I have a doubt about working with timeouts and the state table.
Below is the sample output:
ASA# show conn protocol tcp
101 in use, 5589 most used
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.116:5223 inside 192.168.1.3:52408, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.60:5223 inside 192.168.1.3:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.96:5223 inside 192.168.1.3:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.23.232.190:5223 inside 192.168.1.3:52424, idle 0:00:10, bytes 0, flags saA
In the above output of the command show conn, what does idle mean, and how does it work?
Each line represents a separate connection, and the idle timer indicates the elapsed time since a packet relevant to that connection has passed through the ASA.
Let us consider a UDP packet that crossed the firewall and there is no reply from the destination. My TCP timeout is 2 mins, and I have configured the embryonic timeout to be 40 mins and the idle timeout as 1 hr. In this case, will the connection table entry exist for 1 hour, or will it be cleared after 2 mins?
set connection embryonic-conn-max 3000
set connection timeout embryonic 0:40:00 idle 1:00:00
UDP and TCP are handled differently. There is no state with UDP, so there is no concept of being embryonic (half-open).
UDP connections are cleared by configuring the UDP idle timeout:
! timeout udp <hh:mm:ss> !
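As an added illustration (not code from the thread or from Cisco), here is a small Python parser for the `show conn` lines quoted above that applies the rule from both answers: a `U` in the flags marks an established TCP connection governed by the idle timeout, any other TCP entry is embryonic and governed by the embryonic timeout, and UDP entries fall under `timeout udp`. The embryonic and idle values are the ones configured in the follow-up question; the 2-minute UDP timeout and the UDP sample line are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines from the question's `show conn` output plus
# one hypothetical UDP entry so the `timeout udp` branch is exercised.
SHOW_CONN = """\
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO
UDP outside 10.23.232.5:53 inside 192.168.1.3:50000, idle 0:02:30, bytes 120, flags -
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<out_if>\S+) (?P<out_addr>\S+) (?P<in_if>\S+) (?P<in_addr>\S+), "
    r"idle (?P<idle>\d+:\d\d:\d\d), bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

# Timeouts: embryonic 0:40:00 and idle 1:00:00 from the question's config;
# 0:02:00 for UDP is assumed (the ASA default for `timeout udp`).
TIMEOUTS = {"embryonic": 40 * 60, "established": 60 * 60, "udp": 2 * 60}


def hms_to_seconds(hms):
    """Convert the idle column ('h:mm:ss') to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Conn:
    proto: str
    peer: str
    idle: int
    flags: str

    @property
    def state(self):
        # 'U' means the TCP handshake completed; any other TCP flag set is half-open.
        if self.proto == "UDP":
            return "udp"
        return "established" if "U" in self.flags else "embryonic"


def parse_show_conn(text):
    """Parse `show conn protocol tcp`-style lines; unrelated lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            peer = f"{m['out_addr']}<->{m['in_addr']}"
            conns.append(Conn(m["proto"], peer, hms_to_seconds(m["idle"]), m["flags"]))
    return conns


def expired(conns, timeouts=TIMEOUTS):
    """Peers whose idle timer already meets the timeout that applies to their state."""
    return [c.peer for c in conns if c.idle >= timeouts[c.state]]
```

With the thread's values, only the UDP entry (idle 2:30) is past its timeout; the half-open saA entries would have to sit idle for 40 minutes, not 2.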