problem, so my answer is not really accurate.
I think you can add an additional class/class-map definition into the existing policy-map without a problem.
As far as I remember, you can put more policy maps on the interface, but I am not sure, nor do I know how they are processed then.
I also think you don't need to remove it and reapply.
But if you want to change the connection timeout parameter for all connections, then the easiest way is to do it globally with the command
set timeout inactivity seconds.
You can find more details in the configuration guide:
I hope this is somehow helpful
Best regards,
Metod
10-02-2011 05:14 AM
Yes. It should work after you apply the command.
Rgds,
10-07-2011 04:56 AM
Hi,
Thanks for your interest, I found the correct solution.
You can enter the parameter map into an existing class-map if you want to change only the timeout of those connections, as shown below (OUTPUT1).
If you want to change the timeout for all sessions, you can add a class map as indicated in OUTPUT2.
You can filter with an ACL to select the correct traffic.
Regards
OUTPUT1
policy-map multi-match L4_VIP3_POLICY
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
    connection advanced TCP-PARAM
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
    connection advanced TCP-PARAM
where:
parameter-map type connection TCP-PARAM
  set timeout inactivity 86400
OUTPUT2
policy-map multi-match L4_VIP3_POLICY
  class TCP-CLASS
    connection advanced TCP-PARAM
  class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
  class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
where:
parameter-map type connection TCP-PARAM
  set timeout inactivity 86400
class-map match-all TCP-CLASS
  match port tcp any
02-12-2009 04:25 AM
Hi,
I was facing similar issues where, after 1 hour, all sorts of connections used to get dropped. Please make the modifications below to avoid this scenario:
=========================================
parameter-map type connection TCP
  set timeout inactivity 86400
parameter-map type connection UDP
  set timeout inactivity 86400
policy-map multi-match TCP-UDP-TIMEOUTS
  class TCP-Connection
    connection advanced-options TCP
  class UDP-Connection
    connection advanced-options UDP
service-policy input TCP-UDP-TIMEOUTS
Plz rate if it helps...
07-23-2009 05:25 AM
We saw a similar problem with Oracle connections on TCP port 1521. I believe that the following configuration only sets the TCP inactivity timeout for sourced IP addresses and TCP port 1521 (either direction). Gilles, can you confirm?
parameter-map type connection TCP-IDLE
  set timeout inactivity 14400
class-map match-all REAL_SERVERS
  2 match source-address 10.15.4.0 255.255.255.0
  3 match port tcp eq 1521
policy-map multi-match TCP-INACTIVITY
  class REAL_SERVERS
    connection advanced-options TCP-IDLE
service-policy input TCP-INACTIVITY
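An added example (not from any poster in this thread, and not Cisco tooling): a small Python check that reads an ACE configuration in the style posted above and reports, per policy-map class, whether a connection parameter-map sets the inactivity timeout or the class still gets the 3600-second TCP default quoted earlier. The sample config is constructed and the function names are hypothetical.

```python
import re

DEFAULT_TCP_IDLE = 3600  # ACE default for TCP quoted in the thread (seconds)

# Constructed sample modelled on the configurations posted in this thread.
SAMPLE = """\
parameter-map type connection TCP-PARAM
set timeout inactivity 86400
class-map match-all TCP-CLASS
match port tcp any
policy-map multi-match L4_VIP3_POLICY
class L4-FARM-RDP-NY
loadbalance vip inservice
connection advanced TCP-PARAM
class L4-FARM-RDP-KUALA
loadbalance vip inservice
"""

def idle_timeouts(config):
    """Map (policy-map, class) -> (idle seconds, parameter-map name or 'default')."""
    params, attached, classes = {}, {}, []
    pmap = policy = cls = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"parameter-map type connection (\S+)", line):
            pmap, policy, cls = m.group(1), None, None
        elif m := re.match(r"policy-map multi-match (\S+)", line):
            pmap, policy, cls = None, m.group(1), None
        elif re.match(r"(class-map|interface|access-list)\b", line):
            pmap = policy = cls = None  # left the block we were tracking
        elif pmap and (m := re.match(r"set timeout inactivity (\d+)", line)):
            params[pmap] = int(m.group(1))
        elif policy and (m := re.match(r"class (\S+)", line)):
            cls = (policy, m.group(1))
            classes.append(cls)
        elif cls and (m := re.match(r"connection advanced(?:-options)? (\S+)", line)):
            attached[cls] = m.group(1)  # posts use both spellings of the command
    result = {}
    for c in classes:
        name = attached.get(c)
        result[c] = (params[name], name) if name in params else (DEFAULT_TCP_IDLE, "default")
    return result

def classes_below(config, needed_seconds):
    """Classes whose idle timeout is shorter than the application needs."""
    return [c for c, (secs, _) in idle_timeouts(config).items() if secs < needed_seconds]

if __name__ == "__main__":
    for (policy, cls), (secs, src) in idle_timeouts(SAMPLE).items():
        print(f"{policy}/{cls}: {secs}s ({src})")
    print("below 8h:", classes_below(SAMPLE, 8 * 3600))
```

The check works on flattened, unindented output like the posts above because it tracks context by keyword rather than by indentation.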