Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


ASA TCP Idle Connection Timeout Suspense

Hello I upgraded our Cisco ASA 5520 with a Cisco ASA 5585. Though both ASA were configured with default TCP Idle Connection Timeout values people are now starting to complaint that idle SSH connections are being terminated. This is proper behavior but they were claiming it didn't occur with the old firewall. Our users are setting keepalives for 1800 seconds to get around this before I can bump the setting to infinite (setting 0). Is there a bug with the feature in older ASA OS?


Hi, Before looking for a bug



Before looking for a bug I would check the ASA logs (hopefully you are storing them to a separate Syslog server) and see why the connections are torn down (Teardown reason) and how long have they been on the ASAs connection table before they were torn down.


You also have the option to perform traffic capture on the ASA for the traffic in question and confirm why or which party terminates the connection.


I guess you can use the MPF on the ASA to configure separate idle timeouts for just these SSH Connections if you do not want to touch the global timeout values.


I have not run into any problems with the timeout settings on the older softwares. In the newer softwares (8.3+) I have run into these problems. In those situation the ASA has not removed the connection that have reached the timeout value. I have seen connection that have been idle for over 1000h.


- Jouni

Hello Jouni Forss,

Hello Jouni Forss,

recently we've got into the similar problem (ASA 9.4 doesnt tear down connections with >1h default and 5m configured for most of connections idle timer. Did u identify the reason why it happened?

Thank u,

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here