08-19-2010 07:34 AM - edited 03-11-2019 11:28 AM
Hi all,
I have installed a Cisco ASA 5505 as our company's firewall, and from that day people with mobile devices started complaining that email is not working properly anymore. When I checked the server log I can see errors logged:
"The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [540]. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013)."
So it is quite clear that the Cisco is terminating 443 sessions too early.
I have just spent 3 hours on Google, but can't find a simple answer on how to increase the 443 (https) timeout value on a Cisco ASA 5505 firewall.
Getting frustrated here. So is there a simple command you use to change the timeout value for protocol 443 through the firewall?
In ASDM I can find timeout values, but they are not related to https? Am I right?
Thanks in advance !
Linas
08-19-2010 07:50 AM
Hello,
Please try the following:
access-list Exchange permit tcp any host
access-list Exchange permit tcp any host
class-map Exchange
match access-list Exchange
exit
policy-map global_policy
class Exchange
timeout
exit
Service-policy global_policy global
You can replace the
timeout.
Hope this helps.
Regards,
NT
For some reasons, if the message was sent from email client, the forum is truncating the response. Edited by: Nagaraja Thanthry
08-19-2010 01:06 PM
When I get to here:
policy-map global_policy
class Exchange
>>>> timeout
I have no option to type in a value:
ciscoasa(config-pmap-c)# timeout ?
configure mode commands/options:
conn Configure idle time after which a TCP connection state
will be closed, default is 1:00:00
h225 Configure idle time after which an H.225 signaling
conn will be closed, default is 1:00:00
h323 Configure idle time after which an H.323 control
connection will be closed, default is 0:05:00
half-closed Configure idle time after which a TCP half-closed
connection will be freed, default is 0:10:00
icmp Configure idle timeout for ICMP, default is 0:00:02
mgcp Configure idle time after which an MGCP media
connection will be closed, default is 0:05:00
mgcp-pat Configure the time after which an MGCP PAT Xlate will
be removed, default is 0:05:00
sip Configure idle time after which a SIP control
connection will be closed, default is 0:30:00
sip-disconnect Configure idle timeout after which SIP session is
deleted if 200 OK is not received for a CANCEL or BYE
message, default s 0:02:00
sip-invite Configure idle time after which pinholes for
PROVISIONAL responsesand media xlates will be closed,
default is 0:03:00
sip-provisional-media Configure idle time after which a SIP provisional
Media connection will be closed, default is 0:02:00
sip_media Configure idle time after which a SIP Media connection
will be closed, default is 0:02:00
sunrpc Configure idle time after which a SUNRPC slot will be
closed, default is 0:10:00
uauth Configure idle time after which an authentication will
no longer be cached and the user will need to
re-authenticate on their connection, default is
0:05:00. The default uauth timer is absolute.
udp Configure idle time after which general UDP states
will be closed, default is 0:02:00, This timer does
not apply to DNS or SUNRPC
xlate Configure idle time after which a dynamic address will
be returned to the free pool, default is 3:00:00
ciscoasa(config-pmap-c)# timeout policy-map global_policy
08-19-2010 01:18 PM
Hello,
It should have been "timeout conn ". My bad. "Conn" parameter applies
to all TCP connections. The class-map we configured (with the access-lists)
will apply it to the specific traffic in question.
Hope this helps.
Regards,
NT
08-23-2010 06:36 AM
Hm, still reporting timeout on server :/
08-23-2010 08:15 AM
Hi,
Have you tried the class-map and policy-map commands as well? If so, what value have you given for the timeout?
If it's still giving the same error, then I would suggest you get the logs from the ASA when you notice the timeout occurring. That way we can see what the reason is for the connection timing out.
Regards,
Prapanch
08-19-2010 08:04 AM
Hi,
Take a look at the below link:
In the class map you can specify "https" traffic and then specify a timeout value as the action under the policy-map class configuration:
set connection timeout idle hh:mm:ss
If you specify a value of "0", then the connections never time out. Let me know if this helps.
Regards,
Prapanch
08-19-2010 01:09 PM
Hi Prapanch,
Sorry, I am not that good in Cisco, so I am having a bit of difficulty understanding the way you are trying to get this done. Could you explain it to me in more detail please? I would appreciate it. All this "class" thing is new to me; when I was learning Cisco we had simpler ways of doing things, I don't remember any class things going on.
I would really appreciate it if you could tell me how I tell the router to increase timeouts on https traffic only.
Thanks in advance both of you !
Linas
08-19-2010 07:14 PM
Hey Linas,
Basically your configuration will go something like this:
access-list HTTPS permit tcp any any eq 443
class-map HTTPS
match access-list HTTPS
policy-map global_policy
class HTTPS
set connection timeout tcp hh:mm:ss
The value you specify in hh:mm:ss will depend on the duration you want. If you set it to 0, then the connection never times out.
regards,
Prapanch
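An added check, not posted by anyone in this thread, that reads an ASA running-config and works out the idle timeout actually applied to port 443 by the access-list/class-map/policy-map layout Prapanch describes, falling back to the global "timeout conn" default of 1:00:00 seen in the "timeout ?" output above. The sample config and the 540-second figure from the Exchange log message are constructed assumptions.

```python
import re
# Constructed sample ASA running-config fragment, laid out the way this
# thread describes (access-list -> class-map -> policy-map -> service-policy).
SAMPLE_CONFIG = """\
access-list HTTPS extended permit tcp any any eq 443
class-map HTTPS
 match access-list HTTPS
policy-map global_policy
 class HTTPS
  set connection timeout idle 0:30:00
service-policy global_policy global
"""
DEFAULT_CONN_SECONDS = 3600  # "timeout conn" default of 1:00:00 from "timeout ?"

def hms_to_seconds(value):
    """Convert an ASA hh:mm:ss duration to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s

def classes_for_port(config, port):
    """Names of class-maps that match an access-list permitting TCP to `port`."""
    acl_re = re.compile(rf"^access-list (\S+) .*permit tcp .* eq {re.escape(port)}\s*$", re.M)
    acls, classes, current = set(acl_re.findall(config)), set(), None
    for line in config.splitlines():
        if line.startswith("class-map "):
            current = line.split()[1]
        elif current and line.strip().startswith("match access-list ") and line.split()[-1] in acls:
            classes.add(current)
    return classes

def idle_timeout_seconds(config, port="443"):
    """Effective idle timeout in seconds for TCP/`port`: the per-class
    'set connection timeout idle|tcp' if present, else the global 'timeout conn'."""
    classes, current = classes_for_port(config, port), None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("class "):  # 'class X' inside a policy-map
            current = stripped.split()[1]
        elif current in classes:
            m = re.match(r"set connection timeout (?:idle|tcp) (\d+:\d\d:\d\d)", stripped)
            if m:
                return hms_to_seconds(m.group(1))  # 0 means never time out
    m = re.search(r"^timeout conn (\d+:\d\d:\d\d)", config, re.M)
    return hms_to_seconds(m.group(1)) if m else DEFAULT_CONN_SECONDS

def timeout_is_sufficient(config, required_seconds=540):
    """True if the port-443 idle timeout is 0 (never) or at least required_seconds."""
    secs = idle_timeout_seconds(config)
    return secs == 0 or secs >= required_seconds
```

Run it against "show running-config" output to confirm the class actually covers port 443 before trusting the timeout value; a class-map whose access-list does not match the traffic leaves the global default in force.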
07-21-2013 11:40 PM
Hi Linas,
Did the above suggestion from Prapanch finally work for you?
I am having a similar issue and need to confirm that. I am also concerned whether this change will affect other https-based applications. Also, I could not find the default connection timeout value for https:
The firewall does show the default for TCP as 1 hour and I was expecting that https would be part of it.
If you can come back to me fairly soon that would be highly appreciated, as I need to get this resolved ASAP.
Thanks in advance!
Regards,
mohit
10-14-2013 08:38 AM
Did this help? I am also seeing similar issues on my windows phone.