12-14-2011 08:32 PM - edited 03-11-2019 03:02 PM
The service policy applied to set the idle connection timeout does not apply to particular traffic destined for SQL*Net connections. However, any other TCP ports are identified. Does that mean that the SQL*Net connection idle timeout can be altered only by the global option?
Refer to:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/protct_f.html
Note: This command does not affect secondary connections created by an inspection engine. For example, you cannot change the connection settings for secondary flows like SQL*Net, FTP data flows, and so on using the set connection timeout command. For these connections, use the global timeout conn command to change the idle time. Note that the timeout conn command affects all traffic flows unless you otherwise use the set connection timeout command for eligible traffic.
Can somebody explain what this refers to?
12-14-2011 08:51 PM
Hello Kausar,
That is correct (this will affect only protocols that use secondary flow channels): secondary flows, just like the ones used by FTP data or SQL*Net, have to be limited with timeout conn, so if you try to restrict them with set connection timeout, this will not affect that traffic.
The thing is that as soon as you apply timeout conn, this will affect all the traffic traversing the ASA, so you have to be careful with this.
Hope this helps; if not, let me know and I will try to get more info for you.
Julio
12-14-2011 09:33 PM
Thanks for your speedy reply; it sounds true. I've got to be careful enough to set the timeout to unlimited for all flows, but I don't have another way, in fact, because the real issue seems to be that all my applications are Oracle/SQL*Net connections that lose the connection after the default 60 min period.
However, could you tell me what would be the impact if the conn count shows a lot of idle sessions, i.e. if the global is set to never time out?
At present it shows:
7649 in use, 37873 most used
12-14-2011 09:58 PM
Hello Kausar,
Sure, the result will affect the performance of the ASA. I mean, remember that each ASA platform has a limit of connections that the device can handle per minute. So if it gets oversubscribed you will start seeing packet drops, latency issues, high CPU, etc.
Now, if the global is set to never time out, that means that the connections will never expire, so the ASA will always have them in its connection table, which will cause some issues.
I had worked with a customer whose issue was that sometimes the ASA would start dropping some of its TCP connections, and this happened randomly. Once I got access to the ASA, the first thing I checked was the global timeout; nothing there.
Then I went to the MPF configuration and there was the issue: tcp timeout 0 0, which caused the ASA to keep all the connections; they would never time out.
Please rate helpful posts,
Julio
12-14-2011 10:04 PM
Appreciate your references. What could be the best bet yet, because I cannot single out the SQL*Net traffic and set the timeout to never? The reason being, I cannot change the session behavior of the applications.
Do you think I should set the global to 'never' and create a broader service policy rule to set the default timeout (1 hr) for an identified chunk of traffic from a known direction (e.g. from outside to all protected zones)?
12-14-2011 10:55 PM
Hello Kausar,
It is a valid option, but you will need to do something like this:
! 1521 is the Oracle listener port (the ASA's default for sqlnet)
access-list Conn_rule deny tcp any any eq 1521
access-list Conn_rule permit tcp any any
class-map test
 match access-list Conn_rule
policy-map global_policy
 class test
  set connection timeout tcp xx:00:00
Then create the global timeout for the SQL*Net traffic:
timeout conn xx:xx:xx
I would not recommend using 0 0, but we can give it a try and see if that solves your problem.
Please rate helpful posts.
Julio
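The two rules this thread turns on are easy to get wrong when reading a running-config: an MPF `set connection timeout` only applies to flows its class actually matches (and only if the policy-map is in service), while any secondary channel opened by an inspection engine (FTP data, SQL*Net redirects) ignores the MPF value and ages out on the global `timeout conn`. The script below is an added example, not code from the thread, that models exactly those rules and reports which timeout a given flow would get; it also flags the never-expire (0:00:00) settings that the earlier reply blames for a bloated connection table. The configuration text is constructed for the demo (it reuses the thread's own `Conn_rule` and `test` names), the parser understands only the handful of commands involved, and it assumes an ACE's `eq <port>` is the destination port and ignores interface and address matching.

```python
"""Which idle timeout actually applies to a TCP flow through a Cisco ASA/FWSM.
Rule 1: a flow matched by an MPF class carrying `set connection timeout tcp`
uses that value; every other flow uses the global `timeout conn`.
Rule 2: secondary flows opened by an inspection engine (FTP data, SQL*Net
redirected channels) are never eligible for the MPF value and always get the
global `timeout conn`. On both commands 0:00:00 means "never expire"."""
import re
from dataclasses import dataclass, field

PORT_NAMES = {"sqlnet": 1521, "ftp": 21, "ftp-data": 20, "www": 80}  # ASA literals used here
ASA_DEFAULT_CONN = 3600  # factory default `timeout conn 1:00:00`
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")


def parse_hms(text):
    """'hh:mm:ss' (or 'hh:mm') -> seconds; 0:00:00 means never and returns None."""
    h, m, s = ([int(p) for p in text.split(":")] + [0, 0])[:3]
    return (h * 3600 + m * 60 + s) or None


@dataclass
class AsaPolicy:
    global_conn: "int | None" = ASA_DEFAULT_CONN      # seconds, None = never
    acls: dict = field(default_factory=dict)          # name -> [(action, proto, dst_port)]
    class_acl: dict = field(default_factory=dict)     # class-map -> acl name
    class_timeout: dict = field(default_factory=dict) # (policy-map, class) -> seconds/None
    applied: set = field(default_factory=set)         # policy-maps put in service


def parse_config(text):
    """Minimal parser for just the commands the thread is about (assumption:
    an ACE's `eq <port>` is the destination port; no source-port ACEs)."""
    pol = AsaPolicy()
    class_map = policy_map = policy_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            toks, port = m.group(4).split(), None
            if "eq" in toks:
                name = toks[toks.index("eq") + 1]
                port = PORT_NAMES.get(name) or int(name)
            pol.acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), port))
        elif line.startswith("timeout conn "):
            pol.global_conn = parse_hms(line.split()[2])
        elif line.startswith("class-map "):
            class_map, policy_map = line.split()[1], None
        elif line.startswith("match access-list ") and class_map:
            pol.class_acl[class_map] = line.split()[2]
        elif line.startswith("policy-map "):
            policy_map, class_map, policy_class = line.split()[1], None, None
        elif line.startswith("class ") and policy_map:
            policy_class = (policy_map, line.split()[1])
        elif line.startswith("set connection timeout tcp ") and policy_class:
            pol.class_timeout[policy_class] = parse_hms(line.split()[4])
        elif line.startswith("service-policy "):
            pol.applied.add(line.split()[1])
    return pol


def acl_matches(entries, proto, dst_port):
    """First-match evaluation with the ASA's implicit deny at the end."""
    for action, ace_proto, ace_port in entries:
        if ace_proto in (proto, "ip") and ace_port in (None, dst_port):
            return action == "permit"
    return False


def effective_idle_timeout(pol, proto, dst_port, secondary=False):
    """Return (seconds or None for never, reason). `secondary` marks a channel
    opened by an inspection engine, e.g. FTP data or a SQL*Net redirect."""
    if secondary:
        return pol.global_conn, "timeout conn (secondary flow, MPF timeout not eligible)"
    for (pmap, cname), tmo in pol.class_timeout.items():
        acl = pol.class_acl.get(cname)
        if pmap in pol.applied and acl and acl_matches(pol.acls.get(acl, []), proto, dst_port):
            return tmo, f"set connection timeout (policy-map {pmap}, class {cname})"
    return pol.global_conn, "timeout conn (global)"


def audit(pol):
    """Flag what the thread warns about: a never-expiring timeout keeps every
    idle flow in the conn table until the platform's connection limit bites."""
    found = []
    if pol.global_conn is None:
        found.append("timeout conn 0:00:00: idle flows never age out of the conn table")
    for (pmap, cname), tmo in pol.class_timeout.items():
        if tmo is None:
            found.append(f"{pmap}/{cname}: set connection timeout tcp 0:00:00 never expires")
    return found


# Constructed config in the shape of the thread's fix: SQL*Net (1521) is denied
# in the class ACL so it falls through to the longer global timeout.
SAMPLE_CONFIG = """
timeout conn 6:00:00
access-list Conn_rule extended deny tcp any any eq 1521
access-list Conn_rule extended permit tcp any any
class-map test
 match access-list Conn_rule
policy-map global_policy
 class test
  set connection timeout tcp 1:00:00
service-policy global_policy global
"""

if __name__ == "__main__":
    pol = parse_config(SAMPLE_CONFIG)
    for port, sec in ((1521, False), (443, False), (20, True)):
        print(port, "secondary" if sec else "primary", effective_idle_timeout(pol, "tcp", port, sec))
    print(audit(pol) or "no never-expire timeouts configured")
```

With the sample config, a flow to 1521 and any inspection-opened secondary channel report the 6-hour global value, while an ordinary flow to 443 reports the 1-hour class value; removing the `service-policy` line sends everything back to the global timeout, which is the first thing to verify when an MPF timeout "does nothing".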
12-15-2011 12:13 AM
Yeah, will try that; I need to change the global_policy, which presently is set to Class-map: inspection_default:
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns maximum-length 512, packet 12057789, drop 404, reset-drop 0
Inspect: ftp, packet 268865, drop 0, reset-drop 0
Inspect: h323 h225, packet 96244, drop 0, reset-drop 0
Inspect: h323 ras, packet 388, drop 388, reset-drop 0
Inspect: netbios, packet 13248279, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 93279084, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 12369199, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
12-15-2011 09:18 AM
Hello Kausar,
Let me know as soon as you get the result.
Have a great day,
Julio
12-19-2011 07:12 AM
That seems to be it: the database connectivity seems to be matching the global policy now. Well, I did not make it unlimited for the global_policy; however, I limited it to 6 hours.
I would like to know whether you have a standard list of connections categorised as secondary flows.
Thanks a lot for your help. You have a great day.
12-19-2011 12:25 PM
Hello Kausar,
Great to hear that, now that you have changed it, it is working as you want.
I will do some research and will keep you posted.
Julio
12-21-2018 02:02 AM
I'm having this same issue with an Oracle connection. The error code is ORA-12571 TNS Write Failure. When I connect for the first time it times out. When I reconnect to Oracle about three times, then the connection is established. I have been asked by our DB admin to check the firewall configurations for session timeouts for the Oracle listen port 1526, which seems to be timing out. Any help will be appreciated. Thanks in advance.