Contributor

ASA timeout commands

Dears,

My xlates are growing very fast. I have plenty of IP addresses doing lots of PAT, and there are lots of NAT entries with flags sIT idle 1157:53:39 timeout 0:00:00.


TCP PAT from INSIDE:192.168.30.72/52890 to Internet:192.168.159.1/52890 flags ri idle 4:06:53 timeout 0:00:30
TCP PAT from INSIDE:192.168.30.72/52888 to Internet:192.168.159.1/52888 flags ri idle 4:06:54 timeout 0:00:30

NAT from any:192.168.244.0/24 to INSIDE:192.168.244.0/24
    flags sIT idle 1157:53:39 timeout 0:00:00

I have these commands in the running config:

timeout xlate 4:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

Thanks

VIP Advisor

Re: ASA timeout commands

Can you please post the full global configuration to review? (if not possible to post the full config due to company policy)

Please refer to this thread; it is useful:

https://supportforums.cisco.com/t5/firewalling/reg-tcp-timeouts-in-asa/td-p/1479915

BB
*** Rate All Helpful Responses ***
Contributor

Re: ASA timeout commands

Thanks for the reply.

My goal is to reach the IP addresses which are generating lots of xlates. How can I reach them? There were no changes on the ASA timeouts; they are on the default. There are some PCs or servers that are sending traffic, which is generating the xlates.

Thanks

Contributor

Re: ASA timeout commands

Dears,

Please find the attached file. There are 2 different NAT and PAT; can anybody explain to me the timers for them, and why there are so many xlates from one IP address and their timers are reaching hours?


Contributor

Re: ASA timeout commands

Dear Experts,

Awaiting replies.

Thanks

RJI, VIP Advocate

Re: ASA timeout commands

Hi,

The first NAT entry in your xlate text file example is a static NAT. This has a permanent xlate entry which is added to the xlate table when the object is created; it will never time out. An xlate entry will exist regardless of whether you are using the object. If you have unused static NAT entries, you can delete them, thereby reducing the number of static entries.

Whereas PAT does not have a permanent xlate entry: an xlate entry is added to the xlate table dynamically once traffic is NATted by matching the PAT rule. It has a 30 second xlate timeout, which will begin only when the last conn is removed.

This post has more information on this.

HTH

Contributor

Re: ASA timeout commands

Dears,

Thanks for the documents.

timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

As expected from the commands above, I traced one connection and its xlate, and it is working perfectly: the TCP connection times out at 1:00:00, and after 30 sec the xlate disappears. But a few months ago the ASA was generating few xlates (809, and less than 1000); now it is reaching more than 7000.

How can I find the IP addresses that are generating too much traffic?

Thanks

RJI, VIP Advocate

Re: ASA timeout commands

You could use the command "show local-host detail connection tcp 50". This would display hosts that have more than 50 active TCP connections and the amount of bytes transferred. You can obviously use another value other than 50. Removing "tcp 50" would display all connections.

HTH
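The two points made in this thread (static NAT entries are permanent and never time out, PAT xlates are dynamic and start their pat-xlate timer only after the last conn is gone) and the question of which inside hosts are generating the xlates can also be worked through from a saved copy of the xlate table. The Python below is an added example, not code from the thread or from Cisco: it parses text in the format of the `show xlate` lines quoted in the original post (the sample is constructed from those lines plus one made-up UDP entry and header line), drops the static entries, and counts the remaining dynamic xlates per inside host. The "show local-host" command suggested above does the equivalent on the box itself; this script is for offline review of captured output.

```python
"""Find the inside hosts behind a growing xlate table.

Added example for this thread, not Cisco code. It parses text in the
format of the `show xlate` lines quoted in the original post. A static
entry (flag s, timeout 0:00:00) is permanent and says nothing about
traffic; only dynamic PAT/NAT entries point at the PCs or servers that
are actually generating xlates.
"""
import re
from collections import Counter

# Constructed sample: the TCP PAT and NAT lines are copied from the
# thread's quoted output; the UDP line and the "in use" header are made
# up to mirror the shape of real `show xlate` output.
SAMPLE_XLATE = """\
4 in use, 7000 most used
TCP PAT from INSIDE:192.168.30.72/52890 to Internet:192.168.159.1/52890 flags ri idle 4:06:53 timeout 0:00:30
TCP PAT from INSIDE:192.168.30.72/52888 to Internet:192.168.159.1/52888 flags ri idle 4:06:54 timeout 0:00:30
UDP PAT from INSIDE:192.168.30.10/40001 to Internet:192.168.159.1/40001 flags ri idle 0:00:05 timeout 0:00:30
NAT from any:192.168.244.0/24 to INSIDE:192.168.244.0/24
    flags sIT idle 1157:53:39 timeout 0:00:00
"""

# One xlate record: optional protocol, PAT/NAT, interface:address pairs,
# then the flags/idle/timeout trailer (which may have been on a second line).
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) )?(?P<kind>PAT|NAT) from "
    r"(?P<src_if>[^:\s]+):(?P<src>\S+) to (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"\s+flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)$"
)


def hms_to_seconds(hms):
    """Convert an ASA duration (h:mm:ss, hours may exceed 24) to seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def _records(text):
    """Yield one logical record per xlate; indented lines continue the previous one."""
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            current += " " + line.strip()
            continue
        if current is not None:
            yield current
        current = line.strip()
    if current is not None:
        yield current


def parse_xlate(text):
    """Parse `show xlate` text into a list of dicts; non-entry lines are skipped."""
    entries = []
    for record in _records(text):
        match = ENTRY_RE.match(record)
        if not match:
            continue  # e.g. the "N in use, M most used" header
        fields = match.groupdict()
        # Drop the /port (PAT) or /prefix-length (static NAT) to get the host.
        host = fields["src"].partition("/")[0]
        entries.append({
            "proto": fields["proto"],
            "kind": fields["kind"],
            "src_if": fields["src_if"],
            "src": fields["src"],
            "src_host": host,
            "dst": fields["dst"],
            "flags": fields["flags"],
            "static": "s" in fields["flags"],  # permanent entry, never times out
            "idle_s": hms_to_seconds(fields["idle"]),
            "timeout_s": hms_to_seconds(fields["timeout"]),
        })
    return entries


def dynamic_xlates_per_host(entries):
    """Count dynamic xlates per inside host; static (permanent) entries are excluded."""
    return Counter(e["src_host"] for e in entries if not e["static"])


def summarize(text, top_n=5):
    """Return totals and the inside hosts holding the most dynamic xlates."""
    entries = parse_xlate(text)
    static = sum(1 for e in entries if e["static"])
    return {
        "total": len(entries),
        "static": static,
        "dynamic": len(entries) - static,
        "top_hosts": dynamic_xlates_per_host(entries).most_common(top_n),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_XLATE)
    print(f"{report['total']} xlates: {report['static']} static, {report['dynamic']} dynamic")
    for host, count in report["top_hosts"]:
        print(f"  {host:<16} {count} dynamic xlates")
```

On real output, feed the script the saved text of `show xlate` and compare the per-host counts against the baseline from when the table held under 1000 entries; a host whose dynamic count keeps climbing while its entries sit far past the 30 second pat-xlate timeout is holding conns open, which is exactly what "show local-host detail connection" on the ASA would confirm.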

Frequent Contributor

Re: ASA timeout commands

Very nice command (show local-host detail connection tcp 50) - I had no idea about it.
Thanks for the tips!