[tor-relays] Cisco ASA

starlight.2013q4 at binnacle.cx
Thu Oct 31 20:59:10 UTC 2013


For anyone running a Cisco ASA between
their 'tor' relay and the Internet,
some potentially useful info:

The default ASA connection timeout is
short and often results in 'telnet'
sessions through VPN tunnels getting
whacked.  So one might add

   timeout conn 48:00:00

to a config to mitigate that issue.

However, a busy 'tor' relay instance
will rapidly accumulate large numbers
of dead connection table entries due
to loss of FIN packets from flaky
corners of the Internet.

I'm not 100% sure about this, but it
seems these dead connection table entries
can impair the formation of new connections,
not to mention the obvious potential
for excessive memory consumption on
the ASA.

The solution is:

   access-list tor-class extended permit tcp any host X.X.X.X
   access-list tor-class extended permit tcp host X.X.X.X any

where X.X.X.X is the 'inside' server running 'tor'

   class-map tor
    match access-list tor-class

   policy-map outside
    class tor
     set connection timeout idle 0:06:00

As 'tor' sockets have a default

   KeepalivePeriod 300

any connection with an idle time
of more than five minutes is a dead
duck and can safely be removed.  Checked this
out carefully.  The comment above was inspired
by a seeming performance boost and increase
in connections observed after the change
was made, not by direct traffic analysis.
Could be coincidental.

The way to verify it's working is with the

   show conn addr X.X.X.X long

command, which includes the idle timeout
associated with each connection.

If one has other services running on the
same box as 'tor', it might be necessary
to adjust the 'access-list' to take them
into account.
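As an added example (not part of the original post), the check below
parses 'show conn addr X.X.X.X long' output and flags two things for
flows touching the relay: entries whose timeout is not the 0:06:00 set
by the policy-map above, and entries idle longer than KeepalivePeriod
(the "dead ducks").  The sample output, the line layout it assumes and
the 10.0.0.5 relay address are constructed for this example; the idle
and timeout fields are matched loosely so minor format differences parse.

```python
"""Audit constructed `show conn addr X.X.X.X long` output for the tor policy."""
import re

# Constructed sample, approximating ASA `show conn ... long` line layout.
# 10.0.0.5 is the assumed 'inside' relay; 203.0.113.1 its NATed address.
SAMPLE = """\
TCP outside:198.51.100.7/52311 (198.51.100.7/52311) inside:10.0.0.5/9001 (203.0.113.1/9001), flags UIO, idle 0:02:14, uptime 0:14:22, timeout 0:06:00, bytes 39234
TCP outside:192.0.2.9/41001 (192.0.2.9/41001) inside:10.0.0.5/9001 (203.0.113.1/9001), flags UIO, idle 0:07:41, uptime 1:02:10, timeout 0:06:00, bytes 1020
TCP outside:203.0.113.77/443 (203.0.113.77/443) inside:10.0.0.5/33120 (203.0.113.1/33120), flags UIO, idle 0:00:03, uptime 0:00:40, timeout 48:00:00, bytes 512
"""

# Two endpoints as iface:ip/port, then the 'idle' and 'timeout' fields.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+:(?P<a>[\d.]+)/(?P<ap>\d+)"
    r".*?\s\S+:(?P<b>[\d.]+)/(?P<bp>\d+)"
    r".*?\bidle (?P<idle>\S+?),.*?\btimeout (?P<timeout>\S+?),")


def to_seconds(text):
    """Parse 'h:mm:ss' (the ASA config form) or '1h2m3s' style durations."""
    if ":" in text:
        h, m, s = (int(x) for x in text.split(":"))
        return h * 3600 + m * 60 + s
    total = 0
    for num, unit in re.findall(r"(\d+)([hms])", text):
        total += int(num) * {"h": 3600, "m": 60, "s": 1}[unit]
    return total


def audit(output, relay_ip, expected_timeout, keepalive=300):
    """Return (wrong_timeout, stale) lists of 'ip/port' peers for relay_ip flows.

    wrong_timeout: flows not carrying the policy's idle timeout (e.g. a
    connection set up before the policy-map was applied, or an ACL gap).
    stale: flows idle longer than tor's KeepalivePeriod (dead entries).
    """
    wrong, stale = [], []
    want = to_seconds(expected_timeout)
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or relay_ip not in (m["a"], m["b"]):
            continue
        peer = f"{m['a']}/{m['ap']}" if m["b"] == relay_ip else f"{m['b']}/{m['bp']}"
        if to_seconds(m["timeout"]) != want:
            wrong.append(peer)
        if to_seconds(m["idle"]) > keepalive:
            stale.append(peer)
    return wrong, stale


if __name__ == "__main__":
    print(audit(SAMPLE, "10.0.0.5", "0:06:00"))
```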
