Cisco ASA kills idle sessions

Gerorymo
Level 1

Hi everyone,

I just got into a strange situation here. I've got an ASA 5516-X with Software Version 9.9(2)36.

We have some services which connect from the DMZ side to the LAN side via port 1521 (sqlnet) to an Oracle database. Sometimes, when there is no traffic, the session is just disconnected; however, when you roll the same service out in the LAN segment only, it stays connected.

My question is: does the ASA have some policy to disconnect idle sessions and clear the session table, and if yes, is it possible to tweak that to a longer time or to exclude this specific traffic entirely?

Thank you in advance!

Accepted Solution

Rahul Govindan
VIP Alumni

Yes, the ASA has connection idle timeouts for different protocols. You can change them as well:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/conns-connlimits.html

The default timeout for TCP is 1 hour.


Hello, Rahul.

I really appreciate the help. I created a class map, applied it to a policy map, and applied that to the LAN interface with unlimited conn and unlimited half-closed timeouts for sqlnet ingress traffic for that specific service. It seems to be working like a charm.

Regards,

Olim
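The Modular Policy Framework configuration Olim describes, written out as an added example (not taken from the thread or from Cisco's documentation). The ACL name, class-map and policy-map names, interface nameif values and IP addresses are all assumptions; the only values from the thread are TCP port 1521 and the 1-hour default TCP idle timeout.

```cisco
! Added example, not from the thread. Names, nameifs and addresses below
! are assumptions; replace them with the real DMZ client and Oracle host.
!
! 1. Select only the SQL*Net flows from the DMZ service to the Oracle host,
!    so the relaxed timers do not apply to every TCP connection on the box.
access-list DMZ_TO_ORACLE_SQLNET extended permit tcp host 172.16.10.20 host 10.0.0.50 eq 1521
!
! 2. Class map that matches the ACL above.
class-map CM_SQLNET_LONGLIVED
 match access-list DMZ_TO_ORACLE_SQLNET
!
! 3. Policy map. A timer of 0:00:00 disables that timeout ("unlimited");
!    the ASA default TCP idle timeout is 1 hour, half-closed 10 minutes.
policy-map PM_SQLNET_LONGLIVED
 class CM_SQLNET_LONGLIVED
  set connection timeout idle 0:00:00
  set connection timeout half-closed 0:00:00
!
! 4. Apply to the interface the thread used (the LAN side, nameif "inside").
service-policy PM_SQLNET_LONGLIVED interface inside
!
! Verification (exec mode): confirm the policy is hit and the conn shows
! the new timeout values.
!   show service-policy interface inside
!   show conn address 10.0.0.50 port 1521 detail
!
! Lower-risk alternative to "never time out": keep a finite idle timer but
! enable Dead Connection Detection, so the ASA probes both endpoints before
! tearing a quiet-but-alive session down, instead of holding state forever
! for peers that have silently gone away.
!   policy-map PM_SQLNET_LONGLIVED
!    class CM_SQLNET_LONGLIVED
!     set connection timeout idle 2:00:00
!     set connection timeout dcd 0:00:15 5
```

With the timers disabled, the entries for this flow only leave the conn table when one side closes the connection, so watch `show conn count` on busy boxes; the DCD variant avoids that trade-off.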
