Re: who does session disconnects
- From: "Scott Perry" <scottperry@aciscocompany>
- Date: Mon, 13 Aug 2007 08:58:58 -0400
Here is a sample of some of the timeout commands from a Cisco ASA firewall:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
timeout xlate 0:05:00
timeout conn 0:50:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Almost the same layout for PIX or ASA, accounting for differences in
platform and image version.
To go beyond this default set of commands for a connection timeout, a class
map can be configured for a certain type of network traffic. For example,
an access-list can be entered into the class map permitting any any traffic
destined for TCP port 22. That class map can then be used to configure a
specific timeout for that traffic class.
access-list SSHtraffic extended permit tcp any any eq 22
! class-map name SSHtraffic-class is a placeholder; the original post omits it
class-map SSHtraffic-class
 description Any SSH network traffic
 match access-list SSHtraffic
policy-map SSHtimeout
 class SSHtraffic-class
  set connection timeout tcp 00:05:00 reset
service-policy SSHtimeout interface outside
"Erik Dahle" <erikda@xxxxxxxxx> wrote in message
Barry Margolin wrote:
In article <46bc60f7$0$21249$39cecf19@xxxxxxxxxxxxxxxxxx>,
"Scott Perry" <scottperry@aciscocompany> wrote:
I really seriously doubt it. My first answer is to say no, that there
is no way that a Cisco PIX firewall will terminate your SSH session
after a period of inactivity for you.
Think of it like this: The SSH session is secure shell - an encrypted
connection. How is the PIX to know when it is active or inactive?
There will be TCP keepalives going back and forth and perhaps some data
from the SSH server to the client, but the PIX would not know what is in
the SSH data.
I don't know PIX, but many firewalls have the ability to terminate idle
connections of any type. The firewall should be able to tell the
difference between TCP keepalives and actual data packets. It can't tell
what's IN the data packets if they're encrypted, but why would it need
to? All it needs to know is whether any application-layer data is being
transmitted over the connection.
Indeed, every stateful firewall has the ability to terminate idle
connections. They must have; otherwise the state table would never stop
Whenever a packet that matches a state-table entry goes through the
firewall, it will reset that entry's timer.
If an entry has not been in use for say 1 hour, a process will declare
that connection dead, and erase it.
Many applications avoid this by sending keep-alive packets.
On pix this timeout is set by "timeout xlate".
I don't know pix very well, but on some firewalls, you can adjust the
timeout on a per-port basis. So you can say that the default timeout is 1 hour,
but for port 22 tcp, it's 24 hours.
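The state-table behaviour described in the two posts above (a packet matching an entry refreshes its timer, a reaper removes entries idle longer than their limit, keepalives keep a flow alive, and a per-port override such as 24 hours for 22/tcp) as a small Python model. This is an added illustration and is not Cisco code or code from any poster in the thread; the addresses, ports, timestamps and the override table are constructed for the example.

```python
"""Toy stateful-firewall connection table with idle timeouts (added example).

Models the mechanism described in the thread:
  * a packet matching an existing entry resets that entry's idle timer,
  * a reaper pass deletes entries idle longer than their limit,
  * keepalive packets keep a flow alive,
  * a per-destination-port override (22/tcp -> 24 h) beats the default (1 h).
All flows and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass

DEFAULT_IDLE = 3600                      # seconds; the "1 hour" default
PORT_IDLE_OVERRIDES = {22: 24 * 3600}    # 22/tcp gets 24 hours


@dataclass(frozen=True)
class FlowKey:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    last_seen: float      # time of the last packet that matched this entry
    idle_limit: int       # seconds of silence allowed before the reaper kills it


class StateTable:
    def __init__(self, default_idle=DEFAULT_IDLE, overrides=None):
        self.default_idle = default_idle
        self.overrides = dict(overrides if overrides is not None else PORT_IDLE_OVERRIDES)
        self.entries: dict[FlowKey, Entry] = {}

    def idle_limit_for(self, key: FlowKey) -> int:
        """Per-port override if one exists, otherwise the global default."""
        return self.overrides.get(key.dport, self.default_idle)

    def packet(self, key: FlowKey, now: float) -> bool:
        """Process one packet at time `now`.

        Returns True if it matched an existing entry (timer refreshed),
        False if a new entry had to be created for the flow.
        """
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(last_seen=now, idle_limit=self.idle_limit_for(key))
            return False
        entry.last_seen = now
        return True

    def expire(self, now: float) -> list[FlowKey]:
        """Reaper pass: drop every entry idle longer than its limit."""
        dead = [k for k, e in self.entries.items() if now - e.last_seen > e.idle_limit]
        for k in dead:
            del self.entries[k]
        return dead

    def is_open(self, key: FlowKey) -> bool:
        return key in self.entries


def run_scenario() -> dict:
    """Three constructed flows through the table; returns what survived when."""
    table = StateTable()
    http = FlowKey("10.0.0.5", 40000, "203.0.113.10", 80)   # default 1 h limit
    ssh = FlowKey("10.0.0.5", 40001, "203.0.113.10", 22)    # 24 h override
    table.packet(http, 0)
    table.packet(ssh, 0)

    # Two hours of complete silence, then a reaper pass.
    table.expire(7200)
    result = {
        "http_open_after_2h": table.is_open(http),   # idle 2 h > 1 h -> gone
        "ssh_open_after_2h": table.is_open(ssh),     # idle 2 h < 24 h -> still here
    }

    # A third flow on port 80 sends a keepalive every 30 minutes for 3 hours.
    ka = FlowKey("10.0.0.6", 40002, "203.0.113.10", 80)
    t = 7200
    table.packet(ka, t)
    for _ in range(6):
        t += 1800
        table.packet(ka, t)     # refreshes last_seen
        table.expire(t)         # reaper sees it active
    result["keepalive_flow_open_after_3h"] = table.is_open(ka)

    # Keepalives stop; one second past the limit the reaper removes it.
    table.expire(t + DEFAULT_IDLE + 1)
    result["keepalive_flow_open_after_silence"] = table.is_open(ka)
    result["ssh_still_open_at_end"] = table.is_open(ssh)
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model is deliberately one-directional and ignores TCP state; real firewalls (the ASA `timeout conn` / `half-closed` values earlier in the thread, for instance) apply different limits per connection phase, but the refresh-on-match and reap-when-idle logic is the same.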