11-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Connection Settings
Configure Connection Settings
•
timeout sip-provisional-media
hh
:
mm
:
ss
—The timeout value for SIP provisional media
connections, between 0:1:0 and 1193:0:0. The default is 2 minutes.
•
timeout sip-invite
hh
:
mm
:
ss
—The idle time after which pinholes for PROVISIONAL responses and
media xlates will be closed, between 0:1:0 and 00:30:0. The default is 3 minutes (0:3:0).
•
timeout sip-disconnect
hh
:
mm
:
ss
—The idle time after which a SIP session is deleted if the 200 OK
is not received for a CANCEL or a BYE message, between 0:0:1 and 00:10:0. The default is 2
minutes (0:2:0).
•
timeout uauth
hh
:
mm
:
ss
{
absolute
|
inactivity
}—The duration before the authentication and
authorization cache times out and the user has to reauthenticate the next connection, between 0:0:0
and 1193:0:0. The default is 5 minutes (0:5:0). The default timer is
absolute
; you can set the timeout
to occur after a period of inactivity by entering the
inactivity
keyword. The uauth duration must be
shorter than the xlate duration. Set to 0 to disable caching. Do not use 0 if passive FTP is used for
the connection or if the virtual http command is used for web authentication.
•
timeout xlate
hh
:
mm
:
ss
—The idle time until a translation slot is freed. This duration must be at least
1 minute. The default is 3 hours.
•
timeout tcp-proxy-reassembly
hh
:
mm
:
ss
—The idle timeout after which buffered packets waiting
for reassembly are dropped, between 0:0:10 and 1193:0:0. The default is 1 minute (0:1:0).
•
timeout floating-conn
hh
:
mm
:
ss
—When multiple static routes exist to a network with different
metrics, the ASA uses the one with the best metric at the time of connection creation. If a better
route becomes available, then this timeout lets connections be closed so a connection can be
reestablished to use the better route. The default is 0 (the connection never times out). To take
advantage of this feature, change the timeout to a new value between 0:1:0 and 1193:0:0.
•
timeout pat-xlate
hh
:
mm
:
ss
—The idle time until a PAT translation slot is freed, between 0:0:30 and
0:5:0. The default is 30 seconds. You may want to increase the timeout if upstream routers reject
new connections using a freed PAT port because the previous connection might still be open on the
upstream device.
Protect Servers from a SYN Flood DoS Attack (TCP Intercept)
A SYN-flooding denial of service (DoS) attack occurs when an attacker sends a series of SYN packets
to a host. These packets usually originate from spoofed IP addresses. The constant flood of SYN packets
keeps the server SYN queue full, which prevents it from servicing connection requests from legitimate
users.
You can limit the number of embryonic connections to help prevent SYN flooding attacks. An embryonic
connection is a connection request that has not finished the necessary handshake between source and
destination.
When the embryonic connection threshold of a connection is crossed, the ASA acts as a proxy for the
server and generates a SYN-ACK response to the client SYN request using the SYN cookie method (see
Wikipedia for details on SYN cookies). When the ASA receives an ACK back from the client, it can then
authenticate that the client is real and allow the connection to the server. The component that performs
the proxy is called TCP Intercept.
Summary of Contents for ASA 5512-X
Page 5: ...P A R T 1 Service Policies and Access Control ...
Page 6: ......
Page 51: ...P A R T 2 Network Address Translation ...
Page 52: ......
Page 127: ...P A R T 3 Application Inspection ...
Page 128: ......
Page 255: ...P A R T 4 Connection Settings and Quality of Service ...
Page 256: ......
Page 303: ...P A R T 5 Advanced Network Protection ...
Page 304: ......
Page 339: ...P A R T 6 ASA Modules ...
Page 340: ......