Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Cisco ASA Firewall

I really love the ASA firewall. Cisco did the right thing in moving the Pix to a more modular and L7-aware firewall. I am using a couple of 5520’s for the corporate office and VPN Clients, a 5510 for SSL-VPN (which is waaay cool), and various 5505’s at offices worldwide for site-to-site VPN access.

However, there is still one aspect of the firewall I don’t like, and I haven’t liked it since the Pix days. That’s the idle-timeout limit for remote-access vpn connections.

I’m assuming the timeout is driven by how much data (i.e. bandwidth) is seen over the tunnel: if no data has been seen for a certain time period, the tunnel is shut down. Ever since the Pix days, Cisco has not given us the ability to modify that threshold (i.e. how much data is still considered nominal).

Why do I want to change that threshold? Well, I have lots of users that run “chatty” applications while on the VPN. Email is one of them… every 5 minutes, it polls the mail server and downloads new messages. According to the firewall, that’s active data, and resets the idle timeout counter.

Wouldn’t it be nice if we could say something like “less than 2 kbps, consider it idle”?
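As an added illustration of the argument above (my own simulation, not Cisco code, and not how the ASA actually implements its timer), here is a small comparison of the two idle policies over a constructed traffic trace: a mail client polling every 5 minutes keeps a packet-based idle timer alive indefinitely, while a “below 2 kbps is idle” rule tears the tunnel down after the configured idle time. The 30-minute idle timeout, 10 KB poll size and 5-minute measurement window are assumptions.

```python
# Constructed traces (not captured from a real ASA): list of (time_s, bytes).
def mail_poll_trace(duration_s, interval_s=300, poll_bytes=10_000):
    """Mail client polling the server every interval_s seconds."""
    return [(t, poll_bytes) for t in range(0, duration_s, interval_s)]

def packet_based_teardown(events, idle_timeout_s):
    """Behaviour as described in the post: any packet resets the idle counter.
    Returns the time (s) at which the tunnel is torn down."""
    last_seen = 0
    for t, _ in sorted(events):
        if t - last_seen > idle_timeout_s:
            return last_seen + idle_timeout_s
        last_seen = t
    return last_seen + idle_timeout_s  # torn down only once polling stops

def rate_based_teardown(events, idle_timeout_s, threshold_bps, window_s):
    """Wished-for behaviour: a window whose average throughput is below
    threshold_bps counts as idle; enough consecutive idle windows tear the
    tunnel down. Returns the teardown time, or None if still up at the end."""
    events = sorted(events)
    horizon = events[-1][0] + window_s
    idle_accum = 0
    for start in range(0, horizon, window_s):
        win_bytes = sum(b for t, b in events if start <= t < start + window_s)
        if win_bytes * 8 / window_s < threshold_bps:
            idle_accum += window_s
            if idle_accum >= idle_timeout_s:
                return start + window_s
        else:
            idle_accum = 0  # real activity resets the idle accumulation
    return None

if __name__ == "__main__":
    IDLE_TIMEOUT_S = 30 * 60      # assumed 30-minute idle timeout
    THRESHOLD_BPS = 2_000         # the "less than 2 kbps" idea from the post
    WINDOW_S = 300                # assumed measurement window
    polling = mail_poll_trace(4 * 3600)            # 4 hours of mail polling
    print("packet-based:", packet_based_teardown(polling, IDLE_TIMEOUT_S))
    print("rate-based:  ", rate_based_teardown(polling, IDLE_TIMEOUT_S,
                                               THRESHOLD_BPS, WINDOW_S))
    # Same polling plus one real 2 MB download at t=600 keeps the rate-based
    # timer alive for a while, then it tears down once only polls remain.
    busy = polling + [(600, 2_000_000)]
    print("rate-based (with download):",
          rate_based_teardown(busy, IDLE_TIMEOUT_S, THRESHOLD_BPS, WINDOW_S))
```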
