Connection gets dropped exactly after 5 minutes for the application hosted behind ACE 4710

Saroj Pariyar
Level 1

Hi Guys,

I am going through a strange issue. There is one application hosted behind a Cisco ACE 4710, and when the application team tries to access the application, the connection gets dropped exactly after 5 minutes. But when they try to access the application directly through the server (bypassing the Cisco ACE), the connection does not get dropped. The configuration is pretty straightforward, nothing fancy. If anyone has faced a similar issue before with the Cisco ACE 4710, please let me know.

probe tcp TCP_8101
  port 8101
  interval 10
  faildetect 5
  passdetect interval 40
  open 1

class-map match-all app_ASPEN_DCT_PREProd_class
  2 match virtual-address x.x.x.x tcp eq https

serverfarm host app_ASPEN_DCT_PREProd
  probe TCP_8101
  rserver servername1 8101
    inservice
  rserver servername2 8101
    inservice

policy-map type loadbalance first-match app_ASPEN_DCT_PREProd_policy
  class class-default
    serverfarm app_ASPEN_DCT_PREProd

policy-map multi-match POLICY-LB-VLAN488
  class app_ASPEN_DCT_PREProd_class
    loadbalance vip inservice
    loadbalance policy app_ASPEN_DCT_PREProd_policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 488

Thanks


sivaksiv
Cisco Employee

Hi,

The default inactivity timeouts are as follows: TCP: 3600 sec, UDP: 120 sec, ICMP: 2 sec

These are inactivity timeouts, meaning if the connections are idle for this many seconds then the connection will be dropped.

If you need a different TCP timeout value, you can change it using the following example.

To change the TCP idle timeout to 5 minutes:

parameter-map type connection TCP-PARAM
  set timeout inactivity 300

class-map match-all TCP-CLASS
  match port tcp any

policy-map multi-match VIP
  class TCP-CLASS
    connection advanced TCP-PARAM

-

Siva

Hi Siva,

As per the Cisco document:

Starting with software version A4(1.0), the default connection inactivity timeout settings for the ACE have changed to the following values:

ICMP—2 seconds
TCP—3600 seconds (1 hour)
HTTP/SSL—300 seconds
UDP—10 seconds

How can I increase the HTTP/SSL default timeout value of 300 seconds? I tried to increase the timeout value for HTTP/SSL only, but the ACE does not have any option for that:

nuspthtestlds001/Admin(config-parammap-conn)# set timeout inactivity ?
  <0-3217203>  Inactivity (TCP 3600, HTTP/SSL 300, UDP 10, ICMP 2)

If I set a value of, let's say, 500, does it apply to all of TCP, HTTP/SSL, UDP and ICMP?

Please suggest.

Hi Saroj,

If you are running 5.x then you also have an option to add the parameter map globally.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_x/release/note/ACE_mod_rn_A51x.html

Read the section "Globally Applying Parameter Map Inactivity and TCP Half-Closed Connection Timeout Values".

If you want to apply it for a specific VIP then you should apply it as follows:

parameter-map type connection connection_pm
  set timeout inactivity 600

serverfarm host TEST_SERVERFARM
  probe TCP-80-PROBE
  rserver TEST 80
    inservice

class-map match-all TEST_CM
  2 match virtual-address 10.72.54.19 tcp eq 80

policy-map type loadbalance first-match TEST-PM
  class class-default
    serverfarm TEST_SERVERFARM

policy-map multi-match POLICY
  class TEST_CM
    loadbalance vip inservice
    loadbalance policy TEST-PM
    loadbalance vip icmp-reply active
    connection advanced-options connection_pm

Hope that helps.

regards,

Ajay Kumar

Hi Ajay,

I appreciate your quick response.

Will it change the HTTPS inactivity timeout too, or will this change the TCP inactivity timeout? For my issue I need to change the HTTPS inactivity timeout. Could you please suggest how to do that?

Thanks

Hi Saroj,

Before applying the parameter map:

ace30/Admin# sh parameter-map CONN
Parameter-map : CONN
Description : -
Type : connection
    nagle                              : disabled
    slow start                         : disabled
    buffer-share size                  : 32768
    inactivity timeout (seconds)       : TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 300
    reassembly timeout (seconds)       : 60
    embryonic timeout (seconds)        : 5
    ack-delay (milliseconds)           : 200
    WAN Optimization RTT (milliseconds): 65535
    half-closed timeout (seconds)      : 3600
    fast FIN timeout (seconds)         : disabled
    TOS rewrite                        : disabled
    syn retry count                    : 4
    TCP MSS min                        : 0
    TCP MSS max                        : 1460
    tcp-options drop range             : 0-0
    tcp-options allow range            : 0-0
    tcp-options clear range            : 1-255
    selective-ack                      : clear
    timestamp                          : clear
    window-scale                       : clear
    window-scale factor                : 0
    reserved-bits                      : allow
    random-seq-num                     : enabled
    SYN data                           : allow
    full-proxy-mss-mismatch            : disabled
    exceed-mss                         : drop
    urgent-flag                        : allow
    conn-rate-limit                    : disabled
    bandwidth-rate-limit               : disabled
ace30/Admin#

After applying the parameter map:

ace30/Admin(config)# parameter-map type connection CONN
ace30/Admin(config-parammap-conn)# set timeout inactivity 600
ace30/Admin(config-parammap-conn)# end
ace30/Admin#
ace30/Admin# sh parameter-map CONN
Parameter-map : CONN
Description : -
Type : connection
    nagle                              : disabled
    slow start                         : disabled
    buffer-share size                  : 32768
    inactivity timeout (seconds)       : 600  <<< You will notice that the value has changed for all
    reassembly timeout (seconds)       : 60
    embryonic timeout (seconds)        : 5
    ack-delay (milliseconds)           : 200
    WAN Optimization RTT (milliseconds): 65535
    half-closed timeout (seconds)      : 3600
    fast FIN timeout (seconds)         : disabled
    TOS rewrite                        : disabled
    syn retry count                    : 4
    TCP MSS min                        : 0
    TCP MSS max                        : 1460
    tcp-options drop range             : 0-0
    tcp-options allow range            : 0-0
    tcp-options clear range            : 1-255
    selective-ack                      : clear
    timestamp                          : clear
    window-scale                       : clear
    window-scale factor                : 0
    reserved-bits                      : allow
    random-seq-num                     : enabled
    SYN data                           : allow
    full-proxy-mss-mismatch            : disabled
    exceed-mss                         : drop
    urgent-flag                        : allow
    conn-rate-limit                    : disabled
    bandwidth-rate-limit               : disabled

So, to answer your question, the suggested changes will change the HTTPS inactivity timeout also.

regards,

Ajay Kumar
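
The before/after `sh parameter-map CONN` comparison in the post above can be checked programmatically. This is an added example, not part of the original post and not Cisco tooling: it parses the "inactivity timeout" line in both forms shown (per-protocol defaults, or a single configured value) and reports which protocol's idle timeout matches an observed drop time. The sample text is constructed from the outputs above; the function names are hypothetical.

```python
import re

# Constructed excerpts modelled on the two `sh parameter-map CONN` outputs above.
BEFORE = """\
Parameter-map : CONN
Type : connection
    inactivity timeout (seconds)       : TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 300
    half-closed timeout (seconds)      : 3600
"""
AFTER = """\
Parameter-map : CONN
Type : connection
    inactivity timeout (seconds)       : 600  <<< annotation
    half-closed timeout (seconds)      : 3600
"""

PROTOCOLS = ("TCP", "UDP", "ICMP", "HTTP/SSL")
_LINE = re.compile(r"^\s*inactivity timeout \(seconds\)\s*:\s*(.+)$", re.M)


def inactivity_timeouts(show_output):
    """Return {protocol: seconds} from `show parameter-map` text.
    Handles the per-protocol default form and the single value shown
    once `set timeout inactivity` has been configured."""
    m = _LINE.search(show_output)
    if not m:
        raise ValueError("no inactivity timeout line found")
    value = m.group(1)
    pairs = re.findall(r"([A-Z/]+):\s*(\d+)", value)
    if pairs:
        return {proto: int(sec) for proto, sec in pairs}
    single = re.match(r"(\d+)", value)
    if not single:
        raise ValueError("unrecognised timeout value: %r" % value)
    # A configured value replaces the default for every protocol.
    return {proto: int(single.group(1)) for proto in PROTOCOLS}


def matching_protocols(show_output, observed_drop_seconds, tolerance=5):
    """Protocols whose idle timeout matches an observed drop time."""
    return sorted(
        p for p, s in inactivity_timeouts(show_output).items()
        if abs(s - observed_drop_seconds) <= tolerance
    )


if __name__ == "__main__":
    print(matching_protocols(BEFORE, 300))  # the 5-minute drop in the question
    print(inactivity_timeouts(AFTER))
```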

Is there any way to increase JUST the HTTP/SSL portion?

What I would really want is to change:

inactivity timeout (seconds)       : TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 300

to

inactivity timeout (seconds)       : TCP: 3600, UDP: 10, ICMP: 2, HTTP/SSL: 1800


This is how you apply timeouts for HTTP connections:

policy-map multi-match HTTP
  class HTTP
    connection advanced-options HTTP

class-map match-any HTTP
  2 match port tcp eq www

parameter-map type connection HTTP
  set timeout inactivity 1200

Then apply this service-policy globally or on the interface from where the traffic is coming in.
