question about timeout conn

'timeout conn' controls all active TCP sessions through a PIX, correct? Such as RDP, telnet, client-server communications, etc.


What are the repercussions of setting the timeout to a high value, around 5-9 hours? We are working with a highly distributed network of VPNs joining roughly 15 offices. I worry that setting the timeout to a high value might impact the PIX unit adversely.

Any input would be great. Thanks,

Reply to
Joseph R

Close, but not -exactly-, in that a few TCP protocols have individual timers -- RPC for example.

timeout conn only affects -idle- connections. Each active connection uses some memory. If your systems generate idle connections faster than they are cleaned up by 'timeout conn' then you would eventually run out of memory.

RDP and telnet and most client-server communications don't generate many connections. http can generate a lot of connections, but it is not common for http connections to sit idle (but it could happen.)

The only thing I've encountered so far that generated a noticeable number of idle connections is MS Exchange client talking to an Exchange 2000 server.

Reply to
Walter Roberson
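
The reply's point that idle connections hold memory until 'timeout conn' removes them can be checked against a capture of `show conn` output before raising the timer. The following Python is an added example, not part of the original thread: the sample lines are constructed, the line layout is assumed to match PIX `show conn` output, and the rate of 200 abandoned connections per hour is a hypothetical figure.

```python
import re
from datetime import timedelta

# Constructed sample; layout assumed to match PIX "show conn" output.
SAMPLE_SHOW_CONN = """\
6 in use, 14 most used
TCP out 203.0.113.10:80 in 10.1.1.15:1026 idle 0:00:04 Bytes 18234 flags UIO
TCP out 10.2.0.5:3389 in 10.1.1.20:1040 idle 0:12:30 Bytes 901234 flags UIO
TCP out 10.2.0.9:135 in 10.1.1.21:1101 idle 0:58:10 Bytes 5120 flags UIO
TCP out 10.2.0.9:1433 in 10.1.1.22:1102 idle 2:45:00 Bytes 2048 flags UIO
TCP out 10.2.0.9:1433 in 10.1.1.23:1107 idle 6:10:41 Bytes 2048 flags UIO
UDP out 203.0.113.53:53 in 10.1.1.15:1030 idle 0:00:01 flags d
"""

# Only TCP entries are matched, since 'timeout conn' is discussed here for TCP.
CONN_RE = re.compile(r"^TCP out (\S+) in (\S+) idle (\d+):(\d\d):(\d\d)\b", re.M)

def tcp_idle_times(show_conn_text):
    """Return (outside, inside, idle timedelta) for each TCP entry."""
    return [(o, i, timedelta(hours=int(h), minutes=int(m), seconds=int(s)))
            for o, i, h, m, s in CONN_RE.findall(show_conn_text)]

def entries_beyond(conns, timeout):
    """Entries already idle for at least `timeout`, i.e. ones a
    'timeout conn' of that value would no longer be holding."""
    return [c for c in conns if c[2] >= timeout]

def steady_state_idle(abandoned_per_hour, timeout):
    """Little's law estimate of idle entries held at once:
    arrival rate of abandoned connections x time each one is kept."""
    return abandoned_per_hour * timeout.total_seconds() / 3600

if __name__ == "__main__":
    conns = tcp_idle_times(SAMPLE_SHOW_CONN)
    for hours in (1, 5, 9):
        t = timedelta(hours=hours)
        stale = entries_beyond(conns, t)
        held = steady_state_idle(200, t)  # 200/hour is a hypothetical rate
        print(f"timeout conn {hours}:00:00 -> {len(stale)} sampled entries "
              f"idle that long; ~{held:.0f} idle entries held at 200/hour")
```

The estimate scales linearly with the timer, so the figure to measure on a real unit is how many connections per hour are left idle rather than closed.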

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.