Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Timeout settings on PIX

Status
Not open for further replies.
mustaine737

mustaine737

ISP
Apr 17, 2006
27
US
Hello,

With reference to a PIX 525 running ver 6.3(3) -

I have a host (hereafter referred as client) behind this PIX with a static one-to-one NAT.

The client needs to connect via TCP to an external server on a specific port for a proprietary application. The connection is always initiated from my client to the server.

The application access is controlled by a service running on the client, which periodically stops and restarts. If the service is restarted, the server still sees the client as connected from before the restart, and will not allow a new connection.

The timeout settings on the PIX are the default:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00

I'm guessing the problem is because even though the client closes the connection, the xlate is maintained by the PIX. Will that have to be changed to allow the client to reconnect immediately?

If so, is that a global setting or can it be changed only for this client-server connection?

Thanks a lot for any suggestions!

-Pix Rookie :)
 
Sort by date Sort by votes
After some further thought about "I'm guessing the problem is because even though the client closes the connection, the xlate is maintained by the PIX" - that doesnt really make sense because the connection that is torn down by the client is at the transport level, but the xlate table is maintained by the PIX at the IP layer.

Is the PIX still maintaining the connection with the server?

Now, even more confused :-(
 
Upvote 0 Downvote
The pix won't maintain connections. It will keep the xlate slot open for a while so it doesn't have to go through the cpu cycles to create and tear down new ones if there will still be traffic.
I would check the server to see what is happening on it's end.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Sounds like the server is maintaining the session. The PIX is just the middle man and is not going to keep this type of connection alive for you.
 
Upvote 0 Downvote
Supergrrover and NetworkGhost - thanks for your replies.

I agree and think the client is closing the session from its side, but the server is not, so the connection is in a 'halfclosed' state. Since the PIX will timeout this connection only after 10 minutes, the client is unable to create a fresh connection with the server.

Since the server side folks are a bunch of ********* , I'll probably upgrade my PIX to ver 7.X to use the MPF feature and reduce the timeout.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
322
Sameer258
Sameer258
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
100
PauS0n
PauS0n
mcisar
  • Locked
  • Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
111
mcisar
mcisar
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
68
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
79
brownmab53
brownmab53

Part and Inventory Search

Sponsor

Back
Top