Increase TCP timeouts on Cisco ASA – for example for traffic destined to your SQL server.

Have you ever had a run-in with applications that are terribly sensitive to losing their database connection, and needed to increase the idle timeout of the TCP connections to that server?

This configuration matches all traffic to one specific IP address and uses a service policy to give those connections a longer idle timeout than the global default. The global default applies to every connection through the firewall, so it is better to raise the value only for the traffic that needs it.

To check the current global defaults, look at the timeout line in the running configuration. The "conn" value is the idle timeout for established connections, one hour here:
show running-config | include timeout
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

First, create an access-list with the desired granularity. In this example I have chosen to match all traffic to a specific IP address regardless of protocol or port; in practice you may want to narrow it to the database port only, so that unrelated connections to the same host keep the default timeout.

access-list extended-connection-timeout remark ACL to match inbound traffic which requires increased TCP timeout
access-list extended-connection-timeout extended permit ip any host 10.10.10.10

Create a class-map whose match statement refers to the ACL.

class-map sqlserver-traffic
description Used to match ACL with relevant traffic
match access-list extended-connection-timeout

Next, create a policy-map (this is part of the ASA Modular Policy Framework, MPF) that references the class-map and sets the timeout value. On older ASA releases the keyword is "tcp", as shown below; on newer releases the same setting is "set connection timeout idle hh:mm:ss", and the "tcp" form is converted when entered.
You may also define separate timeouts for half-closed and embryonic (half-open) connections in the same class; those are worth leaving at their defaults unless the application needs them, since long embryonic timeouts make SYN-flood state exhaustion easier.

policy-map sqlserver-conns
class sqlserver-traffic
set connection timeout tcp 3:00:00

Next you need to put the policy-map into effect.
Only one policy-map can be applied globally (on most installations that is the default global_policy) and only one per interface, and the interface policy takes precedence for the features it configures. So unless you want to edit global_policy, apply the new policy-map to the interface the server sits behind. If that interface already has a service-policy, add the class to that existing policy-map instead of trying to apply a second one.
service-policy sqlserver-conns interface serverinterface

All done. Traffic traversing the serverinterface that matches the access-list for traffic to the 10.10.10.10 server will get an idle timeout of three hours; everything else keeps the global one-hour value. Verify that the policy is active and that connections are actually hitting the class with "show service-policy interface serverinterface", which lists the set connection timeout action and its packet counters.
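For reference, here is the whole procedure as one consolidated configuration, written as an added example rather than taken from the original post. It goes slightly beyond the text above: the ACL is narrowed to TCP port 1433 (assumed here to be the SQL Server listener; adjust to your environment), the embryonic and half-closed timeouts are set explicitly, and the verification commands are included at the end. The interface name "serverinterface" and the host address 10.10.10.10 are carried over from the example above and are placeholders.

```text
! Step 1: ACL - match only the database port, not every protocol to the host.
! 1433 is an assumption (SQL Server default); change it to the real listener port.
access-list extended-connection-timeout remark Traffic to the SQL server that needs a longer idle timeout
access-list extended-connection-timeout extended permit tcp any host 10.10.10.10 eq 1433

! Step 2: class-map that ties the ACL into the Modular Policy Framework.
class-map sqlserver-traffic
 description Match SQL server traffic selected by the ACL
 match access-list extended-connection-timeout

! Step 3: policy-map with the connection settings for that class.
! "timeout tcp" is the older keyword; newer releases use "timeout idle".
policy-map sqlserver-conns
 class sqlserver-traffic
  set connection timeout tcp 3:00:00
  ! keep half-open connections short - a long embryonic timeout makes SYN floods cheaper
  set connection timeout embryonic 0:00:30
  ! half-closed (one side sent FIN) connections do not need the long idle value
  set connection timeout half-closed 0:10:00

! Step 4: apply on the interface facing the server (one policy-map per interface;
! if serverinterface already has one, add the class to that policy-map instead).
service-policy sqlserver-conns interface serverinterface

! Step 5: verify. The first command shows the class, its actions and hit counters;
! the second shows the global defaults that still apply to unmatched traffic;
! the third lists live connections to the server so you can confirm they survive idle periods.
show service-policy interface serverinterface
show running-config timeout
show conn address 10.10.10.10
```

The ordering matters when you enter this interactively: the class-map must exist before the policy-map references it, and the policy-map must exist before the service-policy line is accepted.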
