Filter
Top Products
27-6
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring Connection Settings
Configuring Connection Settings
This section describes how to set maximum TCP and UDP connections, maximum embryonic
connections, maximum per-client connections, connection timeouts, dead connection detection, and how
to disable TCP sequence randomization. This section also describes how to configure TCP
normalization. The TCP normalization feature identifies abnormal packets that the security appliance
can act on when they are detected; for example, the security appliance can allow, drop, or clear the
packets. TCP normalization helps protect the security appliance from attacks.
This section includes the following topics:
• Connection Limit Overview, page 27-6
• TCP Normalization Overview, page 27-7
• Enabling Connection Limits and TCP Normalization, page 27-7
Note You can also configure maximum connections, maximum embryonic connections, and TCP sequence
randomization in the NAT configuration. If you configure these settings for the same traffic using both
methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is
disabled using either method, then the security appliance disables TCP sequence randomization.
Connection Limit Overview
This section describes why you might want to limit connections, and includes the following topics:
• TCP Intercept Overview, page 27-6
• Disabling TCP Intercept for Management Packets for Clientless SSL VPN Compatibility, page 27-6
• Dead Connection Detection Overview, page 27-7
• TCP Sequence Randomization Overview, page 27-7
TCP Intercept Overview
Limiting the number of embryonic connections protects you from a DoS attack. The security appliance
uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects
inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An
embryonic connection is a connection request that has not finished the necessary handshake between
source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding
attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP
addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from
servicing connection requests. When the embryonic connection threshold of a connection is crossed, the
security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN
request. When the security appliance receives an ACK back from the client, it can then authenticate the
client and allow the connection to the server.
Disabling TCP Intercept for Management Packets for Clientless SSL VPN Compatibility
By default, TCP management connections have TCP Intercept always enabled. When TCP Intercept is
enabled, it intercepts the 3-way TCP connection establishment handshake packets and thus deprives the
security appliance from processing the packets for Clientless (browser-based) SSL VPN. Clientless SSL