11-12-2009 06:21 AM - edited 03-11-2019 09:39 AM
I am running into an issue where one of the TCP services going through my PIX running 8.0(4) sends packets AFTER the specific connection has timed out. The result is that it reports an error on a packet for a non-existent connection. Is there a way for me to increase the timeout for this one specific TCP service? I know this can be done in Check Point firewalls, and I am looking for an equivalent mechanism in the PIX.
Any help is appreciated.
thanks
Joerg
11-12-2009 07:20 AM
Hi Joerg,
Yes it can be done. You can use MPF to do it. Here is an example
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0
hostname(config)# service-policy outside_policy interface outside
Also explained here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1082979
I hope it helps.
PK
11-12-2009 03:28 PM
Hi,
Please try the dead-connection-detection option that is newly introduced in 8.0(4) code.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1396112
Hope this helps!
Thanks,
Manish
Cisco TAC
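The two answers above fit together: PK's MPF policy raises the idle timeout for one class of traffic, and Manish's dead-connection-detection (DCD) option makes the firewall probe an idle session before tearing it down instead of relying on the timer alone. The fragment below is an added example, not configuration posted by Joerg, PK or Manish, that combines both for a single service, using ASA/PIX 8.0(4) syntax. The service (TCP port 5000 on 192.0.2.10, a TEST-NET address), the interface and the class, ACL and policy names are all illustrative assumptions.

```text
! Added example (not from the original posts): per-service TCP idle timeout plus DCD on ASA/PIX 8.0(4).
! Assumptions: the long-lived service is TCP/5000 on 192.0.2.10 (hypothetical TEST-NET address);
! ACL, class-map and policy-map names are illustrative.
!
! 1. Match only the connections of that one service, not every connection on a port.
access-list LONGLIVED_SVC extended permit tcp any host 192.0.2.10 eq 5000
class-map LONGLIVED_SVC
 match access-list LONGLIVED_SVC
!
! 2. Give that class a longer idle timeout (hh:mm:ss; 0:0:0 disables the idle timeout for the class)
!    and enable DCD. When the idle timer expires the firewall probes both endpoints; if both answer,
!    the idle timer is reset, otherwise after max-retries unanswered probes the connection is freed.
!    0:00:15 is the retry interval and 5 the maximum number of retries.
policy-map global_policy
 class LONGLIVED_SVC
  set connection timeout tcp 2:00:00
  set connection timeout dcd 0:00:15 5
!
! 3. global_policy is already applied globally on a default configuration; otherwise apply it:
service-policy global_policy global
!
! 4. Verify the class and its connection settings are active, then watch the idle timer on the live flow.
show service-policy
show conn detail address 192.0.2.10
!
! 5. The new settings apply only to connections built after the change. Existing connections keep the
!    settings they were created with, so force the affected ones to re-establish:
clear conn address 192.0.2.10 port 5000
```

Two points worth checking on your own box: the class should match the single service (an ACL rather than `match port tcp eq 80` as in PK's example) so the longer timeout does not silently apply to every web flow, and the connection-limit/timeout features of a policy are applied to connections when they are created, so `show conn` will not show the new timeout on a session that was already up when you entered the policy until that session has been rebuilt.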