RE: FWSM Global Service Policy change tcp connection timeout

From: Lee Reade (lee.reade@binternet.com)
Date: Tue Jul 01 2008 - 16:49:24 ART


Hi,

Thanks for the reply, however:

This is the default policy:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global


The default tcp connection idle timeout applies to this policy-map, so if I
want to have a specific flow with idle timeout 0, then would I just create a
new class-map, match the flow with acl, and specify the connection settings?

 

I think I would also need to remove the default class, add the new one in,
then add the default back in again, so that the new one is hit first.


access-list 101 permit tcp host x.x.x.x host y.y.y.y eq z
class-map class1
 match access-list 101

policy-map global_policy
 no class inspection_default
 class class1
  set connection timeout tcp 0:0:0
 class inspection_default

What do you think?

I am not able to test this out, and will have a tight window when I go to
make the change, hence the reason I'm trying to clarify!!

Thanks

LR
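For reference, here is the per-flow exemption written out end to end with the checks I would run in the change window. This is an added example of my own, not Lee's or Luan's config and not taken from a Cisco document; the names DB_FLOW, the hosts 10.1.1.10 / 10.2.2.20 and port 1521 are placeholders.

```cisco
! Added example (placeholders throughout): exempt one database flow from the
! TCP idle timeout while every other flow keeps the FWSM defaults.

! 1. Match the flow as narrowly as possible: one client, one server, one port.
!    A connection that never idles out holds firewall state for as long as both
!    ends stay up, so the ACL should not match anything broader than it must.
access-list DB_FLOW extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 1521

class-map DB_FLOW
 match access-list DB_FLOW

! 2. Add the class to the existing global policy. inspection_default is left
!    alone: it only carries inspections, and a flow takes its connection
!    settings from one class and its inspections from another, so there is no
!    need to remove it and re-add it behind the new class.
policy-map global_policy
 class DB_FLOW
  set connection timeout tcp 0:0:0
! 0:0:0 = never time out (FWSM / ASA 7.x "set connection timeout tcp" syntax).
! Traffic not matched by DB_FLOW keeps the global "timeout conn" value,
! 1:00:00 by default.

! global_policy is already applied globally, so no new service-policy line.

! 3. Verify in the window. The new settings apply to connections built after
!    the change, so the database session has to be re-established once.
show run policy-map global_policy
show service-policy global set connection
! The idle column below should keep climbing past 1:00:00 without the
! connection being torn down.
show conn address 10.2.2.20 port 1521
```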

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan
Nguyen
Sent: 01 July 2008 20:13
To: 'Lee Reade'; ccielab@groupstudy.com
Subject: RE: FWSM Global Service Policy change tcp connection timeout for 1
specific flow


I've never seen you have to use class default for the ASA or anything that
runs PIXOS.

For example, if I want to allow BGP MD5 authentication for 2 peers, then I
would just create an ACL permit tcp host host eq bgp, match it and allow tcp
option 19 and disable the random-sequence-number. I don't need to do
anything else for the rest of the bgp peers that pass through the ASA and
are not using MD5 authentication.

You are going to apply the service-policy as global, you don't need to do
anything else.

-Luan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lee
Reade
Sent: Tuesday, July 01, 2008 2:35 PM
To: ccielab@groupstudy.com
Subject: FWSM Global Service Policy change tcp connection timeout for 1
specific flow


Hi,

I have an issue with an old database server that creates tcp connections via
a FWSM, and expects these sessions to never idle out. Since the FWSM has a
default timeout of 60 mins for tcp we are having some issues with
connectivity. I want to config a class-map to match this specific flow and
set the tcp connection timeout to 0.

Can anyone advise how to ensure that the other traffic will use the FWSM
default settings? Would I just config the class-default and set the
connections in there? Or will they automatically pick them up?

I will be applying this service-policy as global and not to a specific
interface.

I've checked on CCO but the config guide doesn't mention this, and I just
need some clarification.

Thanks very much,

LR

This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:52 ART