February 8, 2013 ahydle

Exchange ActiveSync and the Cisco ASA HTTPS Timeout

If you are running Exchange ActiveSync behind a Cisco ASA firewall you may receive Event ID: 1040 in your application event log. The event basically says:

The average of the most recent heartbeat intervals [470] for request [Sync] used by clients is less than or equal to [540].
Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

To resolve this error we can bump up the timeout for http connections in the ASA by creating a policy map:

First, lets identify the server as a network object.

object network EXCHANGE_SERVER

Next we will define an access list to identify the traffic.

access-list AS-HTTPS permit tcp any object EXCHANGE_SERVER eq 443

Tie the access list to a class map.

class-map AS-HTTPS
match access-list AS-HTTPS

Lastly we tie it all together by applying it to global policy. You can set the timeout to a different value but from what I read the minimum you will probably want is 30 minutes. The “set connection timeout half-closed” takes a value of hh:mm:ss.

policy-map global_policy
class AS-HTTPS
set connection timeout half-closed 0:30:0
, , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *