How to configure Traffic flow idle time-out with CSM

MurielleBRAZIER
Level 1

Hi,

I am looking for a way to define an idle timeout for specific flows on an ASA5580 by using Cisco Security Manager.

For example, I needed to define a specific idle timeout for connections between specific devices (Devices in vlan1, Device2 in vlan2).
To test it, I made the following changes by CLI and it works fine.
    access-list L1 extended permit ip <@IP1> <mask1> host <@IP2>
    class-map CM1
        match access-list L1
    policy-map PM1
        class CM1
            set connection timeout idle 02:00:00

I tried to do the same configuration with CSM in order to be able to manage each change only by using CSM.
So I defined an access control list and a traffic flow, and then I defined the timeout in
CSM -> PIX/ASA/FWSM Platform -> Service Policy Rules -> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out.

The problem is that each time I deploy the configuration with CSM, I lose the timeout config line, which is the most important for my application...

Can you help me?

Thanks, Murielle

Accepted Solutions

mirober2
Cisco Employee

Hi Murielle,

What version of ASA and CSM software are you running?

In 8.2(1) and lower, the ASA command was 'set connection timeout tcp'. In 8.2(2) and higher, the command syntax changed to 'set connection timeout idle'.

Depending on your CSM version, it may be trying to push the wrong version of the command and the ASA will reject it. You could push the correct syntax for the change in a Flex Config until your CSM server is upgraded to support the ASA version.

-Mike

Hi Mirober2

I'm using the following versions:

ASA5580 OS 8.3(2)

CSM 4.0.1

I will check how to use flex config...

Thanks for your answer

Murielle
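
The version split from the accepted answer, written as a check to run on configuration text saved after a deployment (an added example, not code from the thread or from Cisco): it looks for the timeout line under a given policy-map and class and reports whether it is missing or uses the keyword that does not match the ASA version. The function names and both sample configs are constructed for illustration.

```python
import re

# Per the accepted answer: 8.2(1) and lower use 'tcp', 8.2(2) and higher use 'idle'.
SYNTAX_CHANGE = (8, 2, 2)

def parse_asa_version(text):
    """Turn an ASA version string such as '8.3(2)' into (8, 3, 2)."""
    m = re.match(r"\s*(\d+)\.(\d+)\((\d+)\)", text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g) for g in m.groups())

def expected_keyword(version_text):
    return "idle" if parse_asa_version(version_text) >= SYNTAX_CHANGE else "tcp"

def find_timeout(config, policy, cls):
    """Return (keyword, value) of the timeout set under policy/class, or None."""
    cur_policy = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level command starts a new block
            cur_policy = line.split()[-1] if line.startswith("policy-map ") else None
            cur_class = None
        elif line.startswith("class "):
            cur_class = line.split()[1]
        elif (cur_policy, cur_class) == (policy, cls) and line.startswith("set connection timeout "):
            m = re.search(r"\b(idle|tcp)\s+(\d+:\d+:\d+)", line)
            if m:
                return m.groups()
    return None

def check_deploy(config, version_text, policy, cls):
    """'ok', 'missing', or 'wrong-syntax' for the timeout line of policy/class."""
    found = find_timeout(config, policy, cls)
    if found is None:
        return "missing"
    return "ok" if found[0] == expected_keyword(version_text) else "wrong-syntax"

# Constructed sample: config text in which the deployment dropped the timeout line.
AFTER_DEPLOY = "class-map CM1\n match access-list L1\npolicy-map PM1\n class CM1\n"
# Constructed sample: the same block with the CLI change from the thread intact.
AFTER_CLI = AFTER_DEPLOY + "  set connection timeout idle 2:00:00\n"

if __name__ == "__main__":
    for name, cfg in (("after deploy", AFTER_DEPLOY), ("after CLI", AFTER_CLI)):
        print(name, "->", check_deploy(cfg, "8.3(2)", "PM1", "CM1"))
```

A "missing" result after a deployment is the symptom described in the question; the Flex Config workaround from the accepted answer should turn it into "ok".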