
Aggressively killing idle sessions

dbgreekas
Level 1

I have an internal problem due to a third party that is causing TCP session resets to not reach my border ASA. This is causing me problems on the Internet side, as these connections hang around for up to 5 min, which appears to be the minimum TCP timeout allowed by an ASA for an established TCP session.

This traffic is being NATed and thus my public IP is bumping into open session limits with a remote party because of this...

Until I can correctly fix the internal issue (not under my control), is there any way I can kill off these sessions faster? When working correctly these sessions only last 15-30 s, and there are a lot of them, so the 5 min idle timeout limit is killing me.

As far as I can tell, changing dead connection detection and xlate timeouts will not work, since they happen AFTER the TCP idle timeout (minimum 5 min).

Any IDEAS? I do have a specific set of source addresses and one specific destination IP and port involved in this issue so making an aggressive change specific to this traffic would be ideal.

3 Replies

Maykol Rojas
Cisco Employee

Hi,

Well, the sessions should remain there only by the time specified by the RFC which would be 30s and the connection should go down with a message "SYN timeout".

With the show conn command you can see which connections are sitting idle.

With the show conn detail, you should see which TCP flags are held by that connection.

Would you be able to post one example of those TCP sessions that stay idle for 5 minutes?

Mike

Source and target IP obfuscated to protect the innocent. The flags are the same for each of the connections related to this issue.

TCP Outside:1.1.1.1/443 transit-Inside:10.x.x.x/2674,
    flags UFRIO, idle 4m59s, uptime 5m1s, timeout 5m0s, bytes 2009

Hi,

Maybe you can use this document to help with this case?

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

Or had you tried this yet?

You should be able to match certain traffic and apply different timeout rules for that traffic without affecting the global settings

I quickly configured this on my home ASA and this is the output of "show conn long" with one TCP connection to which the new timeout is applied

TCP WAN:y.y.y.y/443 (y.y.y.y/443) WLAN:10.0.255.20/57598 (x.x.x.x/57598), flags UIO, idle 27s, uptime 28s, timeout 1m0s, bytes 5635

You are able to set the timeout even in seconds. A simple test configuration I used to match ALL traffic (which probably isn't the case in your situation)

class-map CONNS
 match any
policy-map global_policy
 class inspection_default
 class CONNS
  set connection timeout idle 0:01:00

Hope this helps

- Jouni
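The same MPF approach, narrowed to the traffic the original poster described (a known set of inside sources talking to one remote IP and port), as an added example that is not part of any post in this thread. The addresses, ACL and class names are placeholders; the inside subnet and the remote host are assumed values and must be replaced with the real ones. Two details worth checking against the running release before relying on this: the per-class minimums for the idle and half-closed timers differ between ASA versions (older 8.x trains enforce a 5 minute floor, newer releases allow far lower values, which is why Jouni's home box accepts 1 minute), and the flags in the posted output (F = outside FIN, R = outside acknowledged FIN, in addition to U/I/O) show the remote side has already closed its half, so the half-closed timer may be the one actually governing these connections rather than the plain idle timer. The `reset` keyword makes the ASA send a RST to both endpoints when it tears the connection down, which is what the missing third-party resets would otherwise have done for the remote peer.

```cisco
! Added example, not from the thread. Placeholder values:
!   10.10.20.0/24     - inside hosts involved (assumption)
!   203.0.113.10/443  - remote destination IP and port (assumption)
! Use the real (pre-NAT) inside addresses in the ACL.
access-list HANG_SESSIONS extended permit tcp 10.10.20.0 255.255.255.0 host 203.0.113.10 eq 443

class-map HANG_SESSIONS
 match access-list HANG_SESSIONS

! global_policy is already applied with "service-policy global_policy global",
! so adding a class to it is enough; no new service-policy line is needed.
policy-map global_policy
 class HANG_SESSIONS
  set connection timeout idle 0:01:00 reset
  set connection timeout half-closed 0:01:00

! Verification (run from exec mode):
! confirm the class exists in the applied policy and is counting hits
show service-policy
! watch the matched connections; the "timeout" column should now show 1m0s
show conn address 203.0.113.10 port 443 long
```

If the ASA rejects either timer value as below the minimum, it is the release floor mentioned above, not a syntax problem; pick the lowest value the running version accepts. Keep the class scoped to this ACL so the global 1 hour idle timeout for everything else is untouched.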
