52-4
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 52 Using Protection Tools
Configuring TCP Options
the adaptive security appliance overrides the maximum and inserts the value you set. For
example, if you set a maximum size of 1200 bytes, when a host requests a maximum size of
1300 bytes, then the adaptive security appliance alters the packet to request 1200 bytes.
Force Minimum Segment Size for TCP—Overrides the maximum segment size to be no less
than the number of bytes you set, between 48 and any maximum number. This feature is
disabled by default (set to 0). Both the host and the server can set the maximum segment size
when they first establish a connection. If either maximum is less than the value you set for the
Force Minimum Segment Size for TCP Proxy field, then the adaptive security appliance
overrides the maximum and inserts the “minimum” value you set (the minimum value is actually
the smallest maximum allowed). For example, if you set a minimum size of 400 bytes, if a host
requests a maximum value of 300 bytes, then the adaptive security appliance alters the packet
to request 400 bytes.
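The two segment-size rules described above, as an added Python example that is not Cisco's code: it walks the TCP options block of a SYN, reads the MSS option (kind 2, length 4) and rewrites it the way the description says the appliance does, with 0 disabling a rule. The limits, the helper names and the sample option bytes are constructed for illustration.

```python
import struct

MSS_KIND = 2  # Maximum Segment Size option (RFC 793): kind=2, length=4

# Constructed sample: options from a SYN advertising MSS 1460, then NOP,
# window scale 7 and SACK-permitted (not captured traffic).
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0402")

def iter_options(options):
    """Yield (offset, kind, length) for each option in a TCP options block."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            return
        if kind == 1:                       # No-Operation: one byte, no length field
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield i, kind, options[i + 1]
        i += options[i + 1]

def parse_mss(options):
    """Return the advertised MSS, or None when the option is absent."""
    for off, kind, length in iter_options(options):
        if kind == MSS_KIND and length == 4:
            return struct.unpack_from("!H", options, off + 2)[0]
    return None

def clamp_mss(requested, maximum, minimum):
    """Apply the two ASDM fields; a value of 0 disables that rule."""
    mss = min(requested, maximum) if maximum else requested
    if minimum and mss < minimum:
        mss = minimum                       # the "minimum" is the smallest maximum allowed
    return mss

def rewrite_mss(options, maximum, minimum):
    """Return the options block with the MSS option rewritten in place.
    A SYN that carries no MSS option is returned unchanged in this example."""
    out = bytearray(options)
    for off, kind, length in iter_options(options):
        if kind == MSS_KIND and length == 4:
            current = struct.unpack_from("!H", options, off + 2)[0]
            struct.pack_into("!H", out, off + 2, clamp_mss(current, maximum, minimum))
            break
    return bytes(out)
```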
Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Seconds—Forces each
TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final
normal TCP close-down sequence. You might want to use this feature if an end host application's
default TCP terminating sequence is a simultaneous close. The default behavior of the adaptive
security appliance is to track the shutdown sequence and release the connection after two FINs
and the ACK of the last FIN segment. This quick release heuristic enables the adaptive security
appliance to sustain a high connection rate, based on the most common closing sequence, known
as the normal close sequence. However, in a simultaneous close, both ends of the transaction
initiate the closing sequence, as opposed to the normal close sequence where one end closes and
the other end acknowledges prior to initiating its own closing sequence (see RFC 793). Thus, in
a simultaneous close, the quick release forces one side of the connection to linger in the
CLOSING state. Having many sockets in the CLOSING state can degrade the performance of
an end host. For example, some WinSock mainframe clients are known to exhibit this behavior
and degrade the performance of the mainframe server. Using this feature creates a window for
the simultaneous close-down sequence to complete.
TCP Reset Settings
The Configuration > Properties > TCP Options > TCP Reset Settings dialog box sets the inbound and
outbound reset settings for an interface.
Fields
Send Reset Reply for Denied Inbound TCP Packets—Sends TCP resets for all inbound TCP sessions
that attempt to transit the adaptive security appliance and are denied by the adaptive security
appliance based on access lists or AAA settings. Traffic between same security level interfaces is
also affected. When this option is not enabled, the adaptive security appliance silently discards
denied packets.
You might want to explicitly send resets for inbound traffic if you need to reset identity request
(IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host,
the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out.
Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting
the SYN until the IDENT times out, so the service resetinbound command might improve
performance.
Send Reset Reply for Denied Outbound TCP Packets—Sends TCP resets for all outbound TCP
sessions that attempt to transit the adaptive security appliance and are denied by the adaptive
security appliance based on access lists or AAA settings. Traffic between same security level