For anyone running a Cisco ASA between their 'tor' relay and the Internet, some potentially useful info:
The default ASA connection timeout is short and often results in 'telnet' sessions through VPN tunnels getting whacked. So one might add
timeout conn 48:00:00
to a config to mitigate that issue.
However, a busy 'tor' relay instance will rapidly accumulate large numbers of dead connection table entries due to loss of FIN packets from flaky corners of the Internet.
I'm not 100% sure about this, but it seems these dead connection table entries can impair the formation of new connections, not to mention the obvious potential for excessive memory consumption on the ASA.
The solution is:
access-list tor-class extended permit tcp any host X.X.X.X
access-list tor-class extended permit tcp host X.X.X.X any
where X.X.X.X is the 'inside' server running 'tor'
class-map tor
 match access-list tor-class
policy-map outside
 class tor
  set connection timeout idle 0:06:00
As 'tor' sockets have a default
KeepalivePeriod 300
any connection with an idle time of more than five minutes is a dead duck and can safely be removed. Checked this out carefully. The comment above was inspired by a seeming performance boost and increase in connections observed after the change was made, not by direct traffic analysis. Could be coincidental.
The way to verify it's working is with the
show conn addr X.X.X.X long
command, which includes the idle timeout associated with each connection.
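As an added illustration (not part of the original post), here is a small Python script that audits a captured 'show conn addr X.X.X.X long' listing: it flags entries whose idle time already exceeds tor's 300-second KeepalivePeriod (the "dead duck" case) and entries whose idle timeout is not the 6-minute value from the policy-map, which would mean the access-list did not match them. The sample lines are constructed to resemble ASA output; the exact field layout varies between ASA versions, so the regex is an assumption to adjust locally.

```python
import re

# Constructed sample modelled on "show conn addr X.X.X.X long" output.
# Field layout is an assumption; adjust CONN_RE for your ASA version.
SAMPLE_CONN_OUTPUT = """\
TCP outside: 203.0.113.7/51234 (203.0.113.7/51234) inside: 192.0.2.10/9001 (192.0.2.10/9001), flags UIO, idle 0s, uptime 12m4s, timeout 6m0s, bytes 81234
TCP outside: 198.51.100.23/443 (198.51.100.23/443) inside: 192.0.2.10/45120 (192.0.2.10/45120), flags UIO, idle 5m40s, uptime 3h2m, timeout 6m0s, bytes 4096
TCP outside: 203.0.113.99/55001 (203.0.113.99/55001) inside: 192.0.2.10/9001 (192.0.2.10/9001), flags UIO, idle 7m12s, uptime 1h5m, timeout 48h0m, bytes 512
"""

KEEPALIVE_PERIOD = 300      # tor's default KeepalivePeriod, in seconds
CONN_IDLE_TIMEOUT = 6 * 60  # the policy-map "timeout idle 0:06:00", in seconds

DURATION_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
CONN_RE = re.compile(r"idle (?P<idle>[\dhms]+),.*?timeout (?P<timeout>[\dhms]+)")


def parse_duration(text):
    """Convert an ASA-style duration such as '48h0m', '5m40s' or '0s' to seconds."""
    m = DURATION_RE.fullmatch(text)
    if not m or not text:
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def audit_connections(output, keepalive=KEEPALIVE_PERIOD,
                      expected_timeout=CONN_IDLE_TIMEOUT):
    """Return (stale, wrong_timeout): connection lines idle longer than the
    keepalive period, and lines whose idle timeout is not the policy value."""
    stale, wrong_timeout = [], []
    for line in output.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # header or unrelated line
        idle = parse_duration(m.group("idle"))
        timeout = parse_duration(m.group("timeout"))
        if timeout != expected_timeout:
            wrong_timeout.append(line)  # class-map/access-list did not match
        if idle > keepalive:
            stale.append(line)          # no keepalive seen: peer is gone
    return stale, wrong_timeout


if __name__ == "__main__":
    stale, wrong = audit_connections(SAMPLE_CONN_OUTPUT)
    print(f"{len(stale)} stale connection(s), {len(wrong)} with unexpected timeout")
```

Pipe a real capture into audit_connections to get the same two lists for your own relay.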
If one has other services running on the same box as 'tor', it might be necessary to adjust the 'access-list' to take them into account.
tor-relays@lists.torproject.org