Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
5
Helpful
4
Replies

questions on pix timeout

Go to solution
zhichao
Level 1
Level 1

‎02-01-2005 11:56 PM - edited ‎02-20-2020 11:54 PM

Hi

Understand there are some timeout settings on pix. Need to check :

1. TCP timeout 1:00:00. I believe this is idle time out. Will PIX send out TCP reset after timeout?

2. Xlate timeout 3:00:00. Is this idle time out?

Will PIX send out TCP reset after timeout?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
scoclayton
Level 7
Level 7
In response to zhichao

‎02-02-2005 08:58 PM

Yes, based on the info in the original post, the PIX should remove any xlates that have been idle for 3 hours. Once these are removed, the xlates need would have to re-established in order for a connection to occur.

Does this help?

Scott

View solution in original post

0 Helpful
4 Replies 4

Go to solution
sachinraja
Level 9
Level 9

‎02-02-2005 02:50 AM

Hi zhichao,

the xlate timeout is used to free up an existing nat entry on the pix, incase there is no activity on that perticular tcp session for a long time. the translation slot is freed after this timeout value exceeds... this is used to kill idle sessions on the nat table of the pix...

the first part - > are u talking about half-closed timeout ?? if so, yes, it sends a tcp reset if the idle timer expires.. the tcp connection is freed after this timer expires...

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093

see if the above URL helps u.

Raj

0 Helpful

Go to solution
scoclayton
Level 7
Level 7
In response to sachinraja

‎02-02-2005 08:41 PM

The PIX should never send a RST packet in response to anything unless 'service resetinbound' is configured. When the timeouts expire, the PIX will drop the packets until the connection is re-established properly. The idea of a firewall is to not be detectable on the network. Once it starts sourcing packets, it is no longer hidden.

Scott

Go to solution
zhichao
Level 1
Level 1
In response to scoclayton

‎02-02-2005 08:52 PM

Thanks! This is the info I need.

How about the question two? Is the NAT time out idle timeout?

0 Helpful

Go to solution
scoclayton
Level 7
Level 7
In response to zhichao

‎02-02-2005 08:58 PM

Yes, based on the info in the original post, the PIX should remove any xlates that have been idle for 3 hours. Once these are removed, the xlates need would have to re-established in order for a connection to occur.

Does this help?

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card