cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1834
Views
0
Helpful
2
Replies

Cut-through Proxy uauth timeout question

jimsiff
Level 1
Level 1

We currently use a cut-through proxy-like feature on Juniper SSG firewalls for our guest wireless network that allows a seven day (168 hour) timeoout, which matches the DHCP lease time.  This extended time is not a problem with the SSG since it maintains an auth table completely separate from the NAT/xlate table. 

I'm trying to implement the same function on an ASA 5520 failover pair, however I'm very reluctant to set 'timeout uauth 168:0:0 absolute' because I would be required to set 'timeout xlate 168:0:0' as well.  I'm concerned that setting the xlate timeout that high would invite xlate table overruns and intermittent DOS through the firewall.

Is there any way to set the cut-through uauth timeout higher (or use a similar authentication function) without increasing the system-wide xlate timeout to match?  If not, are my concerns about setting the xlate timeout so high valid?  The ASAs are pretty highly utilized overall.

Thanks,


Jim

2 Replies 2

Maykol Rojas
Cisco Employee
Cisco Employee

Hello Jim,

Correct me if I am wrong, but you can change only the timeout for the uauth without having actually to change the xlate timeout. This would make the firewall to maintain the uauth table for the amount of time you configure... the only thing that is not going to happen is that when your users go out to the internet they wont be prompted for username and password...

Hope this makes sense.

Mike

Mike

Hi Mike,

I wish that were the case.  When I try to set uauth timeout to 168 hours, I get an error because my xlate timeout is set much lower.  It appears to me that the uauth timout is directly linked to the xlate timeout.  I'm looking for a way to handle user authentication without setting the system-wide xauth timeout so high.

fw-bv-1(config)# timeout uauth 168:0:0 absolute
uauth timeout 168:00:00 cannot be greater than the xlate timeout 0:30:00
Usage: timeout [xlate|conn|udp|icmp|sunrpc|h323|mgcp|sip|sip_media|uauth [...]]

fw-bv-1# sri ^timeout
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

Thanks,

Jim

Review Cisco Networking for a $25 gift card