Idle TCP session over Cisco PIX

Hello,

A TCP session with no keep-alive (in accordance with RFC 1122) is closed by a Cisco PIX firewall (routing mode, NAT). Increasing "timeout conn" seems problematic. How should the Cisco PIX be configured to allow a specific idle session?

Ilan

Reply to
Ilan

Thanks for your answers,

Is PIX6 to PIX7 a firmware upgrade?

May I understand from your answer that PIX7 would support an idle session?

( Sorry for the new thread, but I got the message: Unable to retrieve message d6c2p2$93b$ snipped-for-privacy@canopus.cc.umanitoba.ca )

Ilan

Reply to
Ilan

In article , Ilan wrote:
:A TCP session with no keep-alive (in accordance with RFC 1122)
:is closed by a Cisco PIX firewall (routing mode, NAT).
:Increasing "timeout conn" seems problematic.
:How should the Cisco PIX be configured to allow a specific idle session?

I already answered this question for you when you posted it yesterday in comp.protocols.tcp-ip in the thread "TCP connection with no keep-alive over Cisco PIX"

To summarize: in PIX 6.x, there is no way to change the timeout for a particular session.

If you are using PIX 7.0(1), then you should say so specifically, as there are quite a few differences and few people have had time to become familiar with them.

Also, as I indicated in my previous response, PIX questions are probably best directed to the newsgroup for the manufacturer, comp.dcom.sys.cisco .

[Note: in this -particular- case there wouldn't be much benefit to reposting the same question to c.d.s.c, as I would just end up being the one answering it again. Unless, that is, you are indeed using 7.0(1), which I haven't had time to research the limits of as yet.]

Reply to
Walter Roberson

In article , Ilan wrote:
:Is PIX6 to PIX7 a firmware upgrade?

No, it's a software update. PIX 7.0(1) is available for the PIX 515/515E, 525, and 535 only.

:May I understand from your answer that PIX7 would support an idle session?

No, you should understand from my answer that PIX 7.0(1) is new (April 2, 2005), that there are a large number of changes in it, that I have not had a chance to test it myself, and I have not had a chance to study the documentation in detail. Under the circumstances, it would be wrong for me to rule out the possibility that PIX 7.0(1) allows per-session or per-ACL idle times.

I do not -remember- seeing anything like that in the release notes, but I was not looking for it and I might have overlooked it -- and the release notes sometimes overlook new capabilities that are described in the Command Reference. There might be some new capability introduced. I don't think it is -likely- but to say Yes or No with certainty would require someone more familiar with the PIX 7.0(1) documentation.

As I indicated in an earlier answer, if you do not want idle TCP sessions to time out, you can set the idle timeout to 0:00:00, but that will affect *all* sessions. It would effectively crash our PIX within a few days if we did it at our site, as we use a program that I have no realistic hope of banning but which never cleans up after itself.

Reply to
Walter Roberson
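For readers who want to see what the global setting discussed in this thread looks like, here is an added configuration example; it is not from any post above, and it assumes PIX 6.3 command syntax. The one-hour value is the PIX 6.x default as far as I know, and the lines beginning with ":" are comments in the style of a saved PIX configuration.

```cisco
: Added example, not from the thread. Assumes PIX 6.3 syntax.
: Default global idle timeout: TCP connections with no traffic for one
: hour are removed from the connection table, which is what closes the
: idle session in the original question.
timeout conn 1:00:00

: The workaround described in the reply above: disable the idle timeout.
: This is global (PIX 6.x has no per-session or per-ACL timeout), so every
: idle TCP connection is kept, and the connection table can grow without
: bound if clients never close their sessions cleanly.
timeout conn 0:00:00

: Checks worth running before and after the change, so growth of the
: connection table is visible rather than discovered when the box runs out
: of resources.
show timeout
show conn count
```

Watching "show conn count" over a few days after setting the timeout to 0:00:00 is the practical way to tell whether the risk Walter describes (the table filling up with abandoned sessions) applies to your site.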

I understand you have already encountered the closed idle session problem. How did you eventually solve it?

Could you have a contact point to a PIX7 expert?

Thanks !

Reply to
Ilan
