22-9
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 22 Configuring Connection Settings
• Send reset to TCP endpoints before timeout—Specifies that the ASA should send a TCP reset message to the endpoints of the connection before freeing the connection slot.
• Embryonic Connection Timeout—Specifies the idle time until an embryonic (half-open) connection slot is freed. Enter 0:0:0 to disable timeout for the connection. The default is 30 seconds.
• Half Closed Connection Timeout—Sets the idle timeout period until a half-closed connection is closed, between 0:5:0 (for 9.1(1) and earlier) or 0:0:30 (for 9.1(2) and later) and 1193:0:0. The default is 0:10:0. Half-closed connections are not affected by DCD. Also, the ASA does not send a reset when taking down half-closed connections.
Step 5 To disable randomized sequence numbers, uncheck Randomize Sequence Number.
TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the connection is between two interfaces with the same security level, then the ISN will be randomized in the SYN in both directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
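The following is an added illustration of why this setting is left enabled by default; it is not code from the Cisco guide and it models host-side ISN generation rather than the ASA's in-flight rewriting of the SYN. It contrasts a predictable counter-style ISN with an RFC 6528-style keyed-hash ISN (ISN = M + F(four-tuple, secret)) and counts how often a simple linear extrapolation from previously seen ISNs lands on the next one. Addresses, ports, the clock rate and the secret key are constructed sample values.

```python
"""Predictable versus keyed-hash TCP ISNs (added example, not from the Cisco guide)."""
import hashlib
import hmac
import os
import time

TICK_HZ = 250_000  # illustrative clock rate for M; RFC 6528 suggests roughly a 4 microsecond tick


class CounterISN:
    """Predictable scheme: each new connection's ISN is the previous one plus a fixed step,
    which is exactly the behaviour ISN randomization on the firewall is meant to mask."""

    def __init__(self, start=1000, step=64000):
        self.value = start
        self.step = step

    def next_isn(self, four_tuple):
        self.value = (self.value + self.step) & 0xFFFFFFFF
        return self.value


class KeyedHashISN:
    """RFC 6528 scheme: ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret) mod 2^32,
    where M is a clock and F is a keyed hash. Without the secret, F cannot be reproduced."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)  # constructed per-boot secret

    def next_isn(self, four_tuple):
        m = int(time.monotonic() * TICK_HZ) & 0xFFFFFFFF
        material = "|".join(str(x) for x in four_tuple).encode()
        f = int.from_bytes(hmac.new(self.secret, material, hashlib.sha256).digest()[:4], "big")
        return (m + f) & 0xFFFFFFFF


def linear_guess(history):
    """Simplest possible predictor: extrapolate the last observed difference.
    Returns None until two ISNs have been seen."""
    if len(history) < 2:
        return None
    return (2 * history[-1] - history[-2]) & 0xFFFFFFFF


def prediction_hits(generator, connections=50):
    """Open `connections` new flows, guessing each ISN from those already observed.
    Returns how many guesses were exactly right."""
    history, hits = [], 0
    for i in range(connections):
        flow = ("10.0.0.1", 40000 + i, "192.0.2.10", 443)  # constructed sample four-tuple
        guess = linear_guess(history)
        isn = generator.next_isn(flow)
        hits += (guess == isn)
        history.append(isn)
    return hits


if __name__ == "__main__":
    print("counter   :", prediction_hits(CounterISN()), "of 50 guessed")
    print("keyed-hash:", prediction_hits(KeyedHashISN()), "of 50 guessed")
```

With the counter scheme every guess after the first two succeeds; with the keyed-hash scheme the guesses essentially never succeed, which is the property the ASA supplies on behalf of hosts whose own stacks may be predictable. The comment in the guide that two in-line firewalls may both randomize without harm follows from the same construction: rewriting an already unpredictable ISN leaves it unpredictable.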
Step 6 To configure TCP normalization, check Use TCP Map. Choose an existing TCP map from the drop-down list (if available), or add a new one by clicking New.
The Add TCP Map dialog box appears. See the “Customizing the TCP Normalizer with a TCP Map” section on page 22-6.
Step 7 Click OK.
Step 8 To set the time to live, check Decrement time to live for a connection.
Step 9 To enable TCP state bypass, in the Advanced Options area, check TCP State Bypass.
Step 10 Click OK or Finish.
Configuring Global Timeouts
The Configuration > Firewall > Advanced > Global Timeouts pane lets you set the timeout durations for use with the ASA. All durations are displayed in the format hh:mm:ss. It sets the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.
Fields
In all cases, except for Authentication absolute and Authentication inactivity, unchecking the check boxes means there is no timeout value. For those two cases, clearing the check box means to reauthenticate on every new connection.
• Connection—Modifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.
• Half-closed—Modifies the idle time until a TCP half-closed connection closes. The minimum is 5 minutes. The default is 10 minutes. Enter 0:0:0 to disable timeout for a half-closed connection.
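The following added example (not code from the Cisco guide or ASDM) parses the hh:mm:ss durations used throughout this pane and checks them against the limits the text states: the Connection idle timeout must be 0:0:0 (disabled) or at least 5 minutes, and the per-policy Half Closed Connection Timeout from Step 4 must be 0:0:0 or lie between the version-dependent minimum (0:5:0 through 9.1(1), 0:0:30 from 9.1(2)) and 1193:0:0. The `check_*` function names, the `(ok, message)` return shape and the version-string format accepted by `parse_version` are this example's own conventions.

```python
"""Validate ASA-style hh:mm:ss timeouts against the bounds given in this section
(added example, not from the Cisco guide)."""
import re

_DURATION_RE = re.compile(r"^(\d{1,4}):(\d{1,2}):(\d{1,2})$")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_duration(text):
    """hh:mm:ss -> total seconds. Hours may exceed 99 (the half-closed maximum is 1193:0:0)."""
    m = _DURATION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not in hh:mm:ss form: {text!r}")
    hours, minutes, seconds = (int(g) for g in m.groups())
    if minutes > 59 or seconds > 59:
        raise ValueError(f"minutes and seconds must be 0-59: {text!r}")
    return hours * 3600 + minutes * 60 + seconds


def parse_version(text):
    """'9.1(2)' -> (9, 1, 2) so ASA release strings compare as tuples (example convention)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    return tuple(int(g) for g in m.groups())


CONNECTION_MIN = parse_duration("0:5:0")       # Connection timeout must be at least 5 minutes
HALF_CLOSED_MAX = parse_duration("1193:0:0")   # upper bound for the per-policy half-closed timeout


def check_connection(text):
    """Global Timeouts > Connection: 0:0:0 disables the timeout, otherwise at least 5 minutes."""
    secs = parse_duration(text)
    if secs == 0:
        return True, "timeout disabled"
    if secs < CONNECTION_MIN:
        return False, f"{text} is below the 5 minute minimum"
    return True, "ok"


def check_half_closed(text, asa_version):
    """Per-policy Half Closed Connection Timeout: 0:0:0 disables it; otherwise the minimum is
    0:5:0 up to 9.1(1) and 0:0:30 from 9.1(2), and the maximum is 1193:0:0."""
    secs = parse_duration(text)
    if secs == 0:
        return True, "timeout disabled"
    minimum = "0:0:30" if parse_version(asa_version) >= (9, 1, 2) else "0:5:0"
    if secs < parse_duration(minimum):
        return False, f"{text} is below the {minimum} minimum for ASA {asa_version}"
    if secs > HALF_CLOSED_MAX:
        return False, f"{text} exceeds the 1193:0:0 maximum"
    return True, "ok"


if __name__ == "__main__":
    for value, version in [("0:0:30", "9.1(1)"), ("0:0:30", "9.1(2)"),
                           ("0:0:0", "9.0(1)"), ("1200:0:0", "9.1(2)")]:
        print(f"half-closed {value:>9} on {version}: {check_half_closed(value, version)}")
    for value in ("0:4:59", "1:0:0", "0:0:0"):
        print(f"connection  {value:>9}: {check_connection(value)}")
```

Note that the Global Timeouts pane's own Half-closed field keeps a flat 5 minute minimum, so a value that is valid in a per-policy TCP connection setting on 9.1(2) or later (for example 0:0:30) is not necessarily valid in the global pane; the checks above are kept separate for that reason.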