12-09-2003 11:36 AM - edited 02-20-2020 11:08 PM
Hi,
What are the possible performance problems and security issues with increasing the timeout values (conn especially)?
Are there any recommendations as to the max values? I cannot find anything other than syntax on the web site.
12-09-2003 12:04 PM
Hi,
The default values are the recommended values under normal circumstances but we do realize that there are some situations where these values will not work. From a Security standpoint and performance standpoint, you probably will not see any change when bumping the conn timeout up a bit. The only real difference is that the PIX will wait longer before tearing down connections that have gone idle. You *could* see more conns stored which will eat more memory but in most cases, this will probably be negligible. Most PIX installations have very few conns that time out due to the idle timer being reached unless there is some application that passes across the PIX that is left open and unused for long periods of time. Hope this helps.
Scott
12-09-2003 12:47 PM
Thank you Scott,
Last Q...
What is the relationship between the connection and idle timeouts?
Thanks again,
Art
12-09-2003 01:04 PM
Art,
Not a problem. I am not exactly sure what you mean by the question. The conn timer is the time that the PIX will allow the connection to sit idle before tearing it down. If we see traffic flow across this connection, the timer resets to 0. If we reach the configured time and the timer has not been reset, the connection gets torn down. Does this answer your question at all?
Scott
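As an added illustration (not from the thread or from Cisco) of the two points Scott makes, the idle timer that resets on traffic and the extra conn entries a longer timer keeps in memory, here is a small Python model of a connection table. The flow tuples and traffic timeline are constructed; 3600 seconds is assumed as the PIX default for `timeout conn`.

```python
from dataclasses import dataclass, field

# Added illustration of the conn idle timer Scott describes. A connection
# entry stores the time it last carried traffic; a sweep at `now` tears down
# every entry whose idle time has reached the configured timeout. Times are
# in seconds. 3600 s is assumed here as the PIX default for `timeout conn`.

@dataclass
class ConnTable:
    conn_timeout: int = 3600
    conns: dict = field(default_factory=dict)  # flow tuple -> last-seen time

    def packet(self, flow, now):
        """Traffic on a flow creates its entry or resets its idle timer to 0."""
        self.conns[flow] = now

    def sweep(self, now):
        """Tear down every connection idle for conn_timeout or longer."""
        expired = [f for f, last in self.conns.items()
                   if now - last >= self.conn_timeout]
        for f in expired:
            del self.conns[f]
        return expired

# Constructed traffic: three TCP flows first seen at t=0; A and C send again
# later, B goes silent. Flow key is (src, sport, dst, dport).
FLOW_A = ("10.1.1.5", 40001, "198.51.100.7", 80)
FLOW_B = ("10.1.1.6", 40002, "198.51.100.7", 22)
FLOW_C = ("10.1.1.7", 40003, "198.51.100.8", 443)
TRAFFIC = [(0, FLOW_A), (0, FLOW_B), (0, FLOW_C), (1800, FLOW_A), (3000, FLOW_C)]

def idle_sweep_demo(conn_timeout, sweep_at=3600):
    """Replay TRAFFIC, sweep at sweep_at; return (torn-down flows, conns still held)."""
    table = ConnTable(conn_timeout)
    for t, flow in sorted(TRAFFIC):
        table.packet(flow, t)
    expired = table.sweep(sweep_at)
    return expired, len(table.conns)

if __name__ == "__main__":
    print(idle_sweep_demo(3600))      # B, idle a full hour, is torn down; 2 remain
    print(idle_sweep_demo(6 * 3600))  # a 6 h timer keeps all three entries in memory
```

The second call shows the only cost Scott mentions: with the timer raised, every flow that has gone quiet stays in the table until the longer timer expires, so the memory held scales with how many such idle flows you have, not with the timer value itself.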
12-09-2003 01:41 PM
Yes that does Scott. Sorry about the poor wording. I appreciate the help.
Art
12-09-2003 01:35 PM
We bumped our xlate value up to 6 hours. Then I dump the xlate table every 6 hours using a TCL/expect script. Then I correlate my DHCP logs with the xlate entries. Purpose being to track a user down by the global IP address they were surfing with. Anybody have any comments about the accuracy of doing this? The concept is to use this info for enforcement purposes.
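An added example (my own Python, not the poster's TCL/expect script) of the correlation step, written to surface the accuracy problem the poster asks about: an xlate entry seen in a 6-hour snapshot could have been created at any point in the preceding 6 hours, so if the DHCP lease for that local address changed hands inside that window, more than one host is a candidate for the global IP. The xlate dump (in the `Global <ip> Local <ip>` shape of `show xlate`) and the ISC dhcpd-style DHCPACK lines are constructed sample data; the log formats and the 6-hour window are assumptions to adjust to your own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not real logs). One xlate snapshot taken at a
# 6-hour dump point, plus DHCPACK lines from the same day. Formats assumed.
XLATE_DUMP_AT = datetime(2003, 12, 9, 12, 0)
XLATE_DUMP = """\
Global 203.0.113.10 Local 10.1.1.5
Global 203.0.113.11 Local 10.1.1.9
"""
DHCP_LOG = """\
Dec  9 06:30:00 dhcpd: DHCPACK on 10.1.1.5 to 00:11:22:33:44:55 (host-a) via eth0
Dec  9 09:15:00 dhcpd: DHCPACK on 10.1.1.9 to 00:aa:bb:cc:dd:ee (host-b) via eth0
Dec  9 10:45:00 dhcpd: DHCPACK on 10.1.1.5 to 00:66:77:88:99:00 (host-c) via eth0
"""
XLATE_TIMEOUT = timedelta(hours=6)   # the poster's raised xlate value (assumed)

XLATE_RE = re.compile(r"Global (\S+) Local (\S+)")
DHCP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dhcpd: DHCPACK on (\S+) to (\S+)")

def parse_xlate(text):
    """Map global address -> local address for every xlate line."""
    return {m.group(1): m.group(2) for m in XLATE_RE.finditer(text)}

def parse_dhcp(text, year):
    """Return (ack_time, local_ip, mac) for every DHCPACK line; syslog has no year."""
    acks = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            acks.append((ts, m.group(2), m.group(3)))
    return acks

def attribute(global_ip, xlate, acks, dump_at, xlate_timeout):
    """Attribute a global IP to a MAC, flagging the case where the local IP
    had more than one holder during the window the xlate could have been built."""
    local_ip = xlate.get(global_ip)
    if local_ip is None:
        return None
    # every lease of that local address granted at or before the snapshot
    hist = sorted((t, mac) for t, ip, mac in acks if ip == local_ip and t <= dump_at)
    if not hist:
        return {"local": local_ip, "mac": None, "ambiguous": True, "candidates": []}
    window_start = dump_at - xlate_timeout
    before = [mac for t, mac in hist if t < window_start]
    inside = [mac for t, mac in hist if t >= window_start]
    # a host holding the address at any time inside the window is a candidate:
    # whoever held it when the window opened, plus everyone granted it since
    candidates = set(inside)
    if before:
        candidates.add(before[-1])
    return {
        "local": local_ip,
        "mac": hist[-1][1],                 # holder at snapshot time
        "ambiguous": len(candidates) > 1,
        "candidates": sorted(candidates),
    }

def attribute_all(xlate_text=XLATE_DUMP, dhcp_text=DHCP_LOG,
                  dump_at=XLATE_DUMP_AT, xlate_timeout=XLATE_TIMEOUT):
    xlate = parse_xlate(xlate_text)
    acks = parse_dhcp(dhcp_text, dump_at.year)
    return {g: attribute(g, xlate, acks, dump_at, xlate_timeout) for g in xlate}

if __name__ == "__main__":
    for g, r in attribute_all().items():
        print(g, r)   # 203.0.113.10 is ambiguous: host-a and host-c both held 10.1.1.5
```

For PAT entries the same regex captures `address(port)` strings, so the lookup key becomes the global address plus port; the ambiguity check is unchanged. Shortening the dump interval, or logging xlate creation and teardown via syslog instead of sampling the table, narrows the window and removes most of the ambiguous cases.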