
Cisco 3750 Default timeout setting

Status
Not open for further replies.

TTLBen (Vendor, HK), Mar 7, 2012
Hi all,

We are currently using the Cisco 3750 switch. We have disabled sysauthcontrol as shown below:

CoreHoiso1#show dot1x all
Sysauthcontrol Disabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Disabled

However, we found that if a connection is idle for about 60 minutes there is a timeout. So I want to ask whether anyone knows if there is any default idle timeout setting on this switch even when sysauthcontrol is set to disabled.

I checked the user manual and found that most of the timeout settings only apply when sysauthcontrol = enabled. So I want to ask if anyone has come across this before.

Any help is appreciated :)
Thanks
 
Hi, I am still encountering this issue.
I want to ask if anyone knows whether there is any default timeout value set for this switch even if sysauthcontrol is disabled.

Thanks
Ben
 
Hard to tell what you're asking, but if this is for admin access to the switch there is a timeout on the vty lines. By default it is set to 10 minutes of inactivity but is configurable. If you haven't already, look at:

show run | begin line

If you see:

line vty 0 15
exec-timeout 60 0

That is what is timing out the admin session.

Not enough info though to tell. Post a sanitized 'show run' if you need.
 
Thanks for your reply Cluebird

What I meant is this: currently we have two machines connected through the switch, say machine A and machine B.

The application installed on machine A uses port 1234 (a random port) to connect to machine B's port 5100 (the port we preset as the listening port in our application).

We use this port to do some message passing. However, there is no heartbeat on this connection, which means that whenever we are not passing any message the connection becomes idle.

We noticed that if we let the connection sit there for around an hour and then try to send another message afterward, the message cannot be delivered. So I am wondering if there is any default idle timeout setting preset in the device.

Thanks a lot for your help
Ben

 
I doubt the switch is the culprit. However, there are underlying databases that might be timing out such as the arp cache on the hosts or even the mac address-table on the switch. Both those databases will clear unused entries after 5 minutes of inactivity, but a 60 min timeout indicates something at a higher layer usually associated with authentication. Are you using TACACS+ or RADIUS? Is the application web-based just with different ports? And are the hosts on the same network or is there a router and/or firewall device between them?
 
The switch has no part to play in maintaining your connection.

All the switch does is read the source/destination MAC addresses of each frame and pass it out the relevant switchport the destination MAC address is mapped to. If there has been no activity for some minutes, the destination MAC is cleared from the switch. If it receives a frame for that MAC address after that time, it will pass the frame out *every* switchport because it doesn't know which switchport to send it to, and your destination device will receive it anyway.

You should connect your PC & Server directly via a crossover cable so as to eliminate the red herring of worrying about whether the switch is responsible.
 
Thanks for your replies Cluebird & VinceWhirlwind

@Cluebird: Yes, I believe that the timeout is at a higher layer associated with authentication, and I have now found that there is a firewall between the two machines (Kaspersky firewall). But we have already changed all the idle timeout settings for the Kaspersky.

"Are you using TACACS+ or RADIUS? Is the application web-based just with different ports? And are the hosts on the same network or is there a router and/or firewall device between them? "

I am not exactly sure about the whole hardware setup at the moment because I (the vendor) only provide the software for them. But I do believe that it has to be the firewall which is causing the problem now. I will try to look into it.

@VinceWhirlwind: "You should connect your PC & Server directly via a crossover cable"
Yes, I will try to "convince" them to set up the devices as you suggested.


But I want to ask, as you stated, "If there has been no activity for some minutes": is there any way I can set this time period?

Thank you very much for all your help! :)
 
The mac-address table (or CAM table on high-end switches) doesn't have a configurable timer.

My focus will be on the firewall. I'm not familiar with the Kaspersky, but a Cisco firewall will time out connections eventually when they aren't being used. After all, that's what a firewall is supposed to do. If you need to maintain the connection forever, you'll need some sort of keepalive on the connection such as a periodic ping.
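The keepalive Cluebird describes can be done below the application, in the TCP stack, so that the message-passing code on machine A does not have to change. The block below is an added example and is not code from any of the posters; it assumes a stateful firewall in the path with a 60-minute idle timeout (the figure Ben reports) and that the firewall counts a keepalive probe, which is an empty ACK segment, as activity. The socket-option names differ per platform, so the function reports back what the kernel actually accepted.

```python
import socket
import sys


def keepalive_settings_for(firewall_idle_timeout_s, margin=0.5, interval_s=60, count=5):
    """Pick TCP keepalive timers for a connection that must survive a stateful
    firewall whose idle timeout is firewall_idle_timeout_s seconds.

    Returns (idle_s, interval_s, count): the first probe is sent after idle_s
    seconds of silence, then every interval_s seconds, up to count times.
    The whole probe schedule must finish inside the firewall timeout, so the
    first probe goes out at `margin` of it (half by default).
    """
    idle_s = max(1, int(firewall_idle_timeout_s * margin))
    if idle_s + interval_s * count >= firewall_idle_timeout_s:
        raise ValueError("probe schedule does not finish before the firewall timeout")
    return idle_s, interval_s, count


def enable_tcp_keepalive(sock, idle_s, interval_s, count):
    """Turn on TCP keepalive on a socket and return the values the kernel reports
    back, so the caller can verify what took effect rather than assume it.

    The per-timer options are platform specific: Linux has TCP_KEEPIDLE,
    TCP_KEEPINTVL and TCP_KEEPCNT; macOS names the idle timer TCP_KEEPALIVE;
    Windows takes the values through the SIO_KEEPALIVE_VALS ioctl.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}

    if sys.platform == "win32":
        # (onoff, keepalive time in ms, keepalive interval in ms); Windows fixes the probe count
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle_s * 1000, interval_s * 1000))
        return applied

    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    for name, opt, value in (
        ("TCP_KEEPIDLE", idle_opt, idle_s),
        ("TCP_KEEPINTVL", getattr(socket, "TCP_KEEPINTVL", None), interval_s),
        ("TCP_KEEPCNT", getattr(socket, "TCP_KEEPCNT", None), count),
    ):
        if opt is not None:  # skip timers this platform does not expose
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def keepalive_connection(host, port, firewall_idle_timeout_s):
    """Connect to host:port (machine B's listening port in the thread) with
    keepalive sized for the firewall in the path. Returns (socket, applied)."""
    idle_s, interval_s, count = keepalive_settings_for(firewall_idle_timeout_s)
    sock = socket.create_connection((host, port))
    return sock, enable_tcp_keepalive(sock, idle_s, interval_s, count)


def demo_settings(firewall_idle_timeout_s=3600):
    """Apply the timers to an unconnected socket (the options may be set before
    connect) and return what the kernel reports, so this runs offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_tcp_keepalive(sock, *keepalive_settings_for(firewall_idle_timeout_s))
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo_settings())
```

With a 3600 s firewall timeout this sends the first probe after 1800 s of silence, so an idle connection is refreshed twice per firewall period and a dead peer is declared within 1800 + 5 × 60 s. If the firewall only resets its idle timer on segments that carry payload, these probes will not help and the application needs its own periodic message instead.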
 
Like I said, the switch is a red herring - it plays no part in maintaining your connection and its job is to pass frames regardless of whether they belong to any TCP connection of any kind.

Having said that, you can manually configure a MAC address into the ARP table so it is there permanently.
There's very rarely any reason to do so.

If you're having trouble convincing somebody, much better will be to take packet captures and show them the connection being reset by one of the endpoints.
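To act on VinceWhirlwind's suggestion, the capture has to show not just that the connection died but which side sent the reset. The block below is an added example, not code from the posters: it decodes Ethernet/IPv4/TCP frames, reports the first RST and who sent it, and flags an RST whose IP TTL differs from the TTL that host used earlier in the same capture, since a reset manufactured by a device in the path usually arrives with a TTL the real endpoint never used. The addresses (10.0.0.1 for machine A, 10.0.0.2 for machine B) are assumed; the ports 1234 and 5100 are the ones from the thread; the capture itself is constructed inline, with checksums left zero.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

A, B = ("10.0.0.1", 1234), ("10.0.0.2", 5100)   # assumed addresses for machines A and B


def build_frame(src, dst, flags, ttl=64):
    """Build a minimal Ethernet/IPv4/TCP frame. Used only to construct the sample
    capture below; checksums are left zero because nothing here validates them."""
    src_ip, sport = src
    dst_ip, dport = dst
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, IPPROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": (str(IPv4Address(ip[12:16])), sport),
        "dst": (str(IPv4Address(ip[16:20])), dport),
        "ttl": ip[8],
        "flags": tcp[13],
    }


def find_reset(frames):
    """Return who sent the first RST in a capture, or None if there is none.

    ttl_mismatch is True when the RST's IP TTL differs from the TTL the same
    source used in its earlier, non-RST segments: that separates "B closed it"
    from "something between A and B closed it on B's behalf".
    """
    seen_ttl = {}
    for index, frame in enumerate(frames):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if pkt["flags"] & RST:
            expected = seen_ttl.get(pkt["src"][0])
            return {
                "frame": index,
                "from": pkt["src"],
                "to": pkt["dst"],
                "ttl": pkt["ttl"],
                "ttl_mismatch": expected is not None and expected != pkt["ttl"],
            }
        seen_ttl.setdefault(pkt["src"][0], pkt["ttl"])
    return None


def sample_capture(injected=False):
    """Constructed capture: A opens 1234 -> 5100, exchanges a message, sits idle,
    sends again and gets an RST. With injected=True the RST carries a TTL that
    B never used, as a middlebox-generated reset would."""
    rst_ttl = 128 if injected else 64
    return [
        build_frame(A, B, SYN),
        build_frame(B, A, SYN | ACK),
        build_frame(A, B, ACK),
        build_frame(A, B, PSH | ACK),   # message before the idle period
        build_frame(B, A, ACK),
        build_frame(A, B, PSH | ACK),   # message after ~60 minutes of silence
        build_frame(B, A, RST, ttl=rst_ttl),
    ]


if __name__ == "__main__":
    print(find_reset(sample_capture()))
    print(find_reset(sample_capture(injected=True)))
```

Replace `sample_capture()` with frames read from a real capture file taken on machine A. If that capture shows A's segment being retransmitted with no answer rather than an RST, the segment is being dropped, and the capture has to be taken on machine B (or on a SPAN port of the switch) to see which side discarded it. A host firewall such as the Kaspersky one mentioned above sits on the endpoint, so an RST it generates will carry B's own TTL and the mismatch check will not single it out; only the capture on B can do that.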
 