Setting The Session Aging Time For Different Application Layer Protocols - HP VSR1000 Security Configuration Manual

Step
2. Set the session aging time for
different protocol states
Setting the session aging time for different
application layer protocols
IMPORTANT:
For more than 800000 sessions, do not set short aging time. Otherwise, the device might be slow in
response.
The aging time for session of different application layer protocols are valid for TCP sessions in
ESTABLISHED state or UDP sessions in READY state. If a session has no packet hit before the aging time
expires, the device automatically removes the session. For sessions used by other application layer
protocols, the aging time for sessions in different protocol states applies.
Set an appropriate aging time to guarantee protocol packet exchange. For example, if the aging time for
FTP session is shorter than the interval for sending FTP keepalive messages, an FTP session cannot be
maintained.
To set the session aging time for different application layer protocols:
Command
session aging-time state { fin |
icmp-reply | icmp-request |
rawip-open | rawip-ready | syn |
tcp-est | udp-open | udp-ready |
udplite-open | udplite-ready |
dccp-request | dccp-est |
dccp-closereq | sctp-init | sctp-est
| sctp-shutdown | icmpv6-request
| icmpv6-reply } time-value
303
Remarks
•
The default aging time for
sessions in different protocol
states is as follows:
•
FIN_WAIT: 30 seconds.
•
ICMP-REPLY: 30 seconds.
•
ICMP-REQUEST: 60 seconds.
•
RAWIP-OPEN: 30 seconds.
•
RAWIP-READY: 60 seconds.
•
TCP SYN-SENT and SYN-RCV:
30 seconds.
•
TCP ESTABLISHED: 3600
seconds.
•
UDP-OPEN: 30 seconds.
•
UDP-READY: 60 seconds.
•
UDPLITE-OPEN: 30 seconds.
•
UDPLITE-READY: 60 seconds.
•
DCCP-REQUEST: 30 seconds.
•
DCCP-EST: 3600 seconds.
•
DCCP-CLOSEREQ: 30
seconds.
•
SCTP-INIT: 30 seconds.
•
SCTP-EST: 3600 seconds.
•
SCTP-SHUTDOWN: 30
seconds.
•
ICMPV6-REQUEST: 60
seconds.
•
ICMPV6-REPLY: 30 seconds.