ASA TCP timeout Timer

kthned
Level 3

Hi

Can someone guide me or redirect me to a document where I can find the suitable TCP timeout timer for my ASA box? Currently it is set to 3600 seconds. Our resources are a 5585 with 12 GB RAM (capable of 4 million connections) configured with two contexts. Though these are just the starting days for the ASA in our system, we are hitting 500,000 TCP connections (most used).

But a few users are complaining about connection drops (shorter TCP timeout timer = 3600 sec) as their applications (SSH, DB backup etc.) time out due to having no keepalive mechanism.

So my question is: what should be the optimal (conservative) timeout value for the ASA box?

Hope someone replies. Thanks!

Accepted Solution

With 500k connections you are far away from the platform limit. So I assume that the problems are just caused by the applications that are idle for more than 3600s.

Increasing the timeout is the traditional way to address this problem (it can be done globally or individually by MPF), but there is also the Dead Connection Detection (DCD) feature, which can help to keep these idle connections open in the ASA if they are still active.


2 Replies


I know the thread is old; however, I had not noticed anyone mention using a policy-map to keep certain connections or applications from timing out.

1.  Create an access list, e.g. "ssh". (It could be an access list for certain IPs, using a permit "tcp" access-list for all ports/apps' connections to and from certain IP addresses, etc.)

   access-list ssh_conn_time extended permit tcp host 192.168.100.120 any eq ssh
   access-list ssh_conn_time extended permit tcp 192.168.200.0 255.255.255.0 192.168.225.0 255.255.255.0

; (All TCP connections from subnet 192.168.200.0/24 to all of 192.168.225.0/24 will have a conn timeout set by the policy and class ssh_conn_time. For brevity I used ssh for the name, but one of the access-list lines allows any TCP port.)

2.  Create a class-map (whatever you name it):

    class-map ssh_conn_time
       ! a class-map only carries match statements
       match access-list ssh_conn_time

3.  Now add the class under your global_policy map:

      policy-map global_policy
        class ssh_conn_time
          ! set connection is a policy-map class action, not a class-map command
          set connection timeout idle 12:00:00 dcd

;(set this for however long you like, use ? to get the values hh:mm:ss)
;(the one above sets 12 hours 0 mins 0 secs)

4.  Connections from the interesting traffic list will have timeout values set as configured. If you don't want to use the global policy map, configure accordingly.

Here is an old, old Cisco doc that talks about timeouts and limits, from the 8.2 days.
Chapter: Configuring Connection Limits and Timeouts
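As an added example, not code from this thread or from Cisco, here is a small Python helper that renders the MPF structure described above (access-list, class-map with match only, policy-map class with the timeout action) from a short spec, validating the hh:mm:ss value before emitting anything. TimeoutClass, render_mpf and the sample entries are hypothetical names and constructed data; it does not check the ASA's upper bound on idle timeouts.

```python
import re
from dataclasses import dataclass

# ASA timeouts are written hh:mm:ss; 0:0:0 disables the idle timeout entirely.
TIME_RE = re.compile(r"^(\d{1,4}):([0-5]?\d):([0-5]?\d)$")


def timeout_seconds(hhmmss: str) -> int:
    """Validate an hh:mm:ss value and return it in seconds."""
    m = TIME_RE.match(hhmmss)
    if not m:
        raise ValueError(f"malformed hh:mm:ss timeout: {hhmmss!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


@dataclass
class TimeoutClass:  # hypothetical helper type: one interesting-traffic group
    name: str          # shared by the access-list and the class-map
    aces: list         # ACE bodies after "permit tcp", e.g. "host 10.0.0.5 any eq ssh"
    idle: str          # hh:mm:ss idle timeout for matching connections
    dcd: bool = True   # probe idle endpoints instead of silently dropping them


def render_mpf(classes, policy="global_policy"):
    """Emit ACLs, then class-maps (match only), then policy-map class actions."""
    for c in classes:
        timeout_seconds(c.idle)            # fail before emitting a partial config
    lines = []
    for c in classes:
        for ace in c.aces:
            lines.append(f"access-list {c.name} extended permit tcp {ace}")
    for c in classes:
        lines.append(f"class-map {c.name}")
        lines.append(f" match access-list {c.name}")
    lines.append(f"policy-map {policy}")
    for c in classes:
        lines.append(f" class {c.name}")
        # set connection is a class action: it lives here, not in the class-map
        lines.append(f"  set connection timeout idle {c.idle}" + (" dcd" if c.dcd else ""))
    return "\n".join(lines)


# Constructed sample: the thread's SSH host plus a long-running backup subnet pair
SAMPLE = [
    TimeoutClass("ssh_conn_time", ["host 192.168.100.120 any eq ssh"], "12:00:00"),
    TimeoutClass("db_backup_time",
                 ["192.168.200.0 255.255.255.0 192.168.225.0 255.255.255.0"], "8:00:00"),
]

if __name__ == "__main__":
    print(render_mpf(SAMPLE))
```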
