Solved: Does anyone know how to increase udp timeouts to 1 hr on asa 5505

Chris Knipe · ‎03-06-2012

Hi,

I am troubleshooting an issue with our voip guys and they are telling me that the

Best way to resolve the problem is to increase UDP NAT timeout to 1 hr. I am not sure on how to do this to this config. Can someone tell me what should be changed to enable this? scrubbed config attached.

svaish · ‎03-07-2012

These are the default timeout values on the ASA

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

If you want to modify this globally then you can do this

ASA3(config)# timeout udp ?

configure mode commands/options:

0:0:0 | <0:1:0> - <1193:0:0> Idle time after which general UDP states will

be closed, default is 0:02:00

<0-0> Specify this value to never time out

If you want to modify the timeout values for the specific flow from a particular source to destination you can do this

To match specific traffic, you can match an access list:

hostname(config)# access list CONNS extended permit ip any 10.1.1.1 255.255.255.255

hostname(config)# class-map CONNS

hostname(config-cmap)# match access-list CONNS

hostname(config)# policy-map CONNS

hostname(config-pmap)# class CONNS

hostname(config-pmap-c)# set connection timeout UDP (here you can set the time)

Also refer to this link for clarification
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1080774

Sachin

View solution in original post

svaish · ‎03-07-2012

These are the default timeout values on the ASA

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

If you want to modify this globally then you can do this

ASA3(config)# timeout udp ?

configure mode commands/options:

0:0:0 | <0:1:0> - <1193:0:0> Idle time after which general UDP states will

be closed, default is 0:02:00

<0-0> Specify this value to never time out

If you want to modify the timeout values for the specific flow from a particular source to destination you can do this

To match specific traffic, you can match an access list:

hostname(config)# access list CONNS extended permit ip any 10.1.1.1 255.255.255.255

hostname(config)# class-map CONNS

hostname(config-cmap)# match access-list CONNS

hostname(config)# policy-map CONNS

hostname(config-pmap)# class CONNS

hostname(config-pmap-c)# set connection timeout UDP (here you can set the time)

Also refer to this link for clarification
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1080774

Sachin

Chris Knipe · ‎03-07-2012

Thanks Sashin. This is what I needed.

svaish · ‎03-07-2012

Good to know, please mark it as answerd if it is

Regards,

Sachin