11-25-2015 05:09 PM - edited 03-11-2019 11:57 PM
Hi,
I'm trying to figure out why my ASA has an ICMP timeout of 1 hour instead of the default 2 seconds, as stated in the documentation and the CLI.
fw-asa(config)# timeout icmp ?
configure mode commands/options:
<0:0:2> - <1193:0:0> Idle timeout for icmp, default is 0:00:02
Looking at the connections..
fw-asa# sh conn detail
ICMP Outside: 10.2.1.12/0 Inside: 10.10.10.15/17460, flags , idle 5s, uptime 5s, timeout 1h0m, bytes 56
...
Setting the timeout to any other value does not have any effect on this, and the timeout remains 1h.
This is creating quite a problem for me because I have an ICMP monitoring host in the network that is generating a large amount of ICMP packets, and it is filling up the connection table quite badly.
Am I missing something painfully obvious here?
Hardware is: ASA 5510 with Security Plus license
Software is: asa915-21-k8.bin
inspect icmp is disabled because of the asymmetric routing in the network.
Thank you!
optix
11-28-2015 07:53 AM
Hi Optix,
You have explicitly configured the 'idle' timeout to 1 hour. The 'show run timeout' output shows the default timeout values.
Please find below the description of the 'set connection timeout idle' command. It sets every protocol's idle timeout to 1 hour:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1453113
Remove it if you do not wish to configure it.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate the helpful posts.
11-25-2015 09:11 PM
Hi,
Check output of show run | in timeout
In the output, check the timeout of ICMP. If the timeout is set to 60 minutes then you can change it to 2 seconds.
Having such a high timeout for ICMP can end up in exhaustion of the session table.
Thanks,
RS
11-26-2015 12:04 AM
Hi,
There is currently no timeout icmp set, so it should default to 2 seconds. Either way, even if I set this to any value, the timeout seen in the output of the sh conn detail command remains 1h, and the connection table builds up.
11-27-2015 09:11 PM
Hi,
Can you share output of:
show run | i timeout
Thanks,
RS
11-28-2015 02:56 AM
Hi,
fw-asa# sh run | i timeout
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
telnet timeout 5
ssh timeout 60
console timeout 0
vpn-idle-timeout 4320
anyconnect ask enable default anyconnect timeout 20
set connection timeout idle 1:00:00 reset
set connection timeout idle 1:00:00 reset
fw-asa#
Thanks,
optix
11-28-2015 01:44 PM
Hi Akshay & Rishabh
Thank you for your replies.
I had a class-default map configured to decrement TTL and disable the TCP state check.
Also, I configured (from ASDM) TCP reset before idle, and that caused the line 'set connection timeout idle 1:00:00 reset'; I didn't have any intention to change the timeout values.
I believed that this section of options was only related to TCP, as the window in ASDM clearly says "TCP timeout".
I had no idea that this actually sets the timeout for all types of connections...
I think that it would be an understatement to say that this is a bit misleading.. :-)
Anyway.. lesson learned.
Thanks again!
Best regards.
11-28-2015 12:18 PM
Hi Optix,
Verify the policy map which is configured to alter the idle timeout to 1 hour.
In case your class map is configured to match all traffic and you want to exclude ICMP traffic, then you can add a deny statement for ICMP.
Thanks
RS
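The configuration below is an added illustration of the fix discussed in this thread; it is not the poster's actual running config and not taken from Cisco's documentation. The policy-map and class-map names, the ACL name, and the order of lines are assumptions reconstructed from what the posts say (a class-default policy with decrement-ttl, TCP state bypass and the ASDM-generated 'set connection timeout idle 1:00:00 reset'). It shows the problematic class-default form, then two ways to scope the 1-hour idle timeout to TCP only so that ICMP connections fall back to the global 'timeout conn ... icmp 0:00:02' value.

```cisco
! --- Problem (assumed reconstruction): 'set connection timeout idle' under
! --- class-default applies to EVERY protocol in the class, including ICMP,
! --- so 'show conn detail' reports 'timeout 1h0m' on ICMP entries even though
! --- 'timeout conn ... icmp 0:00:02' is the global default.
policy-map global_policy
 class class-default
  set connection decrement-ttl
  set connection advanced-options tcp-state-bypass
  set connection timeout idle 1:00:00 reset

! --- Fix 1 (Akshay's suggestion): drop the per-class idle timeout entirely.
! --- The global 'timeout conn' / 'timeout icmp' values then apply again.
policy-map global_policy
 class class-default
  no set connection timeout idle 1:00:00 reset

! --- Fix 2 (RS's suggestion): keep the TCP reset-on-idle behaviour, but only
! --- for TCP. Match TCP explicitly in its own class so ICMP is never covered.
! --- ACL_TCP_ONLY and CM_TCP_IDLE are hypothetical names.
access-list ACL_TCP_ONLY extended permit tcp any any
!
class-map CM_TCP_IDLE
 match access-list ACL_TCP_ONLY
!
policy-map global_policy
 class CM_TCP_IDLE
  set connection timeout idle 1:00:00 reset
 class class-default
  no set connection timeout idle 1:00:00 reset
  set connection decrement-ttl
  set connection advanced-options tcp-state-bypass

! --- Verification: ICMP entries should now show 'timeout 0:00:02' rather
! --- than '1h0m', and the service policy should list which class sets idle.
! show conn detail | include ICMP
! show service-policy
! show run policy-map
```

Existing ICMP connections created under the old policy keep their 1-hour timeout until they expire or are cleared; only new connections pick up the corrected value, so the connection table shrinks gradually after the change rather than immediately.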