What is the function of the configured connection timeouts on the ASA?

williammanurung
Level 1

Hi guys,

I just want to know what exactly the commands below on my ASA 5585-X do:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

What will the ASA do after a connection timeout?

Best regards,

William

8 Replies

Marvin Rhoads
Hall of Fame

After a timeout expires for a given xlate or connection, the ASA will either release the xlate or drop the connection record from its internal tables and free up the memory and any other resources that it was using.

For xlates, that means any new traffic needing to be NATted will re-establish an xlate.

For connections, it means that the connection state will need to be re-established for any subsequent traffic. An active connection (or flow for stateless traffic like UDP and ICMP) means that the return traffic bypasses ACLs since it is known to be part of an existing allowed flow.

What is the meaning of "timeout expires"?

Is there an end-to-end close of the connection?

Can you give me another example?

"Timeout expires" means that the idle time for a given connection has counted down to 0:00:00 and it is no longer considered active by the firewall. Accordingly it removes the record of the connection from its connection table.

Only the two endpoints of an existing connection can close the connection. The ASA does not intervene and send a TCP FIN or anything like that for an existing connection table record that has become idle and had its timeout expired.

What is your reason for asking?

I just want to know the concept of connection timeouts in my ASA.

You said before, "Accordingly it removes the record of the connection from its connection table". Focusing on the "connection table", how can I see the connection table in my ASA? What is the command?

You can show the connection table with the command "show conn".

Just to add, when a connection is idle, the connection is removed from the connection table after the idle timeout expires as defined by

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

and the xlate timer kicks in once the connection is removed. So, the xlate is still present even when the connection is removed.

timeout xlate 3:00:00
timeout pat-xlate 0:00:30

As an example, when a connection goes into the idle state, the connection entry is removed after 1 hour (assuming the above config), and after that 1 hour the xlate will be cleared after 30 seconds or 3 hours, depending on whether it is NAT or PAT.

A link that talks more:

https://supportforums.cisco.com/document/88256/understanding-xlate-and-conn-idle-and-timeout-values-through-example

HTH
-AJ
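To make the two timers in the answer above concrete, here is an added example (my own script, not from the original thread or from Cisco) that parses the `timeout` lines quoted in the question into seconds, parses `show conn` output in the layout the ASA prints (`<proto> <if> <ip:port> <if> <ip:port>, idle H:MM:SS, bytes N, flags X`), and reports which flows are within a given number of seconds of being dropped from the connection table, plus how long the xlate would then linger for NAT versus PAT. The `show conn` lines are constructed sample data, not real flows; the choice of the `half-closed` timer when exactly one of the `f`/`F` (inside/outside FIN) flags is present is my reading of the `show conn` flag legend.

```python
import re

# Config lines quoted from the question (real values from the post).
TIMEOUT_CONFIG = """\
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
"""

# Constructed sample in the 'show conn' layout; these are not real flows.
SHOW_CONN_SAMPLE = """\
TCP outside 198.51.100.10:443 inside 10.1.1.5:52344, idle 0:55:10, bytes 4521, flags UIO
TCP outside 198.51.100.10:443 inside 10.1.1.6:52345, idle 0:00:03, bytes 812, flags UIO
TCP outside 198.51.100.20:22 inside 10.1.1.7:40122, idle 0:09:50, bytes 9900, flags UfIO
UDP outside 203.0.113.53:53 inside 10.1.1.5:40001, idle 0:01:58, bytes 120, flags -
ICMP outside 203.0.113.1:0 inside 10.1.1.5:1, idle 0:00:01, bytes 64
"""

HMS = re.compile(r"^\d+:\d{2}:\d{2}$")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<out_if>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in>\S+),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)


def hms_to_seconds(value: str) -> int:
    """'1:00:00' -> 3600."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(config: str) -> dict:
    """Map every 'timeout <name> H:MM:SS' pair to seconds.

    Bare keywords that carry no value (e.g. 'absolute' after 'uauth')
    are skipped rather than mis-read as a timer name."""
    timeouts = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "timeout":
            continue
        name = None
        for tok in tokens[1:]:
            if name is not None and HMS.match(tok):
                timeouts[name] = hms_to_seconds(tok)
                name = None
            else:
                name = tok
    return timeouts


def parse_show_conn(text: str) -> list:
    """Return one dict per 'show conn' line; lines that do not match are ignored."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["idle"] = hms_to_seconds(d["idle"])
            conns.append(d)
    return conns


def idle_limit(conn: dict, timeouts: dict) -> int:
    """Pick the idle timer that applies to this flow (assumption: one FIN seen
    means the half-closed timer applies)."""
    if conn["proto"] == "UDP":
        return timeouts["udp"]
    if conn["proto"] == "ICMP":
        return timeouts["icmp"]
    flags = conn["flags"] or ""
    if ("f" in flags) != ("F" in flags):
        return timeouts["half-closed"]
    return timeouts["conn"]


def remaining_seconds(conn: dict, timeouts: dict) -> int:
    """Seconds of further silence until the conn entry is dropped (never negative)."""
    return max(0, idle_limit(conn, timeouts) - conn["idle"])


def xlate_lifetime_after_idle(conn: dict, timeouts: dict, pat: bool) -> int:
    """Seconds until the xlate is also released, given that the xlate timer
    only starts once the conn entry is gone (per the answer above)."""
    return remaining_seconds(conn, timeouts) + timeouts["pat-xlate" if pat else "xlate"]


def expiring_soon(show_conn_text: str, timeouts: dict, within: int = 60) -> list:
    """[(description, remaining_seconds)] for flows within 'within' seconds of expiry."""
    out = []
    for c in parse_show_conn(show_conn_text):
        left = remaining_seconds(c, timeouts)
        if left <= within:
            out.append((f"{c['proto']} {c['out']} -> {c['in']}", left))
    return out


if __name__ == "__main__":
    t = parse_timeouts(TIMEOUT_CONFIG)
    for desc, left in expiring_soon(SHOW_CONN_SAMPLE, t, within=60):
        print(f"{desc}: conn entry dropped in {left}s")
```

Running it against the sample lists the half-closed TCP flow, the UDP flow and the ICMP flow, whose timers (0:10:00, 0:02:00 and 0:00:02) are much shorter than the 1:00:00 `conn` timer. On a live box the input would come from `show conn` and `show running-config timeout`; feeding a large `show conn` through this before tightening timers shows which long-lived flows a change would cut.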

So, the meaning of an idle connection is that the end-to-end connection exists but no packets are transferred?

What is the minimum packet transfer required to reset the idle timer back to 0:00:00?

So, the meaning of an idle connection is that the end-to-end connection exists but no packets are transferred?

yes

What is the minimum packet transfer required to reset the idle timer back to 0:00:00?

There is no minimum packet transfer. The logic is that if there is an attempt from either side to transfer any finite number of bytes, it will restart the idle timeout value.

HTH

-AJ
