Cisco Systems OL-16647-01 Network Router User Manual
27-21
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring TCP Options
Fields
Inbound and Outbound Reset—Sets whether to reset denied TCP connections for inbound and
outbound traffic.
Interface—Shows the interface name.
Inbound Reset—Shows the interface reset setting for inbound TCP traffic, Yes or No. Enabling
this setting causes the security appliance to send TCP resets for all inbound TCP sessions that
attempt to transit the security appliance and are denied by the security appliance based on access
lists or AAA settings. Traffic between same security level interfaces is also affected. When this
option is not enabled, the security appliance silently discards denied packets.
Outbound Reset—Shows the interface reset setting for outbound TCP traffic, Yes or No.
Enabling this setting causes the security appliance to send TCP resets for all outbound TCP
sessions that attempt to transit the security appliance and are denied by the security appliance
based on access lists or AAA settings. Traffic between same security level interfaces is also
affected. When this option is not enabled, the security appliance silently discards denied
packets.
Edit—Sets the inbound and outbound reset settings for the interface.
Other Options—Sets additional TCP options.
Send Reset Reply for Denied Outside TCP Packets—Enables resets for TCP packets that
terminate at the least secure interface and are denied by the security appliance based on access
lists or AAA settings. When this option is not enabled, the security appliance silently discards
denied packets. If you enable Inbound Resets for the least secure interface (see TCP Reset
Settings), then you do not also have to enable this setting; Inbound Resets handle traffic
terminating at the security appliance as well as traffic passing through it.
Force Maximum Segment Size for TCP—Sets the maximum TCP segment size in bytes,
between 48 and any maximum number. The default value is 1380 bytes. You can disable this
feature by setting the bytes to 0. Both the host and the server can set the maximum segment size
when they first establish a connection. If either maximum exceeds the value you set here, then
the security appliance overrides the maximum and inserts the value you set. For example, if you
set a maximum size of 1200 bytes, when a host requests a maximum size of 1300 bytes, then
the security appliance alters the packet to request 1200 bytes.
Force Minimum Segment Size for TCP—Overrides the maximum segment size to be no less
than the number of bytes you set, between 48 and any maximum number. This feature is
disabled by default (set to 0). Both the host and the server can set the maximum segment size
when they first establish a connection. If either maximum is less than the value you set for the
Force Minimum Segment Size for TCP Proxy field, then the security appliance overrides the
maximum and inserts the “minimum” value you set (the minimum value is actually the smallest
maximum allowed). For example, if you set a minimum size of 400 bytes and a host requests a
maximum value of 300 bytes, then the security appliance alters the packet to request 400 bytes.
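To make the two segment-size settings concrete, the following is an added Python model (not Cisco code, and not from this guide) of the rewrite the appliance applies to the MSS option of a TCP SYN: it walks the RFC 793 option encoding, applies Force Maximum Segment Size (default 1380, 0 disables) and then Force Minimum Segment Size (default 0), and leaves every other option untouched. The sample option bytes are constructed, and the function names are my own.

```python
import struct

MSS_KIND, END_KIND, NOP_KIND = 2, 0, 1

# Constructed SYN option block (not a real capture): MSS 1300, NOP, NOP,
# SACK-permitted, window scale 7, end of list.
SAMPLE_SYN_OPTIONS = bytes([2, 4, 0x05, 0x14, 1, 1, 4, 2, 3, 3, 7, 0])

def walk_options(options: bytes):
    """Yield (offset, kind, length) for each multi-byte RFC 793 option."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == END_KIND:          # end-of-option-list terminates the walk
            return
        if kind == NOP_KIND:          # single-byte padding, nothing to yield
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield i, kind, length
        i += length

def clamp_mss(mss: int, max_mss: int = 1380, min_mss: int = 0) -> int:
    """Force Maximum (default 1380, 0 disables) then Force Minimum (default 0)."""
    if max_mss and mss > max_mss:
        mss = max_mss
    if min_mss and mss < min_mss:
        mss = min_mss
    return mss

def advertised_mss(options: bytes):
    """Return the MSS carried in the option block, or None if absent."""
    for off, kind, length in walk_options(options):
        if kind == MSS_KIND and length == 4:
            return struct.unpack_from("!H", options, off + 2)[0]
    return None

def rewrite_syn_options(options: bytes, max_mss: int = 1380, min_mss: int = 0) -> bytes:
    """Rewrite the MSS option in place as the appliance does; all other options
    are copied unchanged (a real rewrite must also fix the TCP checksum)."""
    out = bytearray(options)
    for off, kind, length in walk_options(options):
        if kind == MSS_KIND and length == 4:
            (mss,) = struct.unpack_from("!H", out, off + 2)
            struct.pack_into("!H", out, off + 2, clamp_mss(mss, max_mss, min_mss))
    return bytes(out)
```

With the manual's own figures, a 1300-byte request under a 1200-byte maximum becomes 1200, and a 300-byte request under a 400-byte minimum becomes 400.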
Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Seconds—Forces each
TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final
normal TCP close-down sequence. You might want to use this feature if an end-host application's
default TCP terminating sequence is a simultaneous close. The default behavior of the security
appliance is to track the shutdown sequence and release the connection after two FINs and the
ACK of the last FIN segment. This quick release heuristic enables the security appliance to
sustain a high connection rate, based on the most common closing sequence, known as the
normal close sequence. However, in a simultaneous close, both ends of the transaction initiate
the closing sequence, as opposed to the normal close sequence where one end closes and the
other end acknowledges prior to initiating its own closing sequence (see RFC 793). Thus, in a
simultaneous close, the quick release forces one side of the connection to linger in the