We have a timeout problem with Sybase connections on the FWSM on a Cisco 6500. The developers need connections open for more than an hour over TCP, we want to restrict that to an hour for security reasons. Has anyone implemented the "reset" keyword on the "set connection timeout tcp hh:mm:ss" command? Can you share your experiences?
Here's the theory from Cisco:
The tcp hh:mm:ss keyword sets the idle timeout between 0:5:0 and 1092:15:0. The default is 0:60:0. You can also set this value to 0, which means the connection never times out. The reset keyword sends a reset to TCP endpoints when the connection times out. The FWSM sends the reset packet only in response to a host sending another packet for the timed-out flow (on the same source and destination port). The host then removes the connection from its connection table after receiving the reset packet. The host application can then attempt to establish a new connection using a SYN packet.
In the real world, things sometimes work differently, so if you've done this, can you share your info on whether hosts succeed in reestablishing their connections after the hour?
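An added configuration example (not from the original post or from Cisco's documentation) showing how the one-hour timeout with the reset keyword can be scoped to just the Sybase flows through the FWSM modular policy framework; the class-map/policy-map names and the Sybase port 5000 are assumptions. Because the FWSM only emits the RST when an endpoint transmits on the already-timed-out flow, the Sybase client learns of the teardown at its next query and must reconnect at that point.

```cisco
! Match only the Sybase listener (port 5000 is an assumption; substitute your real port)
class-map sybase-tcp
 match port tcp eq 5000
!
! One-hour idle timeout; on the next packet of a timed-out flow the FWSM answers with RST
policy-map global_policy
 class sybase-tcp
  set connection timeout tcp 1:00:00 reset
!
service-policy global_policy global
!
! Check that the policy is applied and watch per-flow idle timers
show service-policy
show conn
```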