16-3
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 16      Connection Settings
  Configure Connection Settings
Configure Global Timeouts
You can set the global idle timeout durations for the connection and translation slots of various protocols. 
If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP 
connection slots are freed approximately 60 seconds after a normal connection close sequence. 
Changing the global timeout sets a new default timeout, which in some cases can be overridden for 
particular traffic flows through service policies. 
Procedure
Step 1 Use the timeout command to set global timeouts.
hostname(config)# timeout feature time 
All timeout values are in the format hh:mm:ss, with a maximum duration of 1193:0:0. Use the no 
timeout command to reset all timeouts to their default values. If you want to simply reset one timer to 
the default, enter the timeout command for that setting with the default value.
Use 0 for the value to disable a timer.
You can configure the following global timeouts.
• timeout conn hh:mm:ss—The idle time after which a connection closes, between 0:5:0 and 
1193:0:0. The default is 1 hour (1:0:0).
• timeout half-closed hh:mm:ss—The idle time until a TCP half-closed connection closes. The 
minimum is 5 minutes. The default is 10 minutes.
• timeout udp hh:mm:ss—The idle time until a UDP connection closes. This duration must be at least 
1 minute. The default is 2 minutes.
• timeout icmp hh:mm:ss—The idle time for ICMP, between 0:0:2 and 1193:0:0. The default is 2 
seconds (0:0:2).
• timeout sunrpc hh:mm:ss—The idle time until a SunRPC slot is freed. This duration must be at least 
1 minute. The default is 10 minutes.
• timeout H323 hh:mm:ss—The idle time after which H.245 (TCP) and H.323 (UDP) media 
connections close, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). Because the same 
connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection 
shares the idle timeout with the H.323 (RTP and RTCP) media connection. 
• timeout h225 hh:mm:ss—The idle time until an H.225 signaling connection closes. The H.225 
default timeout is 1 hour (1:0:0). To close a connection immediately after all calls are cleared, a 
value of 1 second (0:0:1) is recommended. 
• timeout mgcp hh:mm:ss—The idle time after which an MGCP media connection is removed, 
between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0)
• timeout mgcp-pat hh:mm:ss—The absolute interval after which an MGCP PAT translation is 
removed, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). The minimum time is 30 
seconds.
• timeout sip hh:mm:ss—The idle time until a SIP signaling port connection closes, between 0:5:0 
and 1193:0:0. The default is 30 minutes (0:30:0).
• timeout sip_media hh:mm:ss—The idle time until an SIP media port connection closes. This 
duration must be at least 1 minute. The default is 2 minutes. The SIP media timer is used used for 
SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.