Timeouts for TCP, UDP, and DNS

There are a number of timeouts in CBAC configuration. Because TCP is connection-oriented, it has its own mechanism for tearing down a connection when the job is finished, so leaving the TCP connection timeout values at their defaults (shown in Table 5-3) is recommended unless certain applications require otherwise.

UDP, however, is connectionless: there is no mechanism for letting the other party, or the CBAC router, know when the job is finished, so UDP connections rely heavily on the CBAC timeout values. Choosing an appropriate timeout value for UDP connections is very difficult. Generic UDP inspection simply creates a channel when it sees the first request packet from the client and keeps that channel open until no traffic has been seen between the client and the server for a preset time. If you set the timeout too short, you may kill certain types of connections prematurely. For example, a Network File System (NFS) share may remain mounted across CBAC for a long time with no activity. Because NFS is UDP based, the connection may time out prematurely due to the UDP session timeout on CBAC, and when NFS activity resumes, CBAC has to rebuild the session. Running NFS across CBAC, or across any firewall, is strongly discouraged. If, on the other hand, you set the UDP idle timeout too high, you may accumulate a large number of UDP sessions for nothing. The problem is even more serious when your DNS server is at the ISP and every DNS query from your clients has to cross the firewall to reach it. Luckily, the IOS Firewall has an option for setting a separate DNS timeout, which is much shorter than the generic UDP timeout.
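To make the ageing behaviour concrete, here is an added Python model of the session table described above. It is example code written for this page, not Cisco IOS code, and the timeout values in it are assumptions for the simulation rather than the Table 5-3 defaults. It models the generic UDP channel that opens on the first client packet, a separate and shorter DNS timer, and what a long idle gap does to an NFS-style flow; the addresses, ports and packet traces are constructed.

```python
from dataclasses import dataclass

# Assumed idle timeouts in seconds for the simulation only; the real IOS
# defaults live in the chapter's Table 5-3 and are not reproduced here.
TIMEOUTS_SHORT = {"tcp": 3600, "udp": 30, "dns": 5}
TIMEOUTS_LONG_UDP = {"tcp": 3600, "udp": 600, "dns": 600}


@dataclass
class Session:
    key: tuple          # (proto, client_ip, client_port, server_ip, server_port)
    opened: float
    last_seen: float
    idle_timeout: float


class Inspector:
    """Minimal model of CBAC generic inspection: a channel opens on the first
    client packet and is torn down once no traffic has been seen for
    idle_timeout seconds. Return traffic without a channel is dropped."""

    def __init__(self, timeouts):
        self.timeouts = timeouts
        self.table = {}
        self.events = []   # (time, event, key) for inspection afterwards

    def _timeout_for(self, proto, server_port):
        if proto == "udp" and server_port == 53:
            return self.timeouts["dns"]   # DNS gets its own, shorter timer
        return self.timeouts[proto]

    def expire(self, now):
        """Age out idle channels; returns how many were removed."""
        stale = [k for k, s in self.table.items()
                 if now - s.last_seen > s.idle_timeout]
        for k in stale:
            del self.table[k]
            self.events.append((now, "expire", k))
        return len(stale)

    def packet(self, now, proto, src, sport, dst, dport, from_client):
        """Process one packet; returns True if the firewall lets it through."""
        self.expire(now)
        key = ((proto, src, sport, dst, dport) if from_client
               else (proto, dst, dport, src, sport))
        sess = self.table.get(key)
        if sess is None:
            if not from_client:
                # Server-side packet with no open channel: dropped.
                self.events.append((now, "drop", key))
                return False
            sess = Session(key, now, now, self._timeout_for(proto, dport))
            self.table[key] = sess
            self.events.append((now, "open", key))
        sess.last_seen = now    # any traffic refreshes the idle timer
        return True

    def open_sessions(self, now):
        """Number of channels still held in the table at time `now`."""
        self.expire(now)
        return len(self.table)


# Constructed traffic: (time, proto, src, sport, dst, dport, from_client).
# An NFS-style flow with a long idle gap before the server speaks again.
NFS_TRACE = [
    (0.0,   "udp", "10.0.0.5", 1023, "192.0.2.10", 2049, True),
    (1.0,   "udp", "192.0.2.10", 2049, "10.0.0.5", 1023, False),
    (200.0, "udp", "192.0.2.10", 2049, "10.0.0.5", 1023, False),
    (201.0, "udp", "10.0.0.5", 1023, "192.0.2.10", 2049, True),
]

# A single DNS query to a resolver on the far side of the firewall.
DNS_TRACE = [
    (0.0, "udp", "10.0.0.5", 40000, "203.0.113.53", 53, True),
    (0.2, "udp", "203.0.113.53", 53, "10.0.0.5", 40000, False),
]


def run(trace, timeouts):
    """Replay a trace through a fresh inspector; returns (inspector, verdicts)."""
    insp = Inspector(timeouts)
    verdicts = [insp.packet(*pkt) for pkt in trace]
    return insp, verdicts


if __name__ == "__main__":
    for name, t in (("short", TIMEOUTS_SHORT), ("long", TIMEOUTS_LONG_UDP)):
        insp, verdicts = run(NFS_TRACE, t)
        print(name, "NFS verdicts:", verdicts, [e[1] for e in insp.events])
        insp, verdicts = run(DNS_TRACE, t)
        print(name, "DNS entries still open at t=10s:", insp.open_sessions(10.0))
```

With the short UDP timer the NFS server's packet at t=200 is dropped and the client has to reopen the channel, which is the premature teardown the text warns about; with the long UDP timer the flow survives, but the DNS entry then also lingers in the table long after the answer arrived, which is why a separate, shorter DNS timer is worth having. On a real router these knobs are the `ip inspect tcp idle-time`, `ip inspect udp idle-time` and `ip inspect dns-timeout` global commands.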