Connection Settings; What Are Connection Settings - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Connection Settings

This chapter describes how to configure connection settings for connections that go through the ASA,
or for management connections that go to the ASA.

What Are Connection Settings?

Connection settings comprise a variety of features related to managing traffic connections, such as a TCP
flow through the ASA. Some features are named components that you would configure to supply specific
services.
Connection settings include the following:
• Global timeouts for various protocols—All global timeouts have default values, so you need to
  change them only if you are experiencing premature connection loss.
• Connection timeouts per traffic class—You can override the global timeouts for specific types of
  traffic using service policies. All traffic class timeouts have default values, so you do not have to set
  them.
• Connection limits and TCP Intercept—By default, there are no limits on how many connections
  can go through (or to) the ASA. You can set limits on particular traffic classes using service policy
  rules to protect servers from denial of service (DoS) attacks. Particularly, you can set limits on
  embryonic connections (those that have not finished the TCP handshake), which protects against
  SYN flooding attacks. When embryonic limits are exceeded, the TCP Intercept component gets
  involved to proxy connections and ensure that attacks are throttled.
• Dead Connection Detection (DCD)—If you have persistent connections that are valid but often
  idle, so that they get closed because they exceed idle timeout settings, you can enable Dead
  Connection Detection to identify idle but valid connections and keep them alive (by resetting their
  idle timers). Whenever idle times are exceeded, DCD probes both sides of the connection to see if
  both sides agree the connection is valid. The show service-policy command includes counters to
  show the amount of activity from DCD.
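
A service-policy sketch that ties the listed features together, added here as an illustration and not taken from the Cisco guide. The ACL, class and policy names, the interface name "outside", the server address 192.0.2.10 and every numeric limit are constructed values to be tuned per environment.

```cisco
! Added example: all names, addresses and limits below are assumptions.

! Global idle timeout for connections (1:00:00 is the default value).
timeout conn 1:00:00

! Traffic class: inbound HTTPS to one protected server (documentation address).
access-list WEB_SERVER_IN extended permit tcp any host 192.0.2.10 eq 443
class-map WEB_SERVER_CONNS
 match access-list WEB_SERVER_IN

policy-map OUTSIDE_CONN_POLICY
 class WEB_SERVER_CONNS
  ! Connection limits: cap total connections for the class, and cap
  ! embryonic (half-open) connections overall and per client. Once an
  ! embryonic limit is exceeded, TCP Intercept proxies the handshake.
  set connection conn-max 2000 embryonic-conn-max 500 per-client-embryonic-max 20
  ! Per-class timeouts override the global ones for this class only.
  ! dcd 0:00:15 5 = probe every 15 seconds, up to 5 retries, before
  ! an idle connection is declared dead and removed.
  set connection timeout embryonic 0:00:30 idle 2:00:00 dcd 0:00:15 5

! Apply the policy to traffic entering the outside interface.
service-policy OUTSIDE_CONN_POLICY interface outside

! Verify: per-class counters, including DCD probe activity.
show service-policy
```

Leaving `embryonic-conn-max` unset keeps the default of no limit, which means TCP Intercept never engages for that class.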
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 16
