Aggressively killing idle sessions

I have an internal problem due to a third party that is causing TCP session resets to not reach my border ASA. This is causing me problems on the Internet side as these connections hang around for up to 5min which appears to be the minimum TCP timeout allowed by an ASA for an established TCP session.
This traffic is being NATed and thus my public IP is bumping into open session limits with a remote party because of this...
Until I can correctly fix the internal issue (not under my control) is there any way I can kill off these sessions faster? When working correctly these sessions only last 15-30s and there are a lot of them, so the 5min idle timeout limit is killing me.
As far as I can tell changing dead link detection and xlate timeouts will not work since they happen AFTER the TCP idle timeout (minimum 5min).
Any IDEAS? I do have a specific set of source addresses and one specific destination IP and port involved in this issue so making an aggressive change specific to this traffic would be ideal.

Reply

Hi,
Maybe you can use this document to help with this case?
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html
Or had you tried this yet?
You should be able to match certain traffic and apply different timeout rules for that traffic without affecting the global settings
I quickly configured this on my home ASA and this is the output of the "show conn long" with one TCP connection to which the new timeout is applied
TCP WAN:y.y.y.y/443 (y.y.y.y/443) WLAN:10.0.255.20/57598 (x.x.x.x/57598), flags UIO, idle 27s, uptime 28s, timeout 1m0s, bytes 5635
You are able to set the timeout even in seconds. A simple test configuration I used to match ALL traffic (which probably isn't the case in your situation)
class-map CONNS
match any
policy-map global_policy
class inspection_default
class CONNS
  set connection timeout idle 0:01:00
Hope this helps
- Jouni
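The reply's test policy matches all traffic with `match any`. The question describes a specific set of source addresses and one destination IP and port, so the same Modular Policy Framework mechanism can be scoped with an access-list so that only that flow gets the short idle timeout and the global 5-minute default stays untouched. The following configuration is an added example written for this page, not Jouni's configuration or Cisco's own documentation; the addresses (10.1.20.0/24 as the internal clients, 203.0.113.10 port 8443 as the remote party) and the object/class names are placeholders to be replaced with the real values.

```cisco
! Added example (not from the original reply). Placeholder addresses:
! internal clients 10.1.20.0/24, remote party 203.0.113.10 TCP/8443.
! Use the pre-NAT (internal) source addresses here, as seen in "show conn".
object-group network PARTNER-CLIENTS
 network-object 10.1.20.0 255.255.255.0

! Match only the problem flow, not "any", so the global timeout is unchanged
access-list PARTNER-SHORT-IDLE extended permit tcp object-group PARTNER-CLIENTS host 203.0.113.10 eq 8443

class-map PARTNER-SHORT-IDLE
 match access-list PARTNER-SHORT-IDLE

! Attach to the existing global policy; "reset" makes the ASA send a TCP RST
! to both endpoints when the idle timer expires, so the remote side also
! releases its half of the stale session.
policy-map global_policy
 class PARTNER-SHORT-IDLE
  set connection timeout idle 0:01:00 reset

! Already present by default on an ASA; shown only for completeness.
service-policy global_policy global
```

Two things to check after applying it. First, the per-class setting only governs connections built after the policy is in place; connections already in the table keep the timeout they were created with, so `show conn long` for a fresh connection to the destination should report `timeout 1m0s` like the output in the reply, while older ones will age out on the old timer (or can be cleared with `clear conn`). Second, the `idle` keyword is the one shown in the reply; on older 8.2 builds the same command takes `tcp` in place of `idle`, so if the keyword is rejected check the release's `set connection timeout` syntax before assuming the class-map is wrong.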