cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
20625
Views
0
Helpful
10
Replies

Cisco ASA 5505 change protocol 443 timeout value ?

linas
Level 1
Level 1

i all,

I have installed Cisco asa 5505 as our company's firewall, and  from that day people with mobile devices started complainign that email is not working properly anymore. When i checked the server log i can see errors loged:

"The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [540].  Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.  For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013)."

So it is quite clear that cisco is terminating 443 sessions to early.

I am after spending 3hours on google, but cant find a simple answer how to increase 443(https) timeout value on cisco asa 5505 firewall?

Getting frustrated here. So is there a simple command u use to change timeout value for protocol 443 through firewall ?

In ASDM i van find timeout values but they are not related to https? am i right?

Thanks in advance !

Linas

10 Replies 10

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Please try the following:

Please try the following:

access-list Exchange permit tcp any host

access-list Exchange permit tcp any host

class-map Exchange
match access-list Exchange
exit

policy-map global_policy
class Exchange
timeout
exit

Service-policy global_policy global

You can replace the with "0" if you want the connections to never

timeout.

Hope this helps.

Regards,

NT

For some reasons, if the message was sent from email client, the forum is truncating the response. Edited by: Nagaraja Thanthry

Hi Nagaraja Thanthry

when i get to here:

policy-map global_policy
class Exchange

>>>> timeout

i have no option to type in value:

ciscoasa(config-pmap-c)# timeout ?

configure mode commands/options:

  conn                   Configure idle time after which a TCP connection state

                         will be closed, default is 1:00:00

  h225                   Configure idle time after which an H.225 signaling

                         conn will be closed, default is 1:00:00

  h323                   Configure idle time after which an H.323 control

                         connection will be closed, default is 0:05:00

  half-closed            Configure idle time after which a TCP half-closed

                         connection will be freed, default is 0:10:00

  icmp                   Configure idle timeout for ICMP, default is 0:00:02

  mgcp                   Configure idle time after which an MGCP media

                         connection will be closed, default is 0:05:00

  mgcp-pat               Configure the time after which an MGCP PAT Xlate will

                         be removed, default is 0:05:00

  sip                    Configure idle time after which a SIP control

                         connection will be closed, default is 0:30:00

  sip-disconnect         Configure idle timeout after which SIP session is

                         deleted if 200 OK is not received for a CANCEL or BYE

                         message, default s 0:02:00

  sip-invite             Configure idle time after which pinholes for

                         PROVISIONAL responsesand media xlates will be closed,

                         default is 0:03:00

  sip-provisional-media  Configure idle time after which a SIP provisional

                         Media connection will be closed, default is 0:02:00

  sip_media              Configure idle time after which a SIP Media connection

                         will be closed, default is 0:02:00

  sunrpc                 Configure idle time after which a SUNRPC slot will be

                         closed, default is 0:10:00

  uauth                  Configure idle time after which an authentication will

                         no longer be cached and the user will need to

                         re-authenticate on their connection, default is

                         0:05:00. The default uauth timer is absolute.

  udp                    Configure idle time after which general UDP states

                         will be closed, default is 0:02:00, This timer does

                         not apply to DNS or SUNRPC

  xlate                  Configure idle time after which a dynamic address will

                         be returned to the free pool, default is 3:00:00

ciscoasa(config-pmap-c)# timeout policy-map global_policy

but none of these are https protocol thats were i have this mistery ? i can understand how should i decribe for this firewall that i want to do timeouts only for https trafic not for all tcp trafic :/ hrrr
What should i do?
here is my config that might help:
ciscoasa# sh running-config
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name abcd.local
enable password **** encrypted
passwd **** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.7.78.74 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name abcd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
description Remote desktop connection
port-object eq 3389
access-list outside_access_in extended permit tcp any any eq https log debugging
access-list outside_access_in extended permit tcp any any eq smtp log debugging
access-list outside_access_in extended permit tcp any any object-group RDP
access-list exchange extended permit tcp any host a.b.c.d(wan ip)
access-list exchange extended permit tcp any host 192.168.1.10
pager lines 24
logging enable
logging list pirmas level critical
logging asdm informational
logging mail critical
logging from-address it@abcd.abcd
logging recipient-address abcd@abcd level errors
logging flash-bufferwrap
logging class ids mail emergencies
logging class np mail emergencies
logging class rm mail emergencies
logging class sys mail emergencies
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.11 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.d(wanip)
timeout xlate 3:00:00
timeout conn 1:30:00 half-closed 0:30:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
!
username admin password **** encrypted privilege 15
!
class-map exchange
match access-list exchange
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
class exchange
!
service-policy global_policy global
smtp-server 192.168.1.10
prompt hostname context
Cryptochecksum:34fc93e38ef953f966584a90a5d227ab
: end

Hello,

It should have been "timeout conn ". My bad. "Conn" parameter applies

to all TCP connections. The class-map we configured (with the access-lists)

will apply it to the specific traffic in question.

Hope this helps.

Regards,

NT

Hm, still reporting timeout on server :/

Hi,

Have you tried the class-map and policy-map commands as well? If so, what vlaue have you given for the timeout?

If it's still giving the same error, then i would suggest you to get the logs from the ASA when you notice the timeout occuring. That way we can see what the reason is for the connection timing out.

Regards,

Prapanch

praprama
Cisco Employee
Cisco Employee

Hi,

Take a look at the below link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1080774

In the class map you can specify "htttps" traffic and then specify a timeout vlaue as the action under the policy-map class configuration:

set connection timeout idle hh:mm:ss

If you specify a value of "0", then the connections never timeout.Let me knwo if this helps.

Regards,

Prapanch

Hi Prapanch,

sorry i am not that good iin cisco so i am having a bit of difficult to understand the way you are trying to get this done, could you explain me more in detail please i would appreciate. as al this "class" thing is new to me when i was learning cisco we had simpler ways of doing things, i dont remember any class things going on.

I would really appreciate if you could tell me how do i tell router to increase time outs on https traffic only.

Thanks in advance both of you !

Linas

Hey Linas,

Basically your configuration will go somethng like this:

access-list HTTPS permit tcp any any eq 443


class-map HTTPS

match access-list HTTPS


policy-map global_policy

  class HTTPS

    set connection timeout tcp hh:mm:ss

The value you specify in hh:mm:ss will depend on the duration you want. if you set it to 0, then the connection never times out.

regards,

Prapanch

Hi Linas,

Did the above suggestion from Prapanch did finally work for you??

I am having the similar issue and need to confirm that.....i am also concerned will this change affect other https based applications?? also could not find the default connection timeout value for https:

the firewall does show default for tcp as 1 hour and i was expecting that https would be part of it.....

if you can come back to me fairly soon that would be highly appreciated as i need to get this resolved ASAP.

thanks in advance!

Regards,

mohit

Did this help? I am also seeing similar issues on my windows phone.

Review Cisco Networking for a $25 gift card