Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1804
Views
0
Helpful
2
Replies

How to configure Traffic flow idle time-out with CSM

Go to solution
MurielleBRAZIER
Level 1
Level 1

‎02-17-2012 07:09 AM - edited ‎03-11-2019 03:31 PM

Hi,

I am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco security manager.

For ex I needed to define a specific idle timeout for connections beetween specific devices (Devices in vlan1, Device2 in vlan2).
To test it I did following changes by CLI and it works fine.
    access-list L1 extended permit ip <@IP1> <mask1> host <@IP2>
    class-map CM1
        match access-list L1
    policy-map PM1
        class CM1
        set connection timeout idle 02:00:00

I try do do the same configuration with CSM in order to be able to manage each changes only by using CSM.
So I defined  Access control list, Traffic flow and then I define timeout in
CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules  --> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out.

The problem is that each time I deploy the configuration with CSM I loose the timeout config line which is the most important for my application...

Can you help me?

Thanks, Murielle

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎02-20-2012 11:31 AM

Hi Murielle,

What version of ASA and CSM software are you running?

In 8.2(1) and lower, the ASA command was 'set connection timeout tcp'. In 8.2(2) and higher, the command syntax changed to 'set connection timeout idle'.

Depending on your CSM version, it may be trying to push the wrong version of the command and the ASA will reject it. You could push the correct syntax for the change in a Flex Config until your CSM server is upgraded to support the ASA version.

-Mike

View solution in original post

0 Helpful
2 Replies 2

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎02-20-2012 11:31 AM

Hi Murielle,

What version of ASA and CSM software are you running?

In 8.2(1) and lower, the ASA command was 'set connection timeout tcp'. In 8.2(2) and higher, the command syntax changed to 'set connection timeout idle'.

Depending on your CSM version, it may be trying to push the wrong version of the command and the ASA will reject it. You could push the correct syntax for the change in a Flex Config until your CSM server is upgraded to support the ASA version.

-Mike

0 Helpful

Go to solution
MurielleBRAZIER
Level 1
Level 1
In response to mirober2

‎02-24-2012 12:07 AM

Hi Mirober2

I'm using the following versions :

ASA5580 OS 8.3(2)

CSM 4.0.1

I will check how to use flex config...

Thanks for your answer

Murielle

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card