Solved: Cisco ASA kills idle sessions

Gerorymo · ‎07-11-2019

Hi everyone,

I just got in a strange situation here. I've got an ASA 5516-x with Software Version 9.9(2)36.

We have some services which are connecting from DMZ site to LAN site via 1521 (sqlnet) to an oracle database. Sometimes when there is no traffic session is just being disconnected, however when you roll in the same service in LAN segment only it stays connected.

My question is, does ASA have some policy to disconnect idle sessions and clear the session table and if yes, is there a possibility to tweak that for the longer time or exclude this specific traffic at all?

Thank you in advance!

Rahul Govindan · ‎07-11-2019

Yes, the ASA has connection idle timeouts for different protocols. You can change this as well:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/conns-connlimits.html

Default timeout for TCP is 1 hour.

View solution in original post

Rahul Govindan · ‎07-11-2019

Yes, the ASA has connection idle timeouts for different protocols. You can change this as well:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/conns-connlimits.html

Default timeout for TCP is 1 hour.

Gerorymo · ‎07-13-2019

Hello, Rahul.

Really appreciate the help. I created a class map, which applied to policy map and applied to LAN interface with unlimited conn and unlimited half-close for sqlnet traffic for ingress traffic for that specific service. Seems working like a charm.

Regards,

Olim