Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
761
Views
0
Helpful
1
Replies

TCP Conn Timeout - Adjusting

rsommer
Level 1
Level 1

‎12-11-2006 01:20 PM - edited ‎03-11-2019 02:07 AM

We have an application (client - database) that doesn't do well with the 1 hour connection idle timeout (TCP conn).

The setting is global and much has been made about adjusting that timeout. Very hesitant to extend it (they will not be happy until they could leave the app open forever...) to say a 4 hours. Reason: connection counts, DoS, etc.

However, our max conn count is not anywhere near the max of 280,000.

Has anybody else out there gone through this? Any "guidelines" or thoughts on adjusting the TCP timeout? (Note: not on ver 7 - so can't do the virtual FW thing yet.)

Thanks,

Rick

Labels:
0 Helpful
1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

‎12-14-2006 07:39 AM

We went through the same thing. We have Oracle ERP apps here and some of the connections need much longer than an hour. In then end we put unlimted timeout on the backend database firewalls and a 3 hour timeout on the front-end firewalls (protecting the application mid-tiers).

I emphasise that these were internal firewalls and not internet facing otherwise i would not have considered it.

So far we are okay, we are nowhere near the max conns limit and the vast majority of connections are closed down normally anyway so we are not experiencing any resource issues - max conns, cpu etc.

I believe in v7.0 that you can apply per flow settings which would be much better in that you can tie down the timeouts to just the server to server connections needed.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card