Timeouts

You can set the global idle timeout durations for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool.

You can also set a time out for console sessions with the device.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Timeouts.

Step 3

Configure the timeouts you want to change.

For any given setting, select Custom to define your own value, Default to return to the system default value. In most cases, the maximum timeout is 1193 hours.

You can disable some timeouts by selecting Disable.

  • Console Timeout—The idle time until a connection to the console is closed, range is 0 or 5 to 1440 minutes. The default is 0, which means the session does not time out. If you change the value, existing console sessions use the old timeout value. The new value applies to new connections only.

  • Translation Slot (xlate)The idle time until a NAT translation slot is freed. This duration must be at least 1 minute. The default is 3 hours.

  • Connection (Conn)The idle time until a connection slot is freed. This duration must be at least 5 minutes. The default is 1 hour.

  • Half-ClosedThe idle time until a TCP half-closed connection closes. A connection is considered half-closed if both the FIN and FIN-ACK have been seen. If only the FIN has been seen, the regular connection timeout applies. The minimum is 30 seconds. The default is 10 minutes.

  • UDPThe idle time until a UDP connection closes. This duration must be at least 1 minute. The default is 2 minutes.

  • ICMPThe idle time after which general ICMP states are closed. The default (and minimum) is 2 seconds.

  • RPC/Sun RPCThe idle time until a SunRPC slot is freed. This duration must be at least 1 minute. The default is 10 minutes.

    In a Sun RPC-based connection, when the parent connection is deleted or timed-out, a new child connection may not be considered as a part of the parent-child connection, and thereby the new connection could be evaluated as per the policy or rules set in the system. After the parent connection has timed-out the existing child connections are valid only until the timeout value set is reached.

  • H.225The idle time until an H.225 signaling connection closes. The default is 1 hour. To close a connection immediately after all calls are cleared, a timeout of 1 second (0:0:1) is recommended.

  • H.323The idle time after which H.245 (TCP) and H.323 (UDP) media connections close. The default (and minimum) is 5 minutes. Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.

  • SIPThe idle time until a SIP signaling port connection closes. This duration must be at least 5 minutes. The default is 30 minutes.

  • SIP MediaThe idle time until a SIP media port connection closes. This duration must be at least 1 minute. The default is 2 minutes. The SIP media timer is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.

  • SIP DisconnectThe idle time after which SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message, between 0:0:1 and 0:10:0. The default is 2 minutes (0:2:0).

  • SIP InviteThe idle time after which pinholes for PROVISIONAL responses and media xlates will be closed, between 0:1:0 and 00:30:0. The default is 3 minutes (0:3:0).

  • SIP Provisional MediaThe timeout value for SIP provisional media connections, between 1 and 30 minutes. The default is 2 minutes.

  • Floating ConnectionWhen multiple routes exist to a network with different metrics, the system uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To make it possible to use better routes, set the timeout to a value between 0:0:30 and 1193:0:0. This timer does not apply to connections through virtual tunnel interfaces (VTI). If a connection through a VTI gets stuck, you must manually clear it.

  • Xlate PATThe idle time until a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want to increase the timeout if upstream routers reject new connections using a freed PAT port because the previous connection might still be open on the upstream device.

  • TCP Proxy ReassemblyThe idle timeout after which buffered packets waiting for reassembly are dropped, between 0:0:10 and 1193:0:0. The default is 1 minute (0:1:0).

  • ARP Timeout—The number of seconds between ARP table rebuilds, from 60 to 4294967. The default is 14,400 seconds (4 hours).

Step 4

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.