15-6
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Inspection of Database, Directory, and Management Protocols
GTP Inspection
The SGSN is logically connected to a GGSN using GTP. GTP allows multiprotocol packets to be
tunneled through the GPRS backbone between GSNs. GTP provides a tunnel control and management
protocol that allows the SGSN to provide GPRS network access for a mobile station by creating,
modifying, and deleting tunnels. GTP uses a tunneling mechanism to provide a service for carrying user
data packets.
Note When using GTP with failover, if a GTP connection is established and the active unit fails before data
is transmitted over the tunnel, the GTP data connection (with a “j” flag set) is not replicated to the
standby unit. This occurs because the active unit does not replicate embryonic connections to the standby
unit.
Defaults for GTP Inspection
GTP inspection is not enabled by default. However, if you enable it without specifying your own
inspection map, a default map is used which provides the following processing. You need to configure a
map only if you want different values.
• Errors are not permitted.
• The maximum number of requests is 200.
• The maximum number of tunnels is 500.
• The GSN timeout is 30 minutes.
• The PDP context timeout is 30 minutes.
• The request timeout is 1 minute.
• The signaling timeout is 30 minutes.
• The tunneling timeout is 1 hour.
• The T3 response timeout is 20 seconds.
• Unknown message IDs are dropped and logged.
Configure GTP Inspection
GTP inspection is not enabled by default. You must configure it if you want GTP inspection.
Procedure
Step 1 Configure a GTP Inspection Policy Map, page 15-7.
Step 2 Configure the GTP Inspection Service Policy, page 15-9.
Step 3 (Optional) Configure RADIUS accounting inspection to protect against over-billing attacks. See ILS
Inspection, page 15-12.
To Next Page
Loading...
Need help?
General