Beginner

Connection timeout ASA5520

Hello,

I configured multiple VLANs on my Cisco ASA5520. Everything works perfectly except RDP (3389) connections.

The connections are established, but after a period of inactivity the user is disconnected from the server (black screen).

The same problem happens with other types of connections (client/server), for example: Oracle, file sharing...

Before installing the ASA, computers and servers were in the same VLAN and it worked well.

Is there a notion of inter-VLAN connection timeout?

Thanks for the help.

5 REPLIES
Rising star

Beginner

Hello,

I applied this command:

timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

No disconnection between machines on the same VLAN, but it is still the case for machines on different VLANs.

Does this have any relation to MTU size?

Thanks.

Beginner

Hi-

How long before your RDP sessions time out? The 'timeout conn 0' command should be issued if you wish TCP connections to 'never' timeout. Keep in mind as well, that your machines that 'aren't' timing out, that are on the same VLAN 'do not' hit the firewall because it's a Layer-2 broadcast between hosts on that segment. Crossing VLANs that are owned (or routed) by ASA will be Layer-3 traffic causing the packets to traverse the firewall. Let me know how it goes. Thanks.

Cisco Employee

Not a good practice to leave the connections idle on the firewall for a long period of time (more than the default). Check the logs and see what the reason for the teardown of the connection is. Also, you can set up DCD (Dead Connection Detection) between the hosts, and if the connection is still up the ASA won't tear it down.

Mike

Beginner

I agree it's not good practice, or the 'timeout conn' can be increased. I suspect the issue here is an 'idle' connection.
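
Added example, not part of any post in this thread: one way to follow the advice above about checking the logs for the teardown reason is to parse the ASA's `%ASA-6-302014` TCP teardown messages and count the reasons per destination port. The log lines, interface names (`clients`, `servers`) and addresses below are constructed samples, and the parser assumes IPv4 addresses and no identity-firewall user fields.

```python
import re
from collections import Counter

# Constructed sample syslog lines (connection ids, interfaces and addresses are made up).
SAMPLE_LOG = """\
Mar 01 09:00:00 asa %ASA-6-302014: Teardown TCP connection 1001 for clients:192.0.2.10/50001 to servers:198.51.100.5/3389 duration 1:00:00 bytes 482113 Conn-timeout
Mar 01 09:05:12 asa %ASA-6-302014: Teardown TCP connection 1002 for clients:192.0.2.11/50002 to servers:198.51.100.5/3389 duration 0:12:40 bytes 90211 TCP FINs
Mar 01 10:30:00 asa %ASA-6-302014: Teardown TCP connection 1003 for clients:192.0.2.12/50003 to servers:198.51.100.6/1521 duration 1:00:00 bytes 7120 Conn-timeout
Mar 01 10:31:07 asa %ASA-6-302014: Teardown TCP connection 1004 for clients:192.0.2.10/50004 to servers:198.51.100.7/445 duration 0:00:03 bytes 512 TCP Reset-O
Mar 01 10:32:00 asa %ASA-6-302013: Built inbound TCP connection 1005 for clients:192.0.2.10/50005 (192.0.2.10/50005) to servers:198.51.100.5/3389 (198.51.100.5/3389)
"""

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

def parse_teardowns(text):
    """Return one dict per TCP teardown record; all other messages are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue
        records.append({
            "conn_id": int(m["conn_id"]),
            "src_if": m["src_if"], "dst_if": m["dst_if"],
            "dst": m["dst"], "dport": int(m["dport"]),
            "seconds": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "bytes": int(m["bytes"]),
            "reason": m["reason"].strip() or "unspecified",
        })
    return records

def idle_timeouts(records):
    """Connections the firewall removed itself because the idle timer expired."""
    return [r for r in records if r["reason"].startswith("Conn-timeout")]

def reasons_by_port(records):
    """Count teardown reasons per destination port to see which services are hit."""
    return Counter((r["dport"], r["reason"]) for r in records)

if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    print(dict(reasons_by_port(recs)))
    print([(r["conn_id"], r["dport"], r["seconds"]) for r in idle_timeouts(recs)])
```

A `Conn-timeout` reason whose duration matches the configured `timeout conn` value points at the idle timer, while `TCP FINs` or a reset reason means one of the endpoints closed the session.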