Configuring Default Timeout Settings for Services Interfaces
You can specify global default settings for certain timers that apply to the entire interface. There are two statements of this type:
- inactivity-timeout—Sets the inactivity timeout period for established flows, after which they are no longer valid.
- open-timeout—Sets the timeout period for Transmission Control Protocol (TCP) session establishment, for use with SYN-cookie defenses against network intrusion.
To configure a setting for the inactivity timeout period, include the inactivity-timeout statement at the [edit interfaces interface-name services-options] hierarchy level:
The default value is 30 seconds. The range of possible values is from 4 through 86,400 seconds. Any value you configure in the application protocol definition overrides the value specified here; for more information, see Configuring Application Protocol Properties.
To configure a setting for the TCP session establishment timeout period, include the open-timeout statement at the [edit interfaces interface-name services-options] hierarchy level:
The default value is 30 seconds. The range of possible values is from 4 through 224 seconds. Any value you configure in the intrusion detection service (IDS) definition overrides the value specified here; for more information, see Intrusion Detection Properties.
Use of Keep-Alive Messages for Greater Control of TCP Inactivity Timeouts
Keep-alive messages are generated automatically to prevent TCP inactivity timeouts. The default number of keep-alive messages is 4. However, you can configure the number of keep-alive messages by entering the tcp-tickles statement at the [edit interfaces interface-name services-options] hierarchy level.
When a timeout is generated for a bidirectional TCP flow, keep-alive packets are sent to reset the timer. If the number of consecutive keep-alive packets sent in a flow reaches the default or configured limit, the conversation is deleted. There are several possible scenarios, depending on the setting of the inactivity-timeout statement and the default or configured maximum number of keep-alive messages.
- If the configured value of keep-alive messages is zero and inactivity-timeout is not configured (in which case the default timeout value of 30 seconds is used), no keep-alive packets are sent. The conversation is deleted when any flow in the conversation is idle for more than 30 seconds.
- If the configured value of keep-alive messages is zero and the inactivity-timeout is configured, no keep-alive packets are sent, and the conversation is deleted when any flow in the conversation is idle for more than the configured timeout value.
- If the default or configured maximum number of keep-alive messages is a positive integer, and any of the flows in a conversation is idle for more than the default or configured value for inactivity-timeout, keep-alive packets are sent. If hosts do not respond to the configured number of consecutive keep-alive packets, the conversation is deleted. The interval between keep-alive packets is 1 second. However, if the host sends back an ACK packet, the corresponding flow becomes active, and keep-alive packets are not sent until the flow becomes idle again.
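The three scenarios above can be worked through as a small timeline model, which helps when estimating how long an unresponsive peer keeps flow state alive. This is an added example, not Juniper code: the function name is hypothetical, and the exact timing (first keep-alive sent when the idle timer expires, deletion one interval after the last unanswered keep-alive) is an assumption.

```python
# Added model of the keep-alive scenarios; names and exact timing are assumptions.
DEFAULT_INACTIVITY = 30      # seconds (page default)
DEFAULT_TICKLES = 4          # keep-alive messages (page default)
KEEPALIVE_INTERVAL = 1       # seconds between keep-alives (from the page)
INACTIVITY_RANGE = (4, 86_400)


def simulate_conversation(host_packets, inactivity_timeout=DEFAULT_INACTIVITY,
                          tcp_tickles=DEFAULT_TICKLES):
    """Return (deleted_at, keepalive_times) for a flow established at t=0.

    host_packets: times in seconds at which the host sends data or an ACK.
    Assumed timing: first keep-alive when the idle timer expires, a reply
    counts if it arrives before the next keep-alive is due, and deletion
    happens one interval after the last unanswered keep-alive.
    """
    lo, hi = INACTIVITY_RANGE
    if not lo <= inactivity_timeout <= hi:
        raise ValueError(f"inactivity-timeout must be {lo}..{hi} seconds")
    if tcp_tickles < 0:
        raise ValueError("tcp-tickles cannot be negative")

    pending = sorted(host_packets)
    i, last_active, keepalives = 0, 0, []
    while True:
        idle_at = last_active + inactivity_timeout
        if i < len(pending) and pending[i] <= idle_at:
            last_active = pending[i]      # traffic before expiry resets the timer
            i += 1
            continue
        if tcp_tickles == 0:
            return idle_at, keepalives    # scenarios 1 and 2: no probing at all
        answered = False
        for n in range(tcp_tickles):      # scenario 3: probe once per second
            sent = idle_at + n * KEEPALIVE_INTERVAL
            keepalives.append(sent)
            if i < len(pending) and pending[i] <= sent + KEEPALIVE_INTERVAL:
                last_active = pending[i]  # host ACKed: flow is active again
                i += 1
                answered = True
                break
        if not answered:
            return idle_at + tcp_tickles * KEEPALIVE_INTERVAL, keepalives


if __name__ == "__main__":
    # Constructed timelines, not captured traffic.
    print(simulate_conversation([]))                  # silent host, defaults
    print(simulate_conversation([], tcp_tickles=0))   # keep-alives disabled
    print(simulate_conversation([32]))                # host ACKs the 2nd probe
```

Under these assumptions a silent host holds state for the inactivity timeout plus one second per configured keep-alive, while a host that answers any keep-alive restarts the full idle period.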