Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Connections don't timeout

Status
Not open for further replies.
NicolaiG

NicolaiG

ISP
Joined
Jun 13, 2003
Messages
2
Location
DK
Hi

I'm faily new to the Cisco Pix, and i'm wondering about something.

How come i have several connections that a way beyond their timeout? The same seems to happen to xlate's, which has alot more entries than what can happen in the setup. There is 3-4 clients sitting behind a PIX501, with a tunnel to their main-office. "sh xlate count" is around 4000-5000 entries, and that amount seems very high, with a xlate-timeout set to 5 mins.

I've looked at several others running the same setup, and they show "normal" behaviour.

Any suggestions?


fw-billund# sh ver

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 1.1(2)

fw# sh timeout
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

fw# sh conn
68 in use, 222 most used
TCP out 10.61.82.210:1494 in 192.168.1.103:1046 idle 194:25:31 Bytes 508266 flags UIO
TCP out 10.61.82.210:1494 in 192.168.1.142:2227 idle 264:18:02 Bytes 60503 flags UIO
TCP out 10.61.82.210:1494 in 192.168.1.104:1439 idle 260:59:46 Bytes 21770 flags UIO
UDP out 193.162.195.194:53 in 192.168.1.142:47 idle 1:11:51 flags D

UDP out 207.46.248.43:123 in 192.168.1.104:123 idle 5:41:22 flags -

TCP out 10.61.82.210:1494 in 192.168.1.103:1038 idle 411:56:43 Bytes 331800 flags UIO
TCP out 10.61.82.210:1494 in 192.168.1.104:1107 idle 0:00:38 Bytes 470347 flags UIO
TCP out 10.61.82.210:1494 in 192.168.1.104:1050 idle 243:38:17 Bytes 82131 flags UIO
 
Sort by date Sort by votes
HI.

The default xlate timeout is 3 hours.
If applicable, try to set it to 3:00:00, reload the pix, and test the results...

You can also install a syslog server, and start logging at level 6, then look at the logs to see what is going on.

Bye


Yizhar Hurwitz
 
Upvote 0 Downvote
I'm more interested in how a connection can be active for several hours, when the connection timeout is 1 hour. That dosn't seem very logic to me.

Anyone who can explain this?

fw# sh timeout
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

fw# sh conn
TCP out 10.61.82.210:1494 in 192.168.1.103:1046 idle 194:25:31 Bytes 508266 flags UIO
TCP out 10.61.82.210:1494 in 192.168.1.142:2227 idle 264:18:02 Bytes 60503 flags UIO
TCP out 10.61.82.210:1494 in 192.168.1.104:1439 idle 260:59:46 Bytes 21770 flags UIO
UDP out 193.162.195.194:53 in 192.168.1.142:47 idle 1:11:51 flags D
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

steve56k
  • Locked
  • Question Question
Number of connections for VPN tunnel
Replies
0
Views
221
steve56k
steve56k
RodneyMcSnow
  • Locked
  • Question Question
Windows 8.1 PRO has to open connections when NETSTAT is used.
Replies
0
Views
258
RodneyMcSnow
RodneyMcSnow
rjwaunakee
  • Locked
  • Question Question
Allow Connections with Domain Names
Replies
0
Views
226
rjwaunakee
rjwaunakee
kzn
  • Locked
  • Question Question
Error communicating with Firebox 10.0.0.1. IO_ERROR: Message processing timeout. Please try again
Replies
2
Views
412
kzn
kzn
RonSwift
  • Locked
  • Question Question
Block all telnet connections
Replies
4
Views
468
RonSwift
RonSwift

Part and Inventory Search

Sponsor

Back
Top