Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 22 Configuring Connection Settings
Configuring Connection Settings
This section includes the following topics:
• Customizing the TCP Normalizer with a TCP Map
• Configuring Connection Settings
• Configuring Global Timeouts
Task Flow For Configuring Connection Settings
Step 1 For TCP normalization customization, create a TCP map according to the “Customizing the TCP
Normalizer with a TCP Map” section on page 22-6.
Step 2 For all connection settings except for global timeouts, configure a service policy according to Chapter 1,
“Configuring a Service Policy.”
Step 3 Configure connection settings according to the “Configuring Connection Settings” section on page 22-8.
Step 4 Configure global timeouts according to the “Configuring Global Timeouts” section on page 22-9.
Customizing the TCP Normalizer with a TCP Map
To customize the TCP normalizer, first define the settings using a TCP map.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Objects > TCP Maps pane, and click Add.
The Add TCP Map dialog box appears.
Step 2 In the TCP Map Name field, enter a name.
Step 3 In the Queue Limit field, enter the maximum number of out-of-order packets, between 0 and 250 packets.
The Queue Limit sets the maximum number of out-of-order packets that can be buffered and put in order
for a TCP connection. The default is 0, which means this setting is disabled and the default system queue
limit is used depending on the type of traffic:
• Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3
packets. If the ASA receives a TCP packet with a different window size, then the queue limit is
dynamically changed to match the advertised setting.
• For other TCP connections, out-of-order packets are passed through untouched.
If you set the Queue Limit to be 1 or above, then the number of out-of-order packets allowed for all TCP
traffic matches this setting. For example, for application inspection, IPS, and TCP check-retransmission
traffic, any advertised settings from TCP packets are ignored in favor of the Queue Limit setting. For
other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through
untouched.
Step 4 In the Timeout field, set the maximum amount of time that out-of-order packets can remain in the buffer,
between 1 and 20 seconds.
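The Queue Limit and Timeout behavior from Steps 3 and 4, modeled as an added Python example (not Cisco code and not a description of ASA internals). Assumptions: packets are numbered 1, 2, 3, ... instead of by byte sequence number, the advertised setting is passed in directly as a packet count, and a packet that arrives at a full buffer or stays buffered past the timeout is dropped.

```python
INSPECTED_DEFAULT = 3  # page: inspection, IPS, check-retransmission traffic

def effective_queue_limit(configured, inspected, advertised=None):
    """Buffer size in packets for one connection; None means pass-through.

    `advertised` is the hypothetical packet count derived from the peer's
    advertised setting (assumption: the page does not give the conversion).
    """
    if not 0 <= configured <= 250:
        raise ValueError("Queue Limit must be between 0 and 250")
    if configured >= 1:
        return configured      # explicit setting applies to all TCP traffic
    if not inspected:
        return None            # default: out-of-order packets pass untouched
    return INSPECTED_DEFAULT if advertised is None else advertised

def normalize(arrivals, limit, timeout):
    """Replay constructed (time_s, packet_no) arrivals through the buffer.

    Returns (forwarded, dropped). Assumed, not stated on the page: a packet
    arriving at a full buffer, or buffered longer than `timeout`, is dropped.
    """
    if limit is None:
        return [n for _, n in arrivals], []
    expected, buffered, forwarded, dropped = 1, {}, [], []
    for now, n in arrivals:
        for old in [k for k, t in buffered.items() if now - t > timeout]:
            del buffered[old]
            dropped.append(old)
        if n == expected:
            forwarded.append(n)
            expected += 1
            while expected in buffered:      # release packets now in order
                del buffered[expected]
                forwarded.append(expected)
                expected += 1
        elif n > expected:
            if len(buffered) < limit:
                buffered[n] = now
            else:
                dropped.append(n)
    return forwarded, dropped

# Constructed arrival order: packet 2 is delayed behind packets 3-6.
SAMPLE = [(0, 1), (0, 3), (0, 4), (0, 5), (0, 6), (1, 2), (1, 7)]

if __name__ == "__main__":
    for name, cfg, inspected in [("inspected, default", 0, True),
                                 ("other TCP, default", 0, False),
                                 ("any TCP, Queue Limit 5", 5, False)]:
        print(name, normalize(SAMPLE, effective_queue_limit(cfg, inspected), 4))
```

With the default Queue Limit, the inspected connection reorders the stream but loses packet 6 to the 3-packet buffer, while the uninspected connection forwards the packets in arrival order; setting Queue Limit to 5 reorders both kinds of traffic.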