Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
226
Views
10
Helpful
1
Replies

ASA 9.4 tcp idle timeout under class in policy

andy!doesnt!like!uucp
Spotlight
Spotlight

‎11-16-2016 02:32 AM - edited ‎03-12-2019 01:32 AM

Hello Gents,

we have on our ASA huge number of connections which seems to be idle. Similar to below:
TCP INET_FW: XX.XXX.XXX.XXX/56535 INET_CORE: YY.YY.YY.YY/20406,
    flags UfIB , idle 1h3m, uptime 1h9m, timeout 15m0s, bytes 444

For this specific connections (on destination host/port) we configured actions under specific class in global policy:

    Class-map: YY.YY.YY.YY-20406
      Inspect: http, packet 133154, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 37 pkts/sec, v6-fail-close 0
      Set connection policy:         drop 0
      Set connection timeout policy:
        embryonic 0:00:40 half-closed 0:02:00 idle 0:05:00
        DCD: enabled, retry-interval 0:15:00, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0

So it seems like idle timeouts dont work. Can anybody explain this behavior and give hint on how to fight?

Thanks for any valuable input,

Labels:
1 Reply 1

andy!doesnt!like!uucp
Spotlight
Spotlight

‎11-16-2016 04:47 AM

resolved. DCD probes signal to ASA session is alive.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card