Solved

Cisco ASA Timeout Conn setting, what are the risks of lowering?

Posted on 2015-01-19
1
444 Views
Last Modified: 2015-01-20
Have an ASA that is over utilized in general. Working on temporary measures to free up any resources/bandwidth on the box. Until new hardware arrives

What is the danger of setting the Timeout Conn to say, 5, or 2 minutes? This FW is mostly used for web browsing traffic. I believe I read an article on increasing ASA performance suggesting to lower it to 2 minutes, which is the default for the FWSM module.

Thoughts?
0
Comment
Question by:LIBBB
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 7

Accepted Solution

by:
tolinrome earned 500 total points
ID: 40557880
This command will show you what all your timeouts are set for on the ASA:

(config)# show running-config | include timeout

Default for TCP connections (web traffic) for timeout is 1 hour. As long as you dont have an application that needs or expects idle connections (for example an application to SQL database), it probably wouldn't have much impact at all on the firewall, depending on how many TCP connections, of course though it would free up resources. If you did have an application as mentioned that needed a timeout you could create a policy map for it that will only enforce the idle time for that only, nothing else.

Make sure that your policy map global policy already isnt inspecting necessary traffic and causing unnecessary strain on the firewall.
0

Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: rfc1180
The Maximum Segment size (MSS) is an important consideration when troubleshooting connectivity via the Internet/Intranet. As the packets are routed via the Internet/Intranet, the packets must traverse through multiple routers in the path between two…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question