61-4
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter61 Using Protection Tools
Configuring TCP Options
Force Minimum Segment Size for TCPOverrides the maximum segment size to be no less
than the number of bytes you set, between 48 and any maximum number. This feature is
disabled by default (set to 0). Both the host and the server can set the maximum segment size
when they first establish a connection. If either maximum is less than the value you set for the
Force Minimum Segment Size for TCP Proxy field, then the ASA overrides the maximum and
inserts the “minimum” value you set (the minimum value is actually the smallest maximum
allowed). For example, if you set a minimum size of 400 bytes, if a host requests a maximum
value of 300 bytes, then the ASA alters the packet to request 400 bytes.
Force TCP Connection to Linger in TIME_WAIT State for at Least 15 SecondsForces each
TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final
normal TCP close-down sequence. You might want to use this feature if an end host application
default TCP terminating sequence is a simultaneous close. The default behavior of the ASA is
to track the shutdown sequence and release the connection after two FINs and the ACK of the
last FIN segment. This quick release heuristic enables the ASA to sustain a high connection rate,
based on the most common closing sequence, known as the normal close sequence. However,
in a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed
to the normal close sequence where one end closes and the other end acknowledges prior to
initiating its own closing sequence (see RFC 793). Thus, in a simultaneous close, the quick
release forces one side of the connection to linger in the CLOSING state. Having many sockets
in the CLOSING state can degrade the performance of an end host. For example, some WinSock
mainframe clients are known to exhibit this behavior and degrade the performance of the
mainframe server. Using this feature creates a window for the simultaneous close down
sequence to complete.
TCP Reset Settings
The Configuration> Properties > TCP Options > TCP Reset Settings dialog box sets the inbound and
outbound reset settings for an interface.
Fields
Send Reset Reply for Denied Inbound TCP Packets—Sends TCP resets for all inbound TCP sessions
that attempt to transit the ASA and are denied by the ASA based on access lists or AAA settings.
Traffic between same security level interfaces is also affected. When this option is not enabled, the
ASA silently discards denied packets.
You might want to explicitly send resets for inbound traffic if you need to reset identity request
(IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host,
the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out.
Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting
the SYN until the IDENT times out, so the service resetinbound command might improve
performance.
Send Reset Reply for Denied Outbound TCP Packets—Sends TCP resets for all outbound TCP
sessions that attempt to transit the ASA and are denied by the ASA based on access lists or AAA
settings. Traffic between same security level interfaces is also affected. When this option is not
enabled, the ASA silently discards denied packets. This option is enabled by default. You might
want to disable outbound resets to reduce the CPU load during traffic storms, for example.