Symptom
FTD not timing out idle connections after applying Threat Defense Service Policy
Conditions
Applied a Threat Defense Service Policy whose class-map is keyed on a non-specific ACL (e.g. permit ip any any) and which alters the idle timeout value to 1 hour. Because the ACL matches all traffic, the custom timeout is applied to every connection rather than to the intended subset (CLI example output below):
access-list test_acl permit ip any any <<<<
!
class-map class_map
 match access-list test_acl
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class_map
  set connection timeout idle 1:00:00 <<<<<<<
Workaround
Apply a more specific ACL so that the class-map only matches the traffic the policy is meant for. For example, if the goal is only to decrement the TTL value of packets for traceroute, configure an ACL similar to the one below so that the connection settings apply to ICMP only:
access-list test_acl permit icmp any any
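The following is an added audit script, not part of the original bug description and not Cisco tooling. It walks an ASA/FTD-style text configuration, resolves each policy-map class that carries a set connection timeout idle value back to its class-map ACL, and reports the classes whose ACL is a catch-all permit ip any any (the condition described above). The two embedded configurations are constructed samples: one mirrors the broad policy from the Conditions section, the other the narrowed ICMP ACL from the workaround. The parser handles only the commands shown on this page (access-list, class-map, match access-list, policy-map, class, set connection timeout idle) and is an assumption about config layout rather than a full ASA config grammar.

```python
"""Flag policy-map classes that apply a connection idle timeout to all traffic.

Added example for the bug described above; not Cisco code. It parses a subset
of ASA/FTD running-config syntax and reports idle-timeout classes whose
class-map is keyed on a catch-all ACL (permit ip any any).
"""
import re
from collections import defaultdict

# Constructed sample mirroring the bug's CLI output (inspection list shortened).
BROAD_CONFIG = """\
access-list test_acl permit ip any any
!
class-map class_map
 match access-list test_acl
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
 class class_map
  set connection timeout idle 1:00:00
"""

# The workaround: same policy, ACL narrowed to ICMP only.
NARROW_CONFIG = BROAD_CONFIG.replace("permit ip any any", "permit icmp any any")

# Matches "permit ip any any" (also any4/any6 and the "extended" keyword form).
CATCH_ALL = re.compile(r"\bpermit ip any[46]? any[46]?$")


def parse_config(text):
    """Return (acls, class_to_acl, timeouts) from an ASA/FTD-style config.

    acls:         acl name -> list of ACE strings (text after the acl name)
    class_to_acl: class-map name -> access-list it matches on
    timeouts:     list of (policy-map, class, idle timeout) tuples
    """
    acls = defaultdict(list)
    class_to_acl = {}
    timeouts = []
    context, policy, cls = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        words = line.split()
        if words[0] == "access-list":
            acls[words[1]].append(" ".join(words[2:]))
        elif words[0] == "class-map":
            context, cls = "class-map", words[1]
        elif words[0] == "policy-map":
            context, policy, cls = "policy-map", words[1], None
        elif context == "class-map" and words[:2] == ["match", "access-list"]:
            class_to_acl[cls] = words[2]
        elif context == "policy-map" and words[0] == "class":
            cls = words[1]
        elif (context == "policy-map" and cls
              and words[:4] == ["set", "connection", "timeout", "idle"]):
            timeouts.append((policy, cls, words[4]))
    return acls, class_to_acl, timeouts


def find_catch_all_timeouts(text):
    """Report (policy, class, acl, idle) where the class ACL matches all traffic."""
    acls, class_to_acl, timeouts = parse_config(text)
    findings = []
    for policy, cls, idle in timeouts:
        acl = class_to_acl.get(cls)
        if acl is None:
            continue  # class not keyed on an ACL (e.g. default-inspection-traffic)
        if any(CATCH_ALL.search(ace) for ace in acls.get(acl, [])):
            findings.append((policy, cls, acl, idle))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broad", BROAD_CONFIG), ("narrow", NARROW_CONFIG)):
        print(label, find_catch_all_timeouts(cfg))
```

Run it against a saved show running-config by reading the file into find_catch_all_timeouts; an empty result means no idle-timeout class is keyed on a permit ip any any ACL, which is the state the workaround produces.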
Further Problem Description