Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 22 Configuring Connection Settings
Note: When Authentication Absolute = 0, HTTPS authentication may not work. If a browser initiates
multiple TCP connections to load a web page after HTTPS authentication, the first connection
is permitted through, but subsequent connections trigger authentication. As a result, users are
continuously presented with an authentication page, even after successful authentication. To
work around this, set the authentication absolute timeout to 1 second. This workaround opens a
1-second window of opportunity that might allow non-authenticated users to go through the
firewall if they are coming from the same source IP address.
Authentication inactivity—Modifies the idle time until the authentication cache times out and users
have to reauthenticate a new connection. This duration must be shorter than the Translation Slot
value.
Translation Slot—Modifies the idle time until a translation slot is freed. This duration must be at
least 1 minute. The default is 3 hours. Enter 0:0:0 to disable the timeout.
(8.4(3) and later, not including 8.5(1) and 8.6(1)) PAT Translation Slot—Modifies the idle time until
a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want
to increase the timeout if upstream routers reject new connections using a freed PAT port because
the previous connection might still be open on the upstream device.
Feature History for Connection Settings
Table 22-1 lists each feature change and the platform release in which it was implemented. ASDM is
backwards-compatible with multiple platform releases, so the specific ASDM release in which support
was added is not listed.
Table 22-1 Feature History for Connection Settings

Feature Name: TCP state bypass
Platform Releases: 8.2(1)
Feature Information: This feature was introduced. The following command was introduced: set connection advanced-options tcp-state-bypass.

Feature Name: Connection timeout for all protocols
Platform Releases: 8.2(2)
Feature Information: The idle timeout was changed to apply to all protocols, not just TCP. The following screen was modified: Configuration > Firewall > Service Policies > Rule Actions > Connection Settings.

Feature Name: Timeout for connections using a backup static route
Platform Releases: 8.2(5)/8.4(2)
Feature Information: When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value. We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.