Configuring TCP Idle Timeout Action
To configure the TCP Idle timeout action, use the following configuration:
configure
   active-charging service service_name
      fw-and-nat policy policy_name
         firewall tcp-idle-timeout-action { drop | reset }
         end
NOTES:
- firewall tcp-idle-timeout-action { drop | reset }: Specify the Stateful Firewall action to be taken on TCP idle timer expiry.
  - drop: The subscriber flow is cleared or dropped without sending a reset on TCP timeout expiry.
  - reset: A reset is sent on TCP timeout expiry. This is the default value.
- The firewall tcp-idle-timeout-action reset CLI command is applicable only to firewall.
- UPF does not support flow mapping.
In addition to the preceding service configuration, the following listing shows the default behavior of the Firewall-related CLI commands within the service.
Dos-Protection:
  Source-Route : Disabled
  Win-Nuke : Disabled
  Mime-Flood : Disabled
  FTP-Bounce : Disabled
  IP-Unaligned-Timestamp : Disabled
  Seq-Number-Prediction : Disabled
  TCP-Window-Containment : Disabled
  Teardrop : Disabled
  UDP Flooding : Disabled
  ICMP Flooding : Disabled
  SYN Flooding : Disabled
  Port Scan : Disabled
  IPv6 Extension Headers Limit : Disabled
  IPv6 Hop By Hop Options : Disabled
  Hop By Hop Router Alert Option : Disabled
  Hop By Hop Jumbo Payload Option : Disabled
  Invalid Hop By Hop Options : Disabled
  Unknown Hop By Hop Options : Disabled
  IPv6 Destination Options : Disabled
  Invalid Destination Options : Disabled
  Unknown Destination Options : Disabled
  IPv6 Nested Fragmentation : Disabled
Max-Packet-Size:
  ICMP : 65535
  Non-ICMP : 65535
Flooding:
  ICMP limit : 1000
  UDP limit : 1000
  TCP-SYN limit : 1000
  Sampling Interval : 1
TCP-SYN Flood Intercept:
  Mode : None
  Max-Attempts : 5
  Retrans-timeout : 60
  Watch-timeout : 30
Mime-Flood Params:
  HTTP Header-Limit : 16
  HTTP Max-Header-Field-Size : 4096
No Firewall Ruledef Match Action:
  Uplink Action : permit
  Downlink Action : deny
TCP RST Message Threshold : Disabled
ICMP Dest-Unreachable Threshold : Disabled
Action upon receiving TCP SYN packet with ECN/CWR Flag set : Permit
Action upon receiving a malformed packet : Deny
Action upon IP Reassembly Failure : Deny
Action upon receiving an IP packet with invalid Options : Permit
Action upon receiving a TCP packet with invalid Options : Permit
Action upon receiving an ICMP packet with invalid Checksum: Deny
Action upon receiving a TCP packet with invalid Checksum: Deny
Action upon receiving an UDP packet with invalid Checksum: Deny
Action upon receiving an ICMP echo packet with id zero : Permit
TCP Stateful Checks : Enabled
First Packet Non-SYN Action: Drop
ICMP Stateful Checks: Enabled
TCP Partial Connection Timeout: 30
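
The defaults listed above leave every DoS protection disabled and permit several classes of irregular packets, so a saved copy of this listing is worth checking mechanically when reviewing a policy. The following Python is an added example, not Cisco tooling or part of the original page: it parses the listing and reports settings whose value means a check is not enforced. The names parse_policy and audit are hypothetical, SAMPLE is a constructed excerpt of the listing, and section members are assumed to be indented under their header.

```python
# Added example, not vendor code. SAMPLE is a constructed excerpt of the listing;
# two-space indentation of section members is an assumption about the saved text.
SAMPLE = """\
Dos-Protection:
  Source-Route : Disabled
  SYN Flooding : Disabled
  Port Scan : Disabled
TCP-SYN Flood Intercept:
  Mode : None
No Firewall Ruledef Match Action:
  Uplink Action : permit
  Downlink Action : deny
Action upon receiving a malformed packet : Deny
Action upon receiving a TCP packet with invalid Options : Permit
Action upon receiving a TCP packet with invalid Checksum: Deny
TCP Stateful Checks : Enabled
First Packet Non-SYN Action: Drop
"""

def parse_policy(text):
    """Return {(section, key): value}; unindented settings get section ''."""
    settings, section = {}, ""
    for raw in text.splitlines():
        key, sep, value = raw.strip().rpartition(":")
        if not sep:
            continue                      # blank or not a "name : value" line
        key, value = key.strip(), value.strip()
        if not value:
            section = key                 # header such as "Dos-Protection:"
            continue
        if not raw[0].isspace():
            section = ""                  # unindented setting closes the section
        settings[(section, key)] = value
    return settings

def audit(settings):
    """List settings whose current value means the check is not enforced."""
    findings = []
    for (section, key), value in settings.items():
        v = value.lower()
        if section == "Dos-Protection" and v == "disabled":
            findings.append(f"DoS protection off: {key}")
        elif key.startswith("Action upon ") and v == "permit":
            findings.append(f"Permitted: {key[len('Action upon '):]}")
        elif (section, key) == ("TCP-SYN Flood Intercept", "Mode") and v == "none":
            findings.append("SYN flood intercept mode is None")
        elif key.endswith("Stateful Checks") and v != "enabled":
            findings.append(f"Stateful check off: {key}")
    return findings
```

Calling audit(parse_policy(text)) on the full saved listing returns one finding per unenforced check, which can be compared between policies or against an operator's own baseline.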