Solved

Cisco ASA Timeout Conn setting, what are the risks of lowering?

Posted on 2015-01-19
1
388 Views
Last Modified: 2015-01-20
Have an ASA that is over utilized in general. Working on temporary measures to free up any resources/bandwidth on the box. Until new hardware arrives

What is the danger of setting the Timeout Conn to say, 5, or 2 minutes? This FW is mostly used for web browsing traffic. I believe I read an article on increasing ASA performance suggesting to lower it to 2 minutes, which is the default for the FWSM module.

Thoughts?
0
Comment
Question by:LIBBB
1 Comment
 
LVL 7

Accepted Solution

by:
tolinrome earned 500 total points
ID: 40557880
This command will show you what all your timeouts are set for on the ASA:

(config)# show running-config | include timeout

Default for TCP connections (web traffic) for timeout is 1 hour. As long as you dont have an application that needs or expects idle connections (for example an application to SQL database), it probably wouldn't have much impact at all on the firewall, depending on how many TCP connections, of course though it would free up resources. If you did have an application as mentioned that needed a timeout you could create a policy map for it that will only enforce the idle time for that only, nothing else.

Make sure that your policy map global policy already isnt inspecting necessary traffic and causing unnecessary strain on the firewall.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Article by: rfc1180
The Maximum Segment size (MSS) is an important consideration when troubleshooting connectivity via the Internet/Intranet. As the packets are routed via the Internet/Intranet, the packets must traverse through multiple routers in the path between two…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now