Any pitfalls to increasing TCP and UDP timeout connections?

lchance
Level 1

We are seeing some TCP and UDP applications have problems with connections and I suspect the fix could be by using this parameter:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

The head-end device is an ASA but remotes are either PIX or smaller ASA and all remotes typically have default configs for this TIMEOUT CONN . . .

What could I expect those pitfalls to be if both TCP and UDP were increased to perhaps 10:00:00 (ten hours)?

such as:

timeout conn 10:00:00 half-closed 0:10:00 udp 10:00:00 rpc 0:10:00 h225 1:00:00

1 Reply

Nicolas Fournier
Cisco Employee

Hi,

The main issue that could occur would be to have the connection table getting full.

If you set the conn timeout to 10 hours, TCP idle connections will stay in the conn table for this time unless the firewall sees the connection closure.

UDP ones will stay for 10 hours whatever happens.

If a lot of the TCP connections getting through the firewall are left idle and are not closed and/or if you have a lot of UDP connections, you might deplete the memory of your firewall and it might stop accepting new connections because of this.

Regards,

Nicolas
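To make the sizing effect of the reply concrete, here is an added toy model (example code, not from the thread or from Cisco) of a connection table under the two `timeout` settings discussed. It follows the rule the reply gives: a TCP entry leaves the table when the firewall sees the close or when it sits idle past `conn`, while a UDP entry leaves only when it sits idle past `udp`. The flow records are constructed sample traffic (one short UDP exchange every 10 s, one TCP session every 60 s, half of which go silent without a close the firewall can see), and the `Flow` class and helper names are this example's own.

```python
"""Toy model of a firewall conn table under different idle timeouts.

Added example, not code from the thread. Flow records are constructed
sample data: they are not captured traffic and the numbers are not
platform limits of any ASA or PIX model.
"""
from dataclasses import dataclass
from typing import Optional


def parse_timeout(hms: str) -> int:
    """Convert an ASA-style 'h:mm:ss' value (as used by `timeout conn`) to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Flow:
    proto: str                    # "tcp" or "udp"
    start: int                    # second at which the firewall builds the entry
    last_pkt: int                 # second of the last packet; idle timer counts from here
    closed_at: Optional[int] = None  # second the firewall sees FIN/RST (TCP only)


def table_size_at(flows, now: int, timeouts: dict) -> int:
    """Entries still in the conn table at time `now`.

    `timeouts` mirrors the command keywords, e.g. {"conn": "1:00:00", "udp": "0:02:00"}.
    TCP entries drop on an observed close or on idle >= conn timeout;
    UDP entries drop only on idle >= udp timeout (no close to observe).
    """
    tcp_to = parse_timeout(timeouts["conn"])
    udp_to = parse_timeout(timeouts["udp"])
    count = 0
    for f in flows:
        if f.start > now:
            continue  # not built yet
        if f.proto == "tcp" and f.closed_at is not None and f.closed_at <= now:
            continue  # firewall saw the closure, entry torn down
        idle = max(0, now - f.last_pkt)
        limit = tcp_to if f.proto == "tcp" else udp_to
        if idle >= limit:
            continue  # idle timer expired, entry aged out
        count += 1
    return count


def sample_flows(horizon: int = 12 * 3600):
    """Constructed traffic over `horizon` seconds (12 hours by default)."""
    flows = []
    # One short UDP query/response every 10 s (DNS-like): 1 s of activity each.
    for t in range(0, horizon + 1, 10):
        flows.append(Flow("udp", t, t + 1))
    # One TCP session every 60 s, active for 30 s. Even-numbered sessions close
    # cleanly (FIN seen by the firewall); odd-numbered ones simply go silent,
    # which is the "left idle and not closed" case from the reply.
    for j, t in enumerate(range(0, horizon + 1, 60)):
        closed = t + 30 if j % 2 == 0 else None
        flows.append(Flow("tcp", t, t + 30, closed))
    return flows


def compare_timeouts(flows, now: int) -> dict:
    """Conn-table occupancy at `now` under the default and the proposed settings."""
    default = {"conn": "1:00:00", "udp": "0:02:00"}
    proposed = {"conn": "10:00:00", "udp": "10:00:00"}
    return {
        "default": table_size_at(flows, now, default),
        "proposed": table_size_at(flows, now, proposed),
    }


if __name__ == "__main__":
    result = compare_timeouts(sample_flows(), now=12 * 3600)
    for label, size in result.items():
        print(f"{label:9s} conn table entries after 12 h: {size}")
```

With this constructed traffic the table holds a few dozen entries under the defaults and a few thousand under the ten-hour settings, almost all of them UDP entries that never produce a close for the firewall to see. Before changing the timers on a real unit, the figure to watch is the current entry count (`show conn count` on an ASA) against the platform's connection limit, since the steady-state table size scales roughly with new-flow rate multiplied by idle timeout.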