Turns out the timing-out will occur in the masquerade module. And I read one article saying you can't set it! (you probably can if you recompile the kernel, but it seems to imply that it is not exposed as a setting in /proc.
There is a way to regulate timeouts with ipfwadmin and/or ipchains, but I don't believe that impacts (the newer) iptables, which is what Astaro uses (somebody check me on that...).
Can anybody else here speak to masquerade timeouts and iptables? (You are masquerading, right?)
You can alter the normal Linux TCP/IP stack in /proc/sys/net/ipv4 but as stated that wont affect the netfilter.
Not fluent in hardcore netfilter hacking but I did some reading [:)]n /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c can be altered. See /usr/src/linux/Documentation/networking/ip-sysctl.txt for more details.
Apperently there is a patch available for this that will allow you to tune it in /proc/sys/net/ipv4/netfilter/ tcp-window-tracking
So I guess the hacker section will be the next step
