What is the default timeout value for PIX to terminate an idle TCP connecti

astanislaus · ‎03-27-2006

What is the default timeout value for PIX to terminate an idle TCP connection - Is it 15 minutes. I vaguely recall it is 15 minutes.

pkhatri · ‎03-27-2006

I believe the TCP connection slot is freed up 60 seconds after the TCP connection is closed.

Hope that helps - pls rate the post if it does.

Paresh

wsitu · ‎03-27-2006

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093

Usage Guidelines

The timeout command sets the idle time for connection, translation UDP, RPC, and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.

pixfirewall# sh timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

astanislaus · ‎03-27-2006

The TCP connection is still active between a Server and Client but no traffic is being passed - what happens then. Does the PIX close the connection after a certain time interval of no traffic.

wsitu · ‎03-28-2006

i think in this case the pix is going to keep that connection up default to 1 hour. it will close that connection to free up memory.

remember: pix is a stateful firewall. it maintains a history of traffic passed through and keeps track of tcp sequences, SYN, SYN/ACK, ACK, and etc. it will recognize a FIN when the connection terminates gracefully and cloe a connection.

check out these commands:

show xlate

show conn detail

mloring · ‎03-28-2006

By default it's an hour, but issue a 'show timeout' command to see what your PIX is set to.