
TCP Idle Timeout

DEENA VERAPPAN
Level 1

Hi All,

Hoping to get some help, and possible advice.

We have an ASA5585 running on our corporate network. As is the case with many organizations, we have a growing number of staff working from home. We have been experiencing dropped connections to our Oracle database for users logged in through VPN. I have analyzed some packet captures between the client and the server and have not seen any disconnects (FIN) from the client or the server. VPN group policies have been set to a 4-hour idle timeout. Is there a way to check the TCP connection timeout on the ASA, and what is the default idle TCP connection timeout?

Thanks for your help and advice.

Cheers


Default settings are below in the ASA config; however, you can change them according to your needs.

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
Please do not forget to rate.

Thank you for the information, that is very helpful.

Can I use DCD to keep the 1hr default idle time for Oracle connections?

Check this link, it might help you:

https://community.cisco.com/t5/security-documents/asa-dead-connection-detection-dcd/ta-p/3154051

The other way around is to create a custom rule. Below is an example; change it according to your needs.

access-list oracle-hosts permit tcp host 172.26.x.x host 172.25.x.x
! (or make the access-list specific for a certain protocol)

class-map oracle-hosts
match access-list oracle-hosts
exit

policy-map global_policy
class oracle-hosts
set connection timeout tcp 0:0:0 reset
! (setting no timeout for the specific access-list; DCD will determine with probes if the session needs to be torn down)

Please do not forget to rate.
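To tie the two answers together, here is an added Python example (not from the thread or from Cisco) that parses `timeout` lines in the format quoted in the first reply into seconds, works out the effective TCP idle limit (global `timeout conn`, or a per-class `set connection timeout` value where 0:0:0 disables the limit, as in the third reply), and checks whether it is shorter than the 4-hour VPN idle timeout from the question. The sample config lines are constructed from the thread's values; the function names are my own.

```python
import re
from typing import Dict, Optional

# Constructed sample: default "timeout" lines as quoted in the thread.
SAMPLE_TIMEOUTS = """\
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout uauth 0:05:00 absolute
"""

HMS = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2})$")


def hms_to_seconds(value: str) -> int:
    """Convert an ASA h:mm:ss timeout value to seconds (0:00:00 means 'never')."""
    m = HMS.match(value)
    if not m:
        raise ValueError(f"not an h:mm:ss value: {value!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_timeouts(config: str) -> Dict[str, int]:
    """Parse 'timeout <name> <h:mm:ss> [...]' lines into {name: seconds}.
    Bare keywords without a value (e.g. 'absolute') are skipped."""
    result: Dict[str, int] = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "timeout":
            continue
        i = 1
        while i + 1 < len(tokens):
            name, value = tokens[i], tokens[i + 1]
            if HMS.match(value):
                result[name] = hms_to_seconds(value)
                i += 2
            else:
                i += 1
    return result


def effective_tcp_idle(timeouts: Dict[str, int], class_value: Optional[str] = None) -> Optional[int]:
    """Idle limit for a TCP flow: the per-class value if one is set, else global
    'timeout conn'. A value of 0 disables the limit and is returned as None."""
    secs = hms_to_seconds(class_value) if class_value else timeouts["conn"]
    return None if secs == 0 else secs


def dropped_before_vpn_idle(tcp_idle: Optional[int], vpn_idle: int) -> bool:
    """True if the ASA tears down an idle TCP session before the VPN idle timeout."""
    return tcp_idle is not None and tcp_idle < vpn_idle


if __name__ == "__main__":
    t = parse_timeouts(SAMPLE_TIMEOUTS)
    print("global TCP idle:", effective_tcp_idle(t), "s; dropped before 4h VPN idle:",
          dropped_before_vpn_idle(effective_tcp_idle(t), 4 * 3600))
```

With the defaults the TCP conn timeout (3600 s) expires well before the 4-hour VPN idle limit, which is why an idle Oracle session is cut while the tunnel stays up; the per-class 0:0:0 override removes that limit.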