From: Scott Morris (swm@emanon.com)
Date: Fri Aug 22 2003 - 14:31:58 GMT-3
The default timers (at least for 6.3 PIX OS) are:
Xlate = 24 hours
Connection = 1 hour
Half-closed connection = 10 minutes
You can always do a 'show timeout' on your pix to see the configured
values. Remember these times are all from inactivity.
If you're pondering changing things due to an application, I agree:
think about not doing it! Is there any chance of modifying the
application to put some keepalive in there, or something that will
generate activity across the link as long as it needs to stay up?
If you start tweaking things too much, you may run into other issues
depending on the architecture of your network! You want to strike a
balance between security, being nice to users/applications, and keeping
your own sanity!
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2002@tampabay.rr.com
Sent: Friday, August 22, 2003 1:25 PM
To: Anthony Pace
Cc: ccielab@groupstudy.com
Subject: Re: Off Topic: Problems with PIX closing socket on a static NAT
Yes, a PIX will close an inactive xlate. By default I think this is at 3
hrs. But more than likely it is the connection timeout that is doing
this. It is by default 1 hr, and 30 minutes for half-closed sessions. I
would not change this because an app doesn't work. I would ask the app
folks if they could configure it to send a periodic keepalive.
Other ramifications could leave you susceptible to an attack on open
sessions.
----- Original Message -----
From: Anthony Pace <anthonypace@fastmail.fm>
Date: Friday, August 22, 2003 12:55 pm
Subject: Off Topic: Problems with PIX closing socket on a static NAT
> Has anyone had problems with the PIX closing a TCP socket on a
> static NAT due to inactivity/timeout? I am dealing with an application
> which may legitimately leave the socket open for hours, and if it hides
> behind the PIX, there are problems with the first connection when the
> session has been idle for several hours.
>
> I am thinking about increasing the global timeout for NAT, but I don't
> know if it will have other ramifications.
>
>
> Tony Pace CCIE #10349
> --
> Anthony Pace
> anthonypace@fastmail.fm
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:05 GMT-3
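Both replies in the thread recommend fixing this on the application side with a keepalive rather than raising the PIX timers. The following is an added example, not code from anyone in the thread: it shows how to turn on TCP keepalives on a client socket so that a probe crosses the firewall well before the PIX's default 1-hour idle connection timeout expires. It assumes Linux socket option names (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT; macOS exposes the idle knob as TCP_KEEPALIVE and Windows uses an ioctl instead) and uses a loopback connection so it runs offline. The PIX timeout values are the 6.3 defaults quoted above; the Linux default keepalive idle time of 7200 seconds is standard kernel behaviour and is included to show why a stock keepalive does not help against a 3600-second conn timeout.

```python
import socket

# PIX OS 6.3 default idle timeouts quoted in the thread, in seconds.
PIX_CONN_TIMEOUT = 3600         # timeout conn 1:00:00
PIX_HALF_CLOSED_TIMEOUT = 600   # timeout half-closed 0:10:00

# Linux kernel default for net.ipv4.tcp_keepalive_time: 2 hours. Longer than
# the PIX conn timeout, so enabling SO_KEEPALIVE alone does not keep the
# connection entry alive; the idle period has to be tuned as well.
LINUX_DEFAULT_KEEPIDLE = 7200


def keepalive_plan(idle_timeout, probes=3):
    """Choose (keepidle, keepintvl, keepcnt) for a given firewall idle
    timeout. The first probe goes out at half the timeout, and all retries
    still finish before the firewall would drop the connection."""
    if idle_timeout <= 0:
        raise ValueError("idle timeout must be positive")
    keepidle = max(1, idle_timeout // 2)
    keepintvl = max(1, keepidle // (probes + 1))
    return keepidle, keepintvl, probes


def plan_fits(idle_timeout, plan):
    """True if the whole probe cycle (idle wait plus every retry) ends
    strictly before the firewall's idle timeout."""
    keepidle, keepintvl, keepcnt = plan
    return keepidle + keepcnt * keepintvl < idle_timeout


def enable_keepalive(sock, keepidle, keepintvl, keepcnt):
    """Enable keepalives on a connected TCP socket and read the values
    back. Returns a dict of what the kernel actually applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET,
                                               socket.SO_KEEPALIVE)}
    # Linux names first; macOS calls the idle option TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or \
        getattr(socket, "TCP_KEEPALIVE", None)
    knobs = (
        ("idle", idle_opt, keepidle),
        ("intvl", getattr(socket, "TCP_KEEPINTVL", None), keepintvl),
        ("cnt", getattr(socket, "TCP_KEEPCNT", None), keepcnt),
    )
    for name, opt, value in knobs:
        if opt is None:          # platform does not expose this knob
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo_connection(idle_timeout=PIX_CONN_TIMEOUT):
    """Open a loopback TCP connection (stands in for the client behind the
    static NAT) and apply a keepalive plan sized for the firewall timeout.
    Returns (plan, applied)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    peer, _ = srv.accept()
    try:
        plan = keepalive_plan(idle_timeout)
        applied = enable_keepalive(cli, *plan)
    finally:
        peer.close()
        cli.close()
        srv.close()
    return plan, applied


if __name__ == "__main__":
    plan, applied = demo_connection()
    print("plan for %ds conn timeout:" % PIX_CONN_TIMEOUT, plan)
    print("kernel applied:", applied)
    print("stock Linux keepalive fits?",
          plan_fits(PIX_CONN_TIMEOUT, (LINUX_DEFAULT_KEEPIDLE, 75, 9)))
```

The probe itself is an empty ACK, so it is enough to reset the PIX connection idle timer, and because it is generated by the kernel it works without touching the application protocol. Note that half-closed sessions have their own, shorter timer on the PIX; a keepalive only helps a connection that is still fully open in both directions.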