Cisco Systems OL-16647-01 Network Router User Manual
27-22
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring TCP Options
CLOSING state. Having many sockets in the CLOSING state can degrade the performance of
an end host. For example, some WinSock mainframe clients are known to exhibit this behavior
and degrade the performance of the mainframe server. Using this feature creates a window for
the simultaneous close down sequence to complete.
Modes
The following table shows the modes in which this feature is available:

Firewall Mode                Security Context
Routed     Transparent       Single     Multiple: Context     Multiple: System
  •            •               •                •
TCP Reset Settings
This dialog box sets the inbound and outbound reset settings for an interface.
Fields
Send Reset Reply for Denied Inbound TCP Packets—Sends TCP resets for all inbound TCP sessions
that attempt to transit the security appliance and are denied by the security appliance based on access
lists or AAA settings. Traffic between same security level interfaces is also affected. When this
option is not enabled, the security appliance silently discards denied packets.
You might want to explicitly send resets for inbound traffic if you need to reset identity request
(IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host,
the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out.
Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting
the SYN until the IDENT times out, so the service resetinbound command might improve
performance.
Send Reset Reply for Denied Outbound TCP Packets—Sends TCP resets for all outbound TCP
sessions that attempt to transit the security appliance and are denied by the security appliance based
on access lists or AAA settings. Traffic between same security level interfaces is also affected. When
this option is not enabled, the security appliance silently discards denied packets. This option is
enabled by default. You might want to disable outbound resets to reduce the CPU load during traffic
storms, for example.
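The two reset options above decide what the appliance sends back for a connection it has already denied: a TCP RST, or nothing. The example below (added here; it is not Cisco code and does not model the ASA implementation) parses a constructed TCP header, applies a small policy object whose defaults mirror the dialog box (inbound resets off, outbound resets on), and builds the RST the way RFC 793 specifies: for a SYN with no ACK the reset carries seq=0 and ack=SEG.SEQ+1; for a segment with ACK the reset carries seq=SEG.ACK; a segment that itself has RST set is never answered. A second function estimates how long a silently dropped connection attempt keeps a client retransmitting (assumed Linux-like defaults: 1 s initial RTO, 6 SYN retries with doubling), which is the IDENT delay the text describes. `ResetPolicy`, `respond_to_denied` and `time_to_failure` are names chosen for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits (RFC 793 control bits, low 9 bits of the data-offset/flags field).
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Parse the fixed 20-byte TCP header; options and payload are ignored."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpSegment(src, dst, seq, ack, off_flags & 0x1FF)


def build_tcp_header(seg: TcpSegment) -> bytes:
    """Serialize a 20-byte header: data offset 5, window 0, checksum 0, urgent 0.
    The checksum is left to whatever IP layer would emit the packet."""
    off_flags = (5 << 12) | (seg.flags & 0x1FF)
    return struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port,
                       seg.seq, seg.ack, off_flags, 0, 0, 0)


@dataclass
class ResetPolicy:
    """Mirrors the two checkboxes: inbound resets default off, outbound default on
    (assumed from the dialog description; not an ASA data structure)."""
    reset_inbound: bool = False
    reset_outbound: bool = True


def respond_to_denied(segment: TcpSegment, direction: str,
                      policy: ResetPolicy) -> Optional[bytes]:
    """Given a segment the firewall has ALREADY denied (ACL/AAA decision made
    elsewhere), return the RST header to send back, or None for a silent drop."""
    if direction == "inbound":
        send_reset = policy.reset_inbound
    elif direction == "outbound":
        send_reset = policy.reset_outbound
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    # Never reset a reset (RFC 793): that would cause RST ping-pong.
    if not send_reset or segment.flags & TCP_RST:
        return None
    if segment.flags & TCP_ACK:
        # Peer already has a sequence number for us: RST with seq = their ACK.
        rst = TcpSegment(segment.dst_port, segment.src_port,
                         segment.ack, 0, TCP_RST)
    else:
        # Bare SYN: seq = 0, ack = their SEQ + 1 (a SYN occupies one sequence number).
        seg_len = 1 if segment.flags & TCP_SYN else 0
        rst = TcpSegment(segment.dst_port, segment.src_port, 0,
                         (segment.seq + seg_len) & 0xFFFFFFFF, TCP_RST | TCP_ACK)
    return build_tcp_header(rst)


def time_to_failure(segment: TcpSegment, direction: str, policy: ResetPolicy,
                    initial_rto: float = 1.0, syn_retries: int = 6) -> float:
    """Seconds until the connecting client gives up. With a RST it fails at once;
    with a silent drop it retransmits the SYN with exponential backoff
    (assumed Linux-like defaults: 1 s RTO, 6 retries, doubling each time)."""
    if respond_to_denied(segment, direction, policy) is not None:
        return 0.0
    return sum(initial_rto * (2 ** i) for i in range(syn_retries + 1))


# Constructed sample: an outside host opening an IDENT (TCP/113) connection that
# the appliance denies. These bytes are built here, not captured from a device.
SAMPLE_IDENT_SYN = build_tcp_header(TcpSegment(40000, 113, 1000, 0, TCP_SYN))

if __name__ == "__main__":
    syn = parse_tcp_header(SAMPLE_IDENT_SYN)
    for pol in (ResetPolicy(), ResetPolicy(reset_inbound=True)):
        reply = respond_to_denied(syn, "inbound", pol)
        print(f"reset_inbound={pol.reset_inbound}: reply={'RST' if reply else 'drop'}, "
              f"client gives up after {time_to_failure(syn, 'inbound', pol):.0f}s")
```

With the defaults the denied IDENT SYN is dropped and the client keeps retransmitting for about two minutes under the assumed backoff; enabling inbound resets answers the first SYN with RST/ACK and the client fails immediately. Outbound traffic takes the other branch of the policy, which is why disabling outbound resets saves CPU during a storm: every denied segment stops costing a reply.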
Modes
The following table shows the modes in which this feature is available:

Firewall Mode                Security Context
Routed     Transparent       Single     Multiple: Context     Multiple: System
  •            •               •                •