Cisco Systems CL-28826-01 Security Camera User Manual


56-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
Configuring TCP Maps
Table 56-7 Add and Edit TCP Map Dialog Boxes (Continued)

Element / Description

Queue Limit (ASA devices only)
The maximum number of out-of-order packets that can be buffered and put in order for a TCP connection; enter a value between 1 and 250. Enter 0 to disable this setting and use the default system queue limit, which depends on the type of traffic:
- Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the security appliance receives a TCP packet with a different window size, the queue limit is dynamically changed to match the advertised setting.
- For other TCP connections, out-of-order packets are passed through untouched.
However, if you set the Queue Limit to 1 or higher, the number of out-of-order packets allowed for all TCP traffic matches the specified value. For application inspection, IPS, and TCP check-retransmission traffic, any advertised settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.

Time Out (ASA 7.2(4)+ devices only)
The maximum amount of time that out-of-order packets can remain in the buffer before they are dropped; enter a value between 1 and 20 seconds. The default is 4 seconds.
This setting is ignored if you entered 0 for the Queue Limit.

Verify TCP Checksum
If checked, checksum verification is enabled.

Drop SYN Packets with Data
If checked, TCP SYN packets that include data are dropped.

Drop Connection on Window Variation
If checked, connections that change window size unexpectedly are dropped.

Drop Packets that Exceed Maximum Segment Size
If checked, packets that exceed the maximum segment size (MSS) set by a peer are dropped.

Check if Transmitted Data is the Same as Original
If checked, retransmit data checking is enabled.

Clear Urgent Flag
If checked, the URG (urgent) flag is cleared as the packet passes through the security appliance. The URG flag indicates that the packet contains information of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag; therefore end systems handle urgent offsets in different ways, which may make the end system vulnerable.

Clear Selective Ack
Whether the selective acknowledgment (SACK) option is cleared or allowed.

Clear TCP Timestamp
Whether the timestamp option is cleared or allowed. Clearing it disables PAWS and RTT measurement.

Clear Window Scale
Whether the window scale option is cleared or allowed.
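The dialog box elements above correspond to the ASA `tcp-map` commands. The following is an added example, not taken from the user guide; the map, class-map and policy-map names, the port and the interface name are illustrative assumptions, and the values are one reasonable hardening choice rather than defaults.

```cisco
! Added example, not from the user guide. TCPMAP-NORMALIZE, CM-HTTPS,
! PM-OUTSIDE, port 443 and the "outside" interface are assumed names.
tcp-map TCPMAP-NORMALIZE
! Queue Limit 10 (1 or higher applies to all TCP traffic and ignores the
! advertised window); Time Out 4 seconds (ignored when queue-limit is 0)
 queue-limit 10 timeout 4
! Verify TCP Checksum
 checksum-verification
! Drop SYN Packets with Data
 syn-data drop
! Drop Connection on Window Variation
 window-variation drop-connection
! Drop Packets that Exceed Maximum Segment Size
 exceed-mss drop
! Check if Transmitted Data is the Same as Original
 check-retransmission
! Clear Urgent Flag: end systems interpret the urgent offset inconsistently
 urgent-flag clear
! Leave SACK, timestamp and window scale allowed: clearing the timestamp
! option disables PAWS and RTT measurement, and clearing window scale caps
! the receive window at 64 KB for the connections this map covers
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow
!
! Attach the map to a traffic class through the service policy
class-map CM-HTTPS
 match port tcp eq 443
!
policy-map PM-OUTSIDE
 class CM-HTTPS
  set connection advanced-options TCPMAP-NORMALIZE
!
service-policy PM-OUTSIDE interface outside
```

Check the result with `show running-config tcp-map` and `show service-policy interface outside`; packets the map drops are reported under the normalizer counters there.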