Cisco 7604 Configuration Manual page 403

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 21
Configuring Advanced Connection Features
You can enter this command all on one line (in any order), or you can enter each attribute as a separate
command. The FWSM combines the command into one line in the running configuration.
Step 4
To set the timeout for TCP embryonic connections (half-opened) or TCP half-closed connections, enter
the following command:
hostname(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [half-closed hh:mm:ss]}
where the embryonic hh:mm:ss keyword sets the timeout period until a TCP embryonic (half-open)
connection is closed, between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set this value to 0,
which means the connection never times out.
The half-closed hh:mm:ss keyword sets the idle timeout between 0:0:1 and 0:4:15. The default is 0:0:20.
You can also set this value to 0, which means the connection never times out. The FWSM does not send
a reset when taking down half-closed connections.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate
command. The command is combined onto one line in the running configuration.
Note
This command does not affect secondary connections created by an inspection engine. For
example, you cannot change the connection settings for secondary flows like SQL*Net, FTP
data flows, and so on using the set connection timeout command. For these connections, use
the global timeout conn command to change the idle time. Note that the timeout conn command
affects all traffic flows unless you otherwise use the set connection timeout command for
eligible traffic.
Step 5
To set the timeout for idle connections for all protocols, enter the following command:
hostname(config-pmap-c)# set connection timeout idle hh:mm:0
where the idle hh:mm:0 argument defines the idle time after which an established connection of any
protocol closes, between 0:5:0 and 1092:15:0. The default is 0:60:0. You can also set the value to 0,
which means the connection never times out.
Note
This command ignores the value you set for seconds; you can only specify the hours and
minutes. Therefore, you should set the seconds to be 0.
The idle keyword has replaced the tcp keyword in the set connection timeout command, but if
your configuration includes the tcp command (for TCP connections only), it is still accepted. If
your policy includes both the idle and tcp commands, then the tcp command takes precedence
for TCP traffic only if the class map matches an access list that specifies TCP traffic explicitly.
See the set connection timeout command in the Catalyst 6500 Series Switch and Cisco 7600
Series Router Firewall Services Module Command Reference for more information.
This command does not affect secondary connections created by an inspection engine. For
example, you cannot change the connection settings for secondary flows like SQL*Net, FTP
data flows, and so on using the set connection timeout command. For these connections, use
the global timeout conn command to change the idle time. Note that the timeout conn command
affects all traffic flows unless you otherwise use the set connection timeout command for
eligible traffic.
Step 6
To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
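The ranges and notes in Steps 4 and 5 can be checked mechanically before a policy map is activated. The following Python script is an added example, not part of the Cisco guide: it audits set connection timeout lines against the documented ranges, and the sample configuration with its policy and class names is constructed for illustration.

```python
import re

# Documented ranges from Steps 4 and 5, in seconds: keyword -> (min, max).
LIMITS = {
    "embryonic": (1, 4 * 60 + 15),             # 0:0:1 .. 0:4:15
    "half-closed": (1, 4 * 60 + 15),           # 0:0:1 .. 0:4:15
    "idle": (5 * 60, 1092 * 3600 + 15 * 60),   # 0:5:0 .. 1092:15:0
}
# A timeout keyword followed by hh:mm:ss, or by a bare 0.
TOKEN = re.compile(r"\b(embryonic|half-closed|idle)\s+(\d+:\d+:\d+|0)(?!\S)")

# Constructed sample; the policy and class names are hypothetical.
SAMPLE = """\
policy-map conns
 class web
  set connection timeout embryonic 0:0:30 half-closed 0:0:0
  set connection timeout idle 2:0:30
 class db
  set connection timeout embryonic 0:10:0 idle 0
"""

def to_seconds(value):
    """Convert 'hh:mm:ss' (or a bare '0') to seconds."""
    parts = [int(p) for p in value.split(":")]
    return parts[0] if len(parts) == 1 else parts[0] * 3600 + parts[1] * 60 + parts[2]

def audit(config):
    """Return (line_no, keyword, value, finding) for each questionable timeout."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        if "set connection timeout" not in line:
            continue
        for kw, val in TOKEN.findall(line):
            secs = to_seconds(val)
            lo, hi = LIMITS[kw]
            if secs == 0:
                finding = "never times out"           # 0 disables the timeout
            elif not lo <= secs <= hi:
                finding = "outside documented range"
            elif kw == "idle" and int(val.rsplit(":", 1)[1]) != 0:
                finding = "seconds field is ignored"  # per the Step 5 note
            else:
                continue
            findings.append((no, kw, val, finding))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```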
Configuring Connection Limits and Timeouts
21-3
