Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1833
Views
0
Helpful
5
Replies

ASA vs PIX timeout

david_opalenik
Level 1
Level 1

‎08-09-2011 07:21 AM - edited ‎03-11-2019 02:09 PM

A few weeks ago, I replaced a PIX 515E with a pair of ASA 5520's.    We have a few basic web applications behind the ASA's.   Nothing complex;  just port 80/443 traffic.    During the swap, we basically just copied the config from the PIX to the ASA.   So the config is virtually identical.

Since the swap, we have one small set of users who gets timed out when trying to get to the application.    This small set of users are scattered across the state of Alaska, and they are all accessing the Internet via a satellite connection.   All other users across North America can access the application just fine.  

Since the satellite connections are relatively slow, but they worked fine when going through the PIX, I suspect the issue is a difference in the default TTL (or similar parameter) between the PIX and the ASA.

Does anyone know what this paramter would be.  I've been scratching my head for days on this.

Thanks!

Labels:
111500-show conn detail.txt.zip
0 Helpful
5 Replies 5

csaxena
Cisco Employee
Cisco Employee

‎08-09-2011 08:28 AM

Hello David,

Please share the outputs of "show run timeout" and "sho conn details" and what version of ASA are you using ?

- Chirag

0 Helpful

david_opalenik
Level 1
Level 1
In response to csaxena

‎08-09-2011 08:34 AM

Cisco Adaptive Security Appliance Software Version 8.0(4)

SPRO-ASA# show runn timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

The output of "sho conn detail" is many pages long.   Should I filter output on

something to make it more helpful?   What specifically should I look for in the

output of "show conn detail"?

Thanks!

0 Helpful

csaxena
Cisco Employee
Cisco Employee
In response to david_opalenik

‎08-09-2011 08:40 AM

Please upload the file using "advanced editor" on top right.

0 Helpful

david_opalenik
Level 1
Level 1
In response to csaxena

‎08-09-2011 08:50 AM

Output of "show conn detail" was uploaded.

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to david_opalenik

‎08-23-2011 11:59 AM

Hi David,

Do you have a set of IP addresses facing this issue? You could try increasing the idle timeout for TCP connections using the timeout conn command though i find it highly improbably that the connections fomr the Alaska users is idle for 1 hour.

How long does the connection work before they start timing out?

Regards,

Prapanch

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card