Cisco ASA Series CLI Configuration Manual, page 73

Software version 9.0 for the services module

Chapter 1: Introduction to the Cisco ASA

Table 1-5. New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)

Feature: Inspection reset action change

Description:
Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent only one RST to the source device of the dropped packet. This behavior could cause resource issues.

In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:

- The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)
- The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default.)

For more information, see the service command in the ASA command reference.

This behavior ensures that a reset action will reset the connections on the ASA and on inside servers, thereby countering denial of service attacks. For outside hosts, the ASA does not send a reset by default, so no information is revealed through a TCP reset.

Also available in 8.4(4.1).

Feature: Increased maximum connection limits for service policy rules

Description:
The maximum number of connections for service policy rules was increased from 65535 to 2000000.

We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max.

We modified the following screen: Configuration > Firewall > Service Policy Rules > Connection Settings.

Also available in 8.4(5).

High Availability and Scalability Features
Cisco ASA Series CLI Configuration Guide
New Features
1-11
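
A configuration check for the two changes in Table 1-5, added here as an example and not part of the Cisco guide: it reads running-config text and reports which hosts receive a TCP reset from an inspection reset action and which set connection limits exceed the old or new maximum. The function names and the sample configuration are constructed for illustration.

```python
# Limits stated on this page: 65535 before the change, 2000000 after it.
OLD_MAX, NEW_MAX = 65535, 2000000
LIMIT_KEYS = {"conn-max", "embryonic-conn-max",
              "per-client-embryonic-max", "per-client-max"}

def reset_targets(config):
    """Return which hosts get a TCP RST when an inspection reset action fires."""
    enabled = {"resetinbound": False, "resetoutbound": False}  # both off by default
    for line in config.splitlines():
        words = line.split()
        negated = words[:1] == ["no"]
        if negated:
            words = words[1:]
        if words[:1] == ["service"] and len(words) > 1 and words[1] in enabled:
            enabled[words[1]] = not negated
    # resetoutbound resets the inside host, resetinbound the outside host.
    return {"inside": enabled["resetoutbound"], "outside": enabled["resetinbound"]}

def connection_limit_findings(config):
    """List (keyword, value, note) for limits above the old or the new maximum."""
    findings = []
    for line in config.splitlines():
        words = line.split()
        if words[:2] != ["set", "connection"]:
            continue
        # Several keyword/value pairs may share one "set connection" line.
        for key, value in zip(words[2:], words[3:]):
            if key in LIMIT_KEYS and value.isdigit():
                n = int(value)
                if n > NEW_MAX:
                    findings.append((key, n, "exceeds 2000000"))
                elif n > OLD_MAX:
                    findings.append((key, n, "needs the increased limit"))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
service resetoutbound
policy-map global_policy
 class class-default
  set connection conn-max 500000 embryonic-conn-max 1000
  set connection per-client-max 3000000
"""

if __name__ == "__main__":
    print(reset_targets(SAMPLE))
    print(connection_limit_findings(SAMPLE))
```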
