Hi,
I havent had to modify timeouts that often on an ASA but when I have had to change them its usually been applications TCP connections that for a reason or another dont have any builtin keepalive. Actually just ran into such a problem in a last couple of weeks.
When talking about UDP connections I guess most of the command UDP connections like DNS queries and replies will get removed from the firewall as soon as the firewall has seen the reply for the DNS query. To my understanding atleast.
I would imagine with random UDP connections setting the timeout to 90min instead of the global default of 2min might mean that there would be several UDP connections hanging on the firewall useless. I would also imagine that it would take a lot of connections to eventually reach the point where this might hurt your firewall performance. Mainly thinking about the maximum limit of connections on the ASA depending on the model. If the limit was reached, no new connections could be made even if the UDP connections were just idle and not in use.
I would imagine that also depending on the NAT configuration you might be left with a lot on active translations in the xlate table.
I think you should be able to perhaps configure this longer UDP timeout of 90min only apply to certain UDP connections if you specify the source/destination IP addresses/netorks and ports used and only apply this special timeout to those connections while leaving the rest to the global 2min timeout. This would be done using the Modular Policy Framework (if I remember the name correctly.)
In other words you would configure and ACL that defines the connections, attach it to a class map and attach that class map to the policy-map and there under the policy-map/class-map set the idle timeout value to that you want.
- Jouni
