16-16
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 16      Connection Settings
  Configure Connection Settings
• set connection random-sequence-number {enable | disable}—Whether to enable or disable TCP 
sequence number randomization. Randomization is enabled by default.
Example:
hostname(config-pmap-c)# set connection conn-max 256 random-sequence-number disable 
Step 4 Set connection timeouts and Dead Connection Detection (DCD).
The defaults described below assume you have not changed the global defaults for these behaviors using 
the timeout command; the global defaults override the ones described here. Enter 0 to disable the timer, 
so that a connection never times out.
• set connection timeout embryonic hh:mm:ss—The timeout period until a TCP embryonic 
(half-open) connection is closed, between 0:0:5 and 1193:00:00. The default is 0:0:30.
• set connection timeout idle hh:mm:ss [reset]—The idle timeout period after which an established 
connection of any protocol closes, between 0:0:1 and 1193:0:0. The default is 1:0:0. For TCP traffic, 
the reset keyword sends a reset to the TCP endpoints when the connection times out.
The default UDP idle timeout is 2 minutes. The default ICMP idle timeout is 2 seconds. The default 
ESP and HA idle timeout is 30 seconds. For all other protocols, the default idle timeout is 2 minutes.
• set connection timeout half-closed hh:mm:ss—The idle timeout period until a half-closed connection is 
closed, between 0:5:0 (for 9.1(1) and earlier) or 0:0:30 (for 9.1(2) and later) and 1193:0:0. The 
default is 0:10:0. Half-closed connections are not affected by DCD. Also, the ASA does not send a 
reset when taking down half-closed connections.
• set connection timeout dcd [retry-interval [max_retries]]—Enable Dead Connection Detection (DCD). 
Before expiring an idle connection, the ASA probes the end hosts to determine whether the connection is 
still valid. If both hosts respond, the connection is preserved; otherwise the connection is freed.
The retry-interval sets the time, in hh:mm:ss format, to wait after each unresponsive DCD 
probe before sending another probe, between 0:0:1 and 24:0:0. The default is 0:0:15. The 
max_retries sets the number of consecutive failed DCD probes before the connection is declared 
dead. The minimum value is 1 and the maximum value is 255. The default is 5.
Example:
hostname(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd 
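The following is an added, complete example of Steps 3 and 4 applied to one class of traffic; it is not taken from the Cisco guide. It builds the class map and policy map around a hypothetical DMZ web server at 10.1.1.10 (constructed address) and applies the policy to an interface named dmz (constructed name). The conn-max and random-sequence-number keywords are the ones shown earlier in this chapter; the embryonic-conn-max keyword is part of the same set connection command but is not covered on this page, so treat its use here as an assumption about the platform rather than something this page documents. The values chosen (a short embryonic timeout to free half-open sessions quickly, and DCD so that long-lived but idle sessions are probed rather than silently dropped) are illustrative, not Cisco recommendations.

```cisco
! Added example, not from the Cisco guide. Address, names, interface and values are constructed.
! Match HTTPS traffic to a hypothetical DMZ web server.
access-list WEB_SRV extended permit tcp any host 10.1.1.10 eq 443
class-map WEB_SRV_CLASS
 match access-list WEB_SRV
!
policy-map dmz_policy
 class WEB_SRV_CLASS
  ! Step 3: cap total and half-open connections to this server; keep the default
  ! TCP initial sequence number randomization enabled (shown explicitly for clarity).
  ! embryonic-conn-max is assumed to be available; it is not documented on this page.
  set connection conn-max 2000 embryonic-conn-max 500 random-sequence-number enable
  ! Step 4: embryonic 0:0:10 frees half-open sessions sooner than the 0:0:30 default;
  ! idle 0:30:0 with reset tears down idle TCP sessions after 30 minutes and tells both
  ! endpoints; half-closed 0:5:0 shortens the 0:10:0 default (half-closed sessions are
  ! not probed by DCD); dcd 0:0:10 3 probes an idle session every 10 seconds and frees it
  ! after 3 consecutive unanswered probes, instead of dropping it as soon as idle expires.
  set connection timeout embryonic 0:0:10 idle 0:30:0 reset half-closed 0:5:0 dcd 0:0:10 3
!
! Apply the policy to the DMZ interface (interface name is constructed).
service-policy dmz_policy interface dmz
```

Because the DCD probes run only after the idle timer expires, the worst case for an unresponsive peer is the idle timeout plus roughly retry-interval multiplied by max_retries (here 30 minutes plus about 30 seconds) before the ASA frees the session; verify the effective values with show service-policy after applying the policy.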
Step 5 Decrement time-to-live (TTL) on packets that match the class.
set connection decrement-ttl 
This command, along with the icmp unreachable command, is required to allow a traceroute through 
the ASA that shows the ASA as one of the hops.
Example: 
hostname(config)# class-map global-policy 
hostname(config-cmap)# match any 
hostname(config-cmap)# exit 
hostname(config)# policy-map global_policy 
hostname(config-pmap)# class global-policy 
hostname(config-pmap-c)# set connection decrement-ttl 
hostname(config-pmap-c)# exit 
hostname(config)# icmp unreachable rate-limit 50 burst-size 6 
Step 6 Customize TCP Normalizer behavior by applying a TCP map.
set connection advanced-options tcp-map-name 
Example: