

This would be done using the Modular Policy Framework (if I remember the name correctly). I think you should be able to configure this longer UDP timeout of 90 min to apply only to certain UDP connections if you specify the source/destination IP addresses/networks and ports used, and only apply this special timeout to those connections while leaving the rest to the global 2 min timeout. I would imagine that, also depending on the NAT configuration, you might be left with a lot of active translations in the xlate table. If the limit was reached, no new connections could be made even if the UDP connections were just idle and not in use.

Mainly thinking about the maximum limit of connections on the ASA, depending on the model. I would also imagine that it would take a lot of connections to eventually reach the point where this might hurt your firewall performance. I would imagine that with random UDP connections, setting the timeout to 90 min instead of the global default of 2 min might mean that there would be several UDP connections hanging on the firewall, useless. When talking about UDP connections, I guess most of the common UDP connections like DNS queries and replies will get removed from the firewall as soon as the firewall has seen the reply for the DNS query. Actually, I just ran into such a problem in the last couple of weeks. I haven't had to modify timeouts that often on an ASA, but when I have had to change them it's usually been applications' TCP connections that for one reason or another don't have any built-in keepalive.
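As an added example, not taken from the post, this is the MPF configuration the answer describes: a per-flow idle timeout of 90 minutes for one UDP application, with the global UDP timeout left at 2 minutes. The client/server addresses, the port, the interface name and the use of `set connection timeout idle` (which needs an ASA release that supports that form) are assumptions.

```cisco
! Global idle timeouts stay at the defaults (UDP 2 min); only the
! flows matched below get the longer timeout.
timeout udp 0:02:00

! Assumed addresses/port: internal client 10.1.1.10 talking to an
! external application server 203.0.113.20 on UDP/5000.
access-list LONG_UDP extended permit udp host 10.1.1.10 host 203.0.113.20 eq 5000

! MPF class that matches only that traffic
class-map LONG_UDP_CLASS
 match access-list LONG_UDP

! Policy that raises the idle timeout for the class to 90 minutes
policy-map LONG_UDP_POLICY
 class LONG_UDP_CLASS
  set connection timeout idle 1:30:00

! Apply on the interface the client sits behind (assumed name "inside").
! Only one service policy can be attached per interface, so if one is
! already applied there, add the class to that policy-map instead.
service-policy LONG_UDP_POLICY interface inside
```

`show conn` shows the remaining idle timeout of each connection, so the matched flows should report values up to 1:30:00 while other UDP flows stay at 0:02:00; `show conn count` and `show xlate count` are the counters to watch against the per-model limits the post raises.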
