2485 Views, 0 Helpful, 4 Replies

ASA 5505 Firewall disconnecting inactive tcp session

Natalie Ramirez
Level 1

My company has a DCS network that was previously segregated with a layer 3 switch and a handful of access lists.  However, there came this big push to segregate all DCS networks with Firewalls, so I purchased a 5505 and duplicated my simple access lists on the firewall and everything worked.  There is no NAT, just explicitly permitted traffic out and explicitly permitted traffic in.  However, there are some applications that connect and work fine for a few hours, then disconnect and the user must exit out of the application and go back into it, then it starts working again.  Previously with the Layer 3 Switch/access lists, this never happened.  Since I put the firewall in place, it has happened 3 to 4 times a day every day for the last week.

Any ideas?

4 Replies

Jouni Forss
VIP Alumni

Hi,

First you could check the ASA syslog messages to see what reason it gives for terminating the connections. Or perhaps you have already done this on the basis of the topic?

You could check the output of command "show run timeout"

If they are on default values I guess you can consider increasing the "timeout" values for "xlate" and "conn"

Perhaps something like

timeout xlate 4:00:00

timeout conn 4:00:00

Or even more if you want.

Whether these global timeout configurations have a negative effect on the firewall performance depends on the number of hosts behind the firewall and the amount of connections they generate through the firewall.

- Jouni
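The reply above suggests two checks before changing anything: read the teardown reason the ASA logs, and compare it with `show run timeout`. The script below is an added example written for this page (it is not code from the thread or from Cisco). It parses constructed `%ASA-6-302014` teardown syslog lines and a constructed `show run timeout` listing, groups teardowns by reason, and lists the flows dropped as `Conn-timeout` together with the service port they were talking to, which is what you need to decide whether the idle timer is really the culprit. Interface names (`inside`, `dcs`), addresses, ports, the `DCS_LONGLIVED_*` object names and the `SHOW_RUN_TIMEOUT`/`SYSLOG` samples are all made up; the snippet generator assumes the default policy-map name `global_policy`.

```python
"""Correlate ASA '%ASA-6-302014' teardown syslogs with the configured
'timeout conn' value, to confirm the idle timer is what drops the sessions
before touching any timeout. All sample data below is constructed."""
import re
from collections import Counter

# Constructed 'show run timeout' output showing ASA factory defaults.
SHOW_RUN_TIMEOUT = """\
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout uauth 0:05:00 absolute
"""

# Constructed syslog lines in the 302014 format; the trailing field is the
# teardown reason the ASA recorded (Conn-timeout = idle timer expired).
SYSLOG = """\
%ASA-6-302014: Teardown TCP connection 1443 for inside:192.168.10.7/49152 to dcs:10.20.0.5/5450 duration 3:14:09 bytes 8812 Conn-timeout
%ASA-6-302014: Teardown TCP connection 1450 for inside:192.168.10.9/49201 to dcs:10.20.0.5/5450 duration 0:00:41 bytes 1207 TCP FINs
%ASA-6-302014: Teardown TCP connection 1461 for inside:192.168.10.7/49310 to dcs:10.20.0.8/102 duration 2:48:30 bytes 5310 Conn-timeout
%ASA-6-302014: Teardown TCP connection 1470 for inside:192.168.10.12/49377 to dcs:10.20.0.8/102 duration 0:12:13 bytes 4420 TCP Reset-O
"""

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def conn_timeout_seconds(show_run_timeout: str) -> int:
    """Global TCP idle timeout from 'show run timeout', in seconds."""
    m = re.search(r"^timeout conn (\d+:\d{2}:\d{2})", show_run_timeout, re.M)
    if not m:
        raise ValueError("no 'timeout conn' line in input")
    return hms_to_seconds(m.group(1))


def parse_teardowns(syslog_text: str) -> list:
    """Return one dict per 302014 line, with the duration also in seconds."""
    events = []
    for line in syslog_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            e = m.groupdict()
            e["duration_s"] = hms_to_seconds(e["duration"])
            events.append(e)
    return events


def teardown_reasons(events) -> Counter:
    """How many teardowns the ASA attributed to each reason."""
    return Counter(e["reason"] for e in events)


def idle_timeout_victims(events, conn_timeout_s: int) -> list:
    """Flows the ASA tore down as Conn-timeout. Such a flow sat idle for the
    whole idle interval, so its lifetime must be >= 'timeout conn'; a shorter
    lifetime means a per-class MPF timeout, not the global value, fired."""
    victims = []
    for e in events:
        if e["reason"] != "Conn-timeout":
            continue
        victims.append({
            "from": f'{e["src"]}/{e["sport"]}',
            "to": f'{e["dst"]}/{e["dport"]}',
            # heuristic: the lower (well-known) port identifies the service
            "service_port": min(int(e["sport"]), int(e["dport"])),
            "duration_s": e["duration_s"],
            "global_timer": e["duration_s"] >= conn_timeout_s,
        })
    return victims


def mpf_idle_timeout(service_port: int, idle: str = "4:00:00") -> str:
    """ASA Modular Policy Framework snippet raising the idle timeout only for
    one service port instead of globally. Assumes the default policy-map name
    global_policy; the access-list/class-map names are made up here."""
    name = f"DCS_LONGLIVED_{service_port}"
    return "\n".join([
        f"access-list {name} extended permit tcp any any eq {service_port}",
        f"class-map {name}",
        f" match access-list {name}",
        "policy-map global_policy",
        f" class {name}",
        f"  set connection timeout idle {idle}",
    ])


if __name__ == "__main__":
    timeout = conn_timeout_seconds(SHOW_RUN_TIMEOUT)
    events = parse_teardowns(SYSLOG)
    print("teardown reasons:", dict(teardown_reasons(events)))
    for v in idle_timeout_victims(events, timeout):
        print(v)
    print(mpf_idle_timeout(5450))
```

Run against real syslog output (`logging buffered informational` or an external syslog server), `Conn-timeout` entries with lifetimes of hours on the DCS service ports are the signature of the symptom in the original post; `TCP Reset-I`/`TCP Reset-O` or `TCP FINs` would instead point at the application or host ending the session. If the idle timer is confirmed, the generated per-class `set connection timeout idle` policy limits the longer timeout to the long-lived DCS flows, whereas the global `timeout conn` change in the reply applies to every TCP connection through the box.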