Feb 10, 2012

Disabling idle timeout for specific traffic

The ASA enforces an idle timeout on connections; for TCP the default is one hour. This frees up connection-table resources and protects the firewall from being overloaded with stale state, but it also breaks applications that legitimately keep a connection open without sending traffic for long periods. You could disable the timeout globally, but that is a bad idea because the connection table would grow without bound and firewall performance would suffer. The better approach, when you run an application that you expect to hold idle connections for a long time, is to disable the idle timeout for that traffic only. This is done with the Advanced Connection Settings in the Modular Policy Framework.

First, classify the traffic with an access list and a class map (keep the access list as narrow as possible, since every flow it matches will be exempt from the timeout):

asa(config)# access-list ACL_NO_TIMEOUT extended permit ip any 192.0.2.0 255.255.255.0
asa(config)# class-map CM_NO_TIMEOUT
asa(config-cmap)# match access-list ACL_NO_TIMEOUT

Then add the class to a policy map (the global one, or one applied to a single interface) and disable the TCP idle timeout for it with a value of 0:

asa(config)# policy-map global_policy
asa(config-pmap)# class CM_NO_TIMEOUT
asa(config-pmap-c)# set connection timeout tcp 0

The new policy is enforced only for connections built after it is applied, so you may want to clear the existing ones. Afterwards the timeout column shows "-" (no timeout) for that traffic:

asa# show conn detail address 192.0.2.15
TCP outside: 192.0.2.15/23 inside:10.0.0.30/32864,
    flags UIOB, idle 45m24s, uptime 4h30m, timeout -, bytes 1019

Finally, save the configuration:

asa(config)# end
asa# wr mem
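Because every connection matched by the access list is exempt from the idle timeout, it is worth checking from the device's own output that the exemption is no wider than intended. The following script is an added example (not part of the original post and not Cisco code): it parses `show conn detail` output in the layout shown above and reports any timeout-exempt flow that does not touch the intended subnet, plus the exempt flows that have already been idle longer than the default one hour. The sample output embedded in it is constructed, and the third flow is deliberately outside 192.0.2.0/24 to show what an over-broad class map would look like.

```python
"""Audit ASA `show conn detail` output for idle-timeout exemptions.

Added example, not code from the original post. The sample text below is
constructed in the layout the post shows; it was not captured from a device.
"""
import ipaddress
import re

SAMPLE_SHOW_CONN = """\
TCP outside: 192.0.2.15/23 inside:10.0.0.30/32864,
    flags UIOB, idle 45m24s, uptime 4h30m, timeout -, bytes 1019
TCP outside: 192.0.2.20/22 inside:10.0.0.31/40001,
    flags UIOB, idle 2m10s, uptime 0h05m, timeout 1h0m, bytes 5120
TCP outside: 203.0.113.7/443 inside:10.0.0.32/40002,
    flags UIOB, idle 3h02m, uptime 3h10m, timeout -, bytes 77
"""

# Header line: "<proto> <ifA>: <ipA>/<portA> <ifB>:<ipB>/<portB>,"
HEADER_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\w+):\s*(?P<ip_a>[\d.]+)/(?P<port_a>\d+)\s+"
    r"(?P<if_b>\w+):\s*(?P<ip_b>[\d.]+)/(?P<port_b>\d+),?\s*$"
)
# Detail line: "flags ..., idle ..., uptime ..., timeout ..., bytes ..."
DETAIL_RE = re.compile(
    r"flags\s+(?P<flags>\S+),\s+idle\s+(?P<idle>\S+),\s+uptime\s+(?P<uptime>\S+),"
    r"\s+timeout\s+(?P<timeout>\S+),\s+bytes\s+(?P<bytes>\d+)"
)

DEFAULT_TCP_TIMEOUT_S = 3600  # the ASA default of one hour quoted in the post


def idle_to_seconds(duration):
    """Convert an ASA duration such as '4h30m' or '45m24s' to seconds."""
    factors = {"h": 3600, "m": 60, "s": 1}
    return sum(int(v) * factors[u] for v, u in re.findall(r"(\d+)([hms])", duration))


def parse_show_conn(text):
    """Pair each connection header line with the detail line that follows it."""
    conns = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            current = header.groupdict()
            continue
        detail = DETAIL_RE.search(line)
        if detail and current is not None:
            current.update(detail.groupdict())
            # "timeout -" is how the ASA displays a disabled idle timeout
            current["timeout_disabled"] = current["timeout"] == "-"
            current["idle_s"] = idle_to_seconds(current["idle"])
            conns.append(current)
            current = None
    return conns


def audit_no_timeout(conns, intended_networks):
    """Return timeout-exempt connections where neither endpoint lies in any
    intended network. An empty list means the exemption is as narrow as the
    access list was meant to be."""
    nets = [ipaddress.ip_network(n) for n in intended_networks]
    leaks = []
    for c in conns:
        if not c["timeout_disabled"]:
            continue
        endpoints = (ipaddress.ip_address(c["ip_a"]), ipaddress.ip_address(c["ip_b"]))
        if not any(addr in net for addr in endpoints for net in nets):
            leaks.append(c)
    return leaks


def long_idle(conns, threshold_s=DEFAULT_TCP_TIMEOUT_S):
    """Exempt connections that would already have been torn down under the
    default timeout; these are the flows the policy is really keeping alive."""
    return [c for c in conns if c["timeout_disabled"] and c["idle_s"] > threshold_s]


if __name__ == "__main__":
    parsed = parse_show_conn(SAMPLE_SHOW_CONN)
    for c in audit_no_timeout(parsed, ["192.0.2.0/24"]):
        print(f"exempt but outside intended subnet: {c['ip_a']} <-> {c['ip_b']}")
    for c in long_idle(parsed):
        print(f"kept alive past default timeout: {c['ip_a']}/{c['port_a']} idle {c['idle']}")
```

Run it against real output by feeding the captured text to `parse_show_conn` instead of the constructed sample; the networks passed to `audit_no_timeout` should be exactly those named in the access list.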

2 comments:

  1. I want to implement something similar for one of our remote locations where the primary connection is MPLS and an IPsec VPN tunnel is the backup. MPLS is up all the time, so the IPsec tunnel goes down. I want to keep the VPN tunnel up all the time. How can I do that?

    1. Hello Jay

      These articles will help you to implement what you need:

      http://packetsneverlie.blogspot.com/2010/08/alta-disponibilidade-utilizando-asapix.html

      http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

      Once you have the static route for the IPsec link active, the tunnel will be established.
