From: Scott Morris (swm@emanon.com)
Date: Fri Aug 22 2003 - 14:55:49 GMT-3
Hmmm.. You're correct (per the docs), but the last one I did came
out of the box at 24 hours. I just checked a few others and they're 3
hours. Go figure. *shrug*
:)
-----Original Message-----
From: ccie2002@tampabay.rr.com [mailto:ccie2002@tampabay.rr.com]
Sent: Friday, August 22, 2003 1:39 PM
To: swm@emanon.com
Cc: 'Anthony Pace'; ccielab@groupstudy.com
Subject: Re: RE: Off Topic: Problems with PIX closing socket on a static NAT
Scott you are right on the half-closed. Here is straight from the doc on
xlate though. I just looked it up.
Idle time until a translation slot is freed. This duration must be at
least 1 minute. The default is 3 hours.
----- Original Message -----
From: Scott Morris <swm@emanon.com>
Date: Friday, August 22, 2003 1:31 pm
Subject: RE: Off Topic: Problems with PIX closing socket on a static NAT
> The default timers (at least for 6.3 PIX OS) are:
>
> Xlate = 24 hours
> Connection = 1 hour
> Half-closed connection = 10 minutes
>
> You can always do a 'show timeout' on your pix to see the configured
> values. Remember these times are all from inactivity.
>
> If you're pondering changing things due to an application, I agree,
> think about not doing it! Is there any chance of modifying the
> application to put some keepalive in there, or something that will
> generate activity across the link as long as it needs to stay up.
>
> If you start tweaking things too much, you may run into other issues
> depending on the architecture of your network! You want to strike a
> balance between security, being nice to users/applications, and
> keeping your own sanity!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [nobody@groupstudy.com] On Behalf Of
> ccie2002@tampabay.rr.com
> Sent: Friday, August 22, 2003 1:25 PM
> To: Anthony Pace
> Cc: ccielab@groupstudy.com
> Subject: Re: Off Topic: Problems with PIX closing socket on a static NAT
>
>
> Yes a PIX will close an inactive xlate. By default I think this is
> at 3 hrs. But more than likely it is the connection timeout that is
> doing this. It is by default 1 hr and 30 minutes for half closed
> sessions. I would not change this because an app doesn't work. I
> would ask the app folks if they could configure it to send a periodic
> keepalive.
>
> Other ramifications could leave you susceptible to an attack on open
> sessions.
>
> ----- Original Message -----
> From: Anthony Pace <anthonypace@fastmail.fm>
> Date: Friday, August 22, 2003 12:55 pm
> Subject: Off Topic: Problems with PIX closing socket on a static NAT
>
> > Has anyone had problems with the PIX closing a tcp socket on a
> > static nat due to inactivity/timeout? I am dealing with an
> > application which may legitimately leave the socket open for hours,
> > and if it hides behind the PIX, there are problems with the first
> > connection when the session has been idle for several hours.
> >
> > I am thinking about increasing the global timeout for NAT, but I
> > don't know if it will have other ramifications.
> >
> >
> > Tony Pace CCIE #10349
> >
> > --
> > Anthony Pace
> > anthonypace@fastmail.fm
> >
> > --
> > http://www.fastmail.fm - I mean, what is it about a decent email
> > service?
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
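The thread's recommendation is to have the application send periodic keepalives rather than raise the PIX xlate or conn timers. The following is an editor-added example, not code from anyone in this thread or from Cisco: it plans TCP keepalive parameters from the inactivity timers the posters quote (xlate 3 h, conn 1 h, half-closed 10 min for PIX 6.3, per Scott's and ccie2002's messages) and enables them on a socket with the standard Berkeley socket options. The "probe at half the governing timeout" rule is the editor's own assumption, not a documented PIX figure, and the half-closed timer is deliberately excluded since a keepalive cannot keep a connection that one side has already FINed from timing out.

```python
import socket

# Figures quoted in the thread for PIX 6.3 defaults (seconds). Scott notes
# that some boxes show xlate at 24 h instead of 3 h; either way the 1 h conn
# timer governs an established TCP session, so the plan below is unchanged.
PIX_DEFAULT_TIMEOUTS = {"xlate": 3 * 3600, "conn": 3600, "half-closed": 600}


def plan_keepalive(idle_timeouts, probes=3, safety=0.5):
    """Return (idle, interval, count) for TCP keepalive such that the first
    probe fires at `safety` times the shortest firewall timer that applies to
    a fully open connection, and all `probes` retries still complete before
    that timer expires. The safety factor is an assumption for illustration.
    Only xlate and conn matter here; the half-closed timer starts after a FIN,
    which a keepalive cannot undo."""
    governing = min(idle_timeouts["xlate"], idle_timeouts["conn"])
    idle = int(governing * safety)
    # Spread the retries over the remaining budget, but never probe faster
    # than once a minute: keepalives exist to refresh the firewall's idle
    # timer, not to add load.
    interval = max(60, (governing - idle) // (probes + 1))
    return idle, interval, probes


def fits_within(plan, idle_timeouts):
    """True if the whole probe sequence (idle + count retries) finishes before
    the governing firewall timer would have expired."""
    idle, interval, count = plan
    governing = min(idle_timeouts["xlate"], idle_timeouts["conn"])
    return idle + interval * count < governing


def enable_keepalive(sock, idle, interval, count):
    """Enable OS-level TCP keepalive on `sock`. The idle-time option is named
    TCP_KEEPIDLE on Linux and TCP_KEEPALIVE on macOS, so look up whichever
    exists; interval and count are set only where the platform exposes them.
    Returns True if SO_KEEPALIVE reads back as enabled."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None)
    if idle_opt is None:
        idle_opt = getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


if __name__ == "__main__":
    plan = plan_keepalive(PIX_DEFAULT_TIMEOUTS)
    print("keepalive idle/interval/count:", plan, "fits:", fits_within(plan, PIX_DEFAULT_TIMEOUTS))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("keepalive enabled:", enable_keepalive(s, *plan))
```

The options must be set on the socket before it goes idle (typically right after connect), and the client side is the natural place for them since that is the host behind the static NAT whose xlate and conn entries are being aged out; keepalive segments count as traffic for the PIX's inactivity timers just like application data would, which is exactly the "something that will generate activity across the link" Scott asks for.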
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:05 GMT-3