
Timeout settings on PIX

Status
Not open for further replies.
Apr 17, 2006
27
US
Hello,

With reference to a PIX 525 running ver 6.3(3) -

I have a host (hereafter referred as client) behind this PIX with a static one-to-one NAT.

The client needs to connect via TCP to an external server on a specific port for a proprietary application. The connection is always initiated from my client to the server.

The application access is controlled by a service running on the client, which periodically stops and restarts. If the service is restarted, the server still sees the client as connected from before the restart, and will not allow a new connection.

The timeout settings on the PIX are the default:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00

I'm guessing the problem is because even though the client closes the connection, the xlate is maintained by the PIX. Will that have to be changed to allow the client to reconnect immediately?

If so, is that a global setting or can it be changed only for this client-server connection?

Thanks a lot for any suggestions!

-Pix Rookie :)
 
After some further thought about "I'm guessing the problem is because even though the client closes the connection, the xlate is maintained by the PIX" - that doesn't really make sense because the connection that is torn down by the client is at the transport level, but the xlate table is maintained by the PIX at the IP layer.

Is the PIX still maintaining the connection with the server?

Now, even more confused :-(
 
The pix won't maintain connections. It will keep the xlate slot open for a while so it doesn't have to go through the cpu cycles to create and tear down new ones if there will still be traffic.
I would check the server to see what is happening on its end.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Sounds like the server is maintaining the session. The PIX is just the middle man and is not going to keep this type of connection alive for you.
 
Supergrrover and NetworkGhost - thanks for your replies.

I agree and think the client is closing the session from its side, but the server is not, so the connection is in a 'half-closed' state. Since the PIX will time out this connection only after 10 minutes, the client is unable to create a fresh connection with the server.

Since the server side folks are a bunch of *********, I'll probably upgrade my PIX to ver 7.X to use the MPF feature and reduce the timeout.
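
The half-closed TCP state this thread turns on, reproduced on loopback as an added example (not code from any poster in the thread): the client sends its FIN, the server sees end-of-stream but keeps its own direction open and can still send. The loopback address, ephemeral port, payloads and the `half_close_demo` name are constructed for illustration.

```python
import socket
import threading


def half_close_demo():
    """Return what each side observes when only the client closes its half."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # constructed setup: loopback, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    observed = {}
    release = threading.Event()          # stands in for "server finally closes"

    def server():
        conn, _ = listener.accept()
        with conn:
            observed["request"] = conn.recv(1024)
            # An empty read means the client's FIN arrived (client -> server is closed).
            observed["eof_from_client"] = conn.recv(1024) == b""
            # The server has not closed its side, so server -> client still works.
            conn.sendall(b"still-open")
            # Hold the connection half-closed until the client has checked it.
            release.wait(5)
        # Leaving the with-block closes the socket and sends the server's FIN.

    worker = threading.Thread(target=server)
    worker.start()

    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    client.sendall(b"hello")
    client.shutdown(socket.SHUT_WR)      # client FIN: "I am done sending"
    observed["client_got_after_fin"] = client.recv(1024)
    release.set()                        # let the server close its half
    observed["eof_from_server"] = client.recv(1024) == b""
    client.close()

    worker.join()
    listener.close()
    return observed


if __name__ == "__main__":
    for key, value in half_close_demo().items():
        print(f"{key}: {value!r}")
```

Until the server closes its side, any stateful device on the path holds the flow as half-closed rather than closed, which is the state the `half-closed` value in `timeout conn 1:00:00 half-closed 0:10:00` applies to.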
 