Cisco ASA TCP connections never time out

cisco-asa

Our Cisco ASA 5515 will sometimes have thousands of connections with an idle time > the configured connection timeouts. In many cases the connections show as idle for 100+ hours. This eventually leads to NAT/PAT exhaustion and we need to close connections manually. "show conn detail" will display tons of connections like this:

TCP Outside: XXX.XXX.XXX.XXX/443 Inside: YYY.YYY.YYY.YYY/#####, flags xA , idle 46D18h, uptime 146D4h, timeout -, bytes 0

However if I do show running-config timeout, it seems like all the timeouts are unchanged from the ASA default values:

Result of the command: show running-config timeout

timeout xlate 3:00:00
timeout pat-xlate 0:01:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Why do my connections show a Timeout of -? I assume this is indicating that these connections will never time out. We only see this issue for TCP connections – UDP seems to time out and close properly.
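To audit this condition before PAT exhaustion bites, the script below (added here as an example, not code from the question or from Cisco) parses `show conn detail` lines in the format quoted above and lists TCP connections that either report `timeout -` or have sat idle longer than the configured `timeout conn`. The sample conn lines and addresses are constructed; only the line layout and the 1:00:00 conn timeout come from the post.

```python
import re

# Constructed sample output in the "show conn detail" format quoted in the question.
SAMPLE_CONNS = """\
TCP Outside: 203.0.113.10/443 Inside: 192.0.2.20/51234, flags xA , idle 46D18h, uptime 146D4h, timeout -, bytes 0
TCP Outside: 203.0.113.11/443 Inside: 192.0.2.21/51235, flags UIO , idle 0:12:30, uptime 1:05:11, timeout 1:00:00, bytes 5120
UDP Outside: 203.0.113.12/53 Inside: 192.0.2.22/40000, flags - , idle 0:00:10, uptime 0:00:10, timeout 0:02:00, bytes 200
"""
CONFIGURED_CONN_TIMEOUT = "1:00:00"  # the "timeout conn" value from the running-config

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+:\s*(?P<out>\S+)\s+\S+:\s*(?P<in>\S+),\s*flags\s+(?P<flags>.*?)\s*,"
    r"\s*idle\s+(?P<idle>\S+),\s*uptime\s+(?P<uptime>\S+),\s*timeout\s+(?P<timeout>\S+),\s*bytes\s+(?P<bytes>\d+)"
)

def parse_duration(text):
    """Seconds for ASA durations such as '1:00:00' or '46D18h'; None for '-' (no timeout)."""
    if text == "-":
        return None
    m = re.fullmatch(r"(?:(\d+)D)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if text and m:  # day/hour style, e.g. 46D18h
        d, h, mi, s = (int(x) if x else 0 for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    h, mi, s = (int(x) for x in text.split(":"))  # h:mm:ss style
    return h * 3600 + mi * 60 + s

def parse_conn(line):
    """Turn one conn line into a dict, or None if the line is not a conn entry."""
    m = CONN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["idle_s"] = parse_duration(rec["idle"])
    rec["timeout_s"] = parse_duration(rec["timeout"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_stale_tcp(conn_output, configured_conn_timeout):
    """TCP conns that carry 'timeout -' or have been idle longer than the configured conn timeout."""
    limit = parse_duration(configured_conn_timeout)
    stale = []
    for line in conn_output.splitlines():
        rec = parse_conn(line.strip())
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["timeout_s"] is None or rec["idle_s"] > limit:
            stale.append(rec)
    return stale

if __name__ == "__main__":
    for rec in find_stale_tcp(SAMPLE_CONNS, CONFIGURED_CONN_TIMEOUT):
        print(f"stale: {rec['in']} -> {rec['out']} idle={rec['idle']} timeout={rec['timeout']} flags={rec['flags']}")
```

Feed it the saved output of `show conn detail` to get the candidate list before clearing anything by hand.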

Best Answer

TCP is an actual two-way conversation between two hosts, and it has an inherent timeout. It has a specific sequence of events to create and end a conversation. The ASA knows about such things.

On the other hand, UDP is connectionless, and it requires a configured timeout so that the ASA can make a reasonable guess as to when a conversation is done.