Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 22 Configuring Connection Settings
Note: When Authentication Absolute = 0, HTTPS authentication may not work. If a browser initiates
multiple TCP connections to load a web page after HTTPS authentication, the first connection
is permitted through, but subsequent connections trigger authentication. As a result, users are
continuously presented with an authentication page, even after successful authentication. To
work around this, set the authentication absolute timeout to 1 second. This workaround opens a
1-second window of opportunity that might allow non-authenticated users to go through the
firewall if they are coming from the same source IP address.
• Authentication inactivity—Modifies the idle time until the authentication cache times out and users
have to reauthenticate a new connection. This duration must be shorter than the Translation Slot
value.
• Translation Slot—Modifies the idle time until a translation slot is freed. This duration must be at
least 1 minute. The default is 3 hours. Enter 0:0:0 to disable the timeout.
• (8.4(3) and later, not including 8.5(1) and 8.6(1)) PAT Translation Slot—Modifies the idle time until
a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want
to increase the timeout if upstream routers reject new connections using a freed PAT port because
the previous connection might still be open on the upstream device.
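The constraints in the note and list above can be checked against a saved configuration. The following is an added example, not part of the Cisco guide: the `timeout xlate`, `timeout pat-xlate` and `timeout uauth ... absolute|inactivity` line format is assumed from the ASA CLI (this page shows only the ASDM fields), and the sample input is constructed.

```python
import re

# Assumed running-config line format (ASA CLI; not shown on this page).
LINE = re.compile(r"^timeout\s+(xlate|pat-xlate|uauth)\s+(\d+):(\d+):(\d+)"
                  r"(?:\s+(absolute|inactivity))?\s*$", re.M)

def parse_timeouts(config_text):
    """Map each timeout name (e.g. 'uauth absolute') to its value in seconds."""
    values = {}
    for name, h, m, s, mode in LINE.findall(config_text):
        key = f"{name} {mode}" if mode else name
        values[key] = int(h) * 3600 + int(m) * 60 + int(s)
    return values

def audit_timeouts(config_text):
    """Return (setting, message) findings based on the rules in this section."""
    t = parse_timeouts(config_text)
    findings = []
    xlate = t.get("xlate", 3 * 3600)   # Translation Slot: default 3 hours, 0 disables
    if 0 < xlate < 60:
        findings.append(("xlate", "must be at least 1 minute, or 0:0:0 to disable"))
    pat = t.get("pat-xlate", 30)       # PAT Translation Slot: default 30 seconds
    if not 30 <= pat <= 300:
        findings.append(("pat-xlate", "must be between 0:0:30 and 0:5:0"))
    inactivity = t.get("uauth inactivity")
    if inactivity is not None and xlate != 0 and inactivity >= xlate:
        findings.append(("uauth inactivity", "must be shorter than the Translation Slot value"))
    absolute = t.get("uauth absolute")
    if absolute == 0:
        findings.append(("uauth absolute", "0 may cause repeated HTTPS authentication prompts"))
    elif absolute == 1:
        findings.append(("uauth absolute", "1-second workaround might admit "
                         "non-authenticated users from the same source IP"))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE_BAD = """\
timeout xlate 0:00:30
timeout pat-xlate 0:10:00
timeout uauth 0:00:01 absolute
timeout uauth 0:05:00 inactivity
"""

if __name__ == "__main__":
    for setting, message in audit_timeouts(SAMPLE_BAD):
        print(f"{setting}: {message}")
```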
Feature History for Connection Settings
Table 22-1 lists each feature change and the platform release in which it was implemented. ASDM is
backwards-compatible with multiple platform releases, so the specific ASDM release in which support
was added is not listed.
Table 22-1 Feature History for Connection Settings

Feature Name: TCP state bypass
Platform Releases: 8.2(1)
Feature Information: This feature was introduced. The following command was
introduced: set connection advanced-options tcp-state-bypass.

Feature Name: Connection timeout for all protocols
Platform Releases: 8.2(2)
Feature Information: The idle timeout was changed to apply to all protocols, not
just TCP. The following screen was modified: Configuration > Firewall > Service
Policies > Rule Actions > Connection Settings.

Feature Name: Timeout for connections using a backup static route
Platform Releases: 8.2(5)/8.4(2)
Feature Information: When multiple static routes exist to a network with different
metrics, the ASA uses the one with the best metric at the time of connection
creation. If a better route becomes available, then this timeout lets connections
be closed so a connection can be reestablished to use the better route. The
default is 0 (the connection never times out). To take advantage of this feature,
change the timeout to a new value. We modified the following screen:
Configuration > Firewall > Advanced > Global Timeouts.