Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for the ASASM
table-map through title commands
Downloads: This chapterpdf (PDF - 592.0KB) The complete bookPDF (PDF - 2.97MB) | The complete bookePub (ePub - 264.0KB) | The complete bookMobi (Mobi - 316.0KB) | Feedback

Table of Contents

table-map through title Commands

table-map

tcp-map

tcp-options

telnet

telnet timeout

terminal

terminal pager

terminal width

test aaa-server

test aaa-server ad-agent

test dynamic-access-policy attributes

test dynamic-access-policy execute

test regex

test sso-server

text-color

tftp-server

tftp-server address

threat-detection basic-threat

threat-detection rate

threat-detection scanning-threat

threat-detection statistics

threshold

ticket

timeout

timeout (aaa-server host)

timeout (dns-server-group configuration mode)

timeout (gtp-map)

timeout (radius-accounting)

timeout (sla monitor)

timeout pinhole

timers bgp

ime-range

timeout secure-phones

timers lsa arrival

timers lsa-group-pacing (OSPFv2)

timers pacing flood (OSPFv3)

timers pacing lsa-group (OSPFv3)

timers pacing retransmission (OSPFv3)

timers spf

timers throttle lsa

timers throttle lsa

title

table-map through title Commands

table-map

To modify metric and tag values when the IP routing table is updated with BGP learned routes, use the table-map command in address family configuration mode. To disable this function, use the no form of the command.

table-map map_name

no table-map map_name

 
Syntax Description

map_name

Route map name from the route-map command.

 
Defaults

This command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Address family configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.2(1)

This command was introduced.

 
Usage Guidelines

This command adds the route map name defined by the route-map command to the IP routing table. This command is used to set the tag name and the route metric to implement redistribution.

You can use match clauses of route maps in the table-map command. IP access list, autonomous system paths, and next hop match clauses are supported.

Examples

In the following address family configuration mode example, the ASA software is configured to automatically compute the tag value for the BGP learned routes and to update the IP routing table:

ciscoasa(config)# route-map tag
ciscoasa(config-route-map)# match as path 10
ciscoasa(config-route-map)# set automatic-tag
ciscoasa(config)# router bgp 100
ciscoasa(config-router)# address-family ipv4 unicast
ciscoasa(config-router-af)# table-map tag
 

 
Related Commands

Command
Description

address-family

Enters the address-family configuration mode.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

tcp-map

To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that identify abnormal packets, which the ASA drops when they are detected. To remove the TCP map, use the no form of this command.

tcp-map map_name

no tcp-map map_name

 
Syntax Description

map_name

Specifies the TCP map name.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(4)/8.0(4)

The invalid-ack , seq-past-window , and synack-data subcommands were added.

 
Usage Guidelines

This feature uses Modular Policy Framework. First define the TCP normalization actions you want to take using the tcp-map command. The tcp-map command enters tcp-map configuration mode, where you can enter one or more commands to define the TCP normalization actions. Then define the traffic to which you want to apply the TCP map using the class-map command. Enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, enter the set connection advanced-options command to reference the TCP map. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the CLI configuration guide.

The following commands are available in tcp-map configuration mode:

 

check-retransmission

Enables and disables the retransmit data checks.

checksum-verification

Enables and disable checksum verification.

exceed-mss

Allows or drops packets that exceed MSS set by peer.

invalid-ack

Sets the action for packets with an invalid ACK.

queue-limit

Configures the maximum number of out-of-order packets that can be queued for a TCP connection. This command is only available on the ASA 5500 series adaptive ASA. On the PIX 500 series ASA, the queue limit is 3 and cannot be changed.

reserved-bits

Sets the reserved flags policy in the ASA.

seq-past-window

Sets the action for packets that have past-window sequence numbers, namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window.

synack-data

Sets the action for TCP SYNACK packets that contain data.

syn-data

Allows or drops SYN packets with data.

tcp-options

Allows or clears the selective-ack, timestamps, or window-scale TCP options.

ttl-evasion-protection

Enables or disables the TTL evasion protection offered by the ASA.

urgent-flag

Allows or clears the URG pointer through the ASA.

window-variation

Drops a connection that has changed its window size unexpectedly.

Examples

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands:

ciscoasa(config)# tcp-map tmap
ciscoasa(config-tcp-map)# urgent-flag allow
 
ciscoasa(config-tcp-map)# class-map urg-class
ciscoasa(config-cmap)# match port tcp range ftp-data telnet
 
ciscoasa(config-cmap)# policy-map pmap
ciscoasa(config-pmap)# class urg-class
ciscoasa(config-pmap-c)# set connection advanced-options tmap
 
ciscoasa(config-pmap-c)# service-policy pmap global
 

 
Related Commands

Command
Description

class (policy-map)

Specifies a class map to use for traffic classification.

clear configure tcp-map

Clears the TCP map configuration.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config tcp-map

Displays the information about the TCP map configuration.

tcp-options

Allows or clears the selective-ack, timestamps, or window-scale TCP options.

tcp-options

To allow or clear the TCP options through the ASA, use the tcp-options command in tcp-map configuration mode. To remove this specification, use the no form of this command.

tcp-options { selective-ack | timestamp | window-scale } { allow | clear }

no tcp-options { selective-ack | timestamp | window-scale } { allow | clear }

tcp-options range lower upper { allow | clear | drop }

no tcp-options range lower upper { allow | clear | drop }

 
Syntax Description

allow

Allows the TCP options through the TCP normalizer.

clear

Clears the TCP options through the TCP normalizer and allows the packet.

drop

Drops the packet.

lower

Lower bound ranges (6-7) and (9-255).

selective-ack

Sets the selective acknowledgement mechanism (SACK) option. The default is to allow the SACK option.

timestamp

Sets the timestamp option. Clearing the timestamp option will disable PAWS and RTT. The default is to allow the timestamp option.

upper

Upper bound range (6-7) and (9-255).

window-scale

Sets the window scale mechanism option. The default is to allow the window scale mechanism option.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the tcp-options command in tcp-map configuration mode to clear selective-acknowledgement, window-scale, and timestamp TCP options. You can also clear or drop packets with options that are not very well defined.

Examples

The following example shows how to drop all packets with TCP options in the ranges of 6-7 and 9-255:

ciscoasa(config)# access-list TCP extended permit tcp any any
ciscoasa(config)# tcp-map tmap
ciscoasa(config-tcp-map)# tcp-options range 6 7 drop
ciscoasa(config-tcp-map)# tcp-options range 9 255 drop
ciscoasa(config)# class-map cmap
ciscoasa(config-cmap)# match access-list TCP
ciscoasa(config)# policy-map pmap
ciscoasa(config-pmap)# class cmap
ciscoasa(config-pmap)# set connection advanced-options tmap
ciscoasa(config)# service-policy pmap global
 

 
Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.

telnet

To allow Telnet access to an interface, use the telnet command in global configuration mode. To remove Telnet access, use the no form of this command.

telnet { ipv4_address mask | ipv6_address / prefix } interface_name

no telnet { ipv4_address mask | ipv6_address / prefix } interface_name

 
Syntax Description

interface_name

Specifies the name of the interface on which to allow Telnet. You cannot enable Telnet on the lowest security interface unless you use Telnet in a VPN tunnel.

ipv4_address mask

Specifies the IPv4 address of a host or network authorized to Telnet to the ASA, and the subnet mask.

ipv6_address / prefix

Specifies the IPv6 address/prefix authorized to Telnet to the ASA.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(2), 9.1(2)

The default password, "cisco," has been removed; you must actively set a login password using the password command.

 
Usage Guidelines

The telnet command lets you specify which hosts can access the ASA CLI with Telnet. You can enable Telnet to the ASA on all interfaces. However, You cannot use Telnet to the lowest security interface unless you use Telnet inside a VPN tunnel.

Use the password command to set a password for Telnet access to the console. Use the who command to view which IP addresses are currently accessing the ASA console. Use the kill command to terminate an active Telnet console session.

If you use the aaa authentication telnet con sole command, Telnet console access must be authenticated with an authentication server.

Examples

This example shows how to permit hosts 192.168.1.3 and 192.168.1.4 to access the ASA CLI through Telnet. In addition, all the hosts on the 192.168.2.0 network are given access.

ciscoasa(config)# telnet 192.168.1.3 255.255.255.255 inside
ciscoasa(config)# telnet 192.168.1.4 255.255.255.255 inside
ciscoasa(config)# telnet 192.168.2.0 255.255.255.0 inside
ciscoasa(config)# show running-config telnet
192.168.1.3 255.255.255.255 inside
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
 

This example shows a Telnet console login session (the password does not display when entered):

ciscoasa# passwd: cisco
 
Welcome to the XXX
Type help or ‘?’ for a list of available commands.
ciscoasa>
 

You can remove individual entries with the no telnet command or all telnet command statements with the clear configure telnet command:

ciscoasa(config)# no telnet 192.168.1.3 255.255.255.255 inside
ciscoasa(config)# show running-config telnet
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
 
ciscoasa(config)# clear configure telnet
 

 
Related Commands

Command
Description

clear configure telnet

Removes a Telnet connection from the configuration.

kill

Terminates a Telnet session.

show running-config telnet

Displays the current list of IP addresses that are authorized to use Telnet connections to the ASA.

telnet timeout

Sets the Telnet timeout.

who

Displays active Telnet administration sessions on the ASA.

telnet timeout

To set the Telnet idle timeout, use the telnet timeout command in global configuration mode. To restore the default timeout, use the no form of this command.

telnet timeout minutes

no telnet timeout minutes

 
Syntax Description

minutes

Number of minutes that a Telnet session can be idle before being closed by the ASA. Valid values are from 1 to 1440 minutes. The default is 5 minutes.

 
Defaults

By default, Telnet sessions left idle for five minutes are closed by the ASA.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the ASA.

Examples

This example shows how to change the maximum session idle duration:

ciscoasa(config)# telnet timeout 10
ciscoasa(config)# show running-config telnet timeout
telnet timeout 10 minutes
 

 
Related Commands

Command
Description

clear configure telnet

Removes a Telnet connection from the configuration.

kill

Terminates a Telnet session.

show running-config telnet

Displays the current list of IP addresses that are authorized to use Telnet connections to the ASA.

telnet

Enables Telnet access to the ASA.

who

Displays active Telnet administration sessions on the ASA.

terminal

To allow syslog messages to show in the current Telnet session, use the terminal monitor command in privileged EXEC mode. To disable syslog messages, use the no form of this command.

terminal { monitor | no monitor }

 
Syntax Description

monitor

Enables the display of syslog messages in the current Telnet session.

no monitor

Disables the display of syslog messages in the current Telnet session.

 
Defaults

Syslog messages are disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

This example shows how to display and disable syslog messages in the current session:

ciscoasa# terminal monitor
ciscoasa# terminal no monitor

 
Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

pager

Sets the number of lines to display in a Telnet session before the “---more---” prompt. This command is saved to the configuration.

show running-config terminal

Displays the current terminal settings.

terminal pager

Sets the number of lines to display in a Telnet session before the “---more---” prompt. This command is not saved to the configuration.

terminal width

Sets the terminal display width in global configuration mode.

terminal pager

To set the number of lines on a page before the “---More---” prompt appears for Telnet sessions, use the terminal pager command in privileged EXEC mode.

terminal pager [lines] lines

 
Syntax Description

[ lines ] lines

Sets the number of lines on a page before the “---More---” prompt appears. The default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines. The lines keyword is optional, and the command is the same with or without it.

 
Defaults

The default is 24 lines.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command changes the pager line setting only for the current Telnet session. To save a new default pager setting to the configuration, use the pager command.

If you use Telnet to access the admin context, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.

Examples

The following example changes the number of lines displayed to 20:

ciscoasa# terminal pager 20
 

 
Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

pager

Sets the number of lines to display in a Telnet session before the “---More---” prompt. This command is saved to the configuration.

show running-config terminal

Displays the current terminal settings.

terminal

Allows syslog messages to display in the Telnet session.

terminal width

Sets the terminal display width in global configuration mode.

terminal width

To set the width for displaying information during console sessions, use the terminal width command in global configuration mode. To disable, use the no form of this command.

terminal width columns

no terminal width columns

 
Syntax Description

columns

Specifies the terminal width in columns. The default is 80. The range is 40 to 511.

 
Defaults

The default display width is 80 columns.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

This example shows how to terminal display width to 100 columns:

ciscoasa# terminal width 100

 
Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

show running-config terminal

Displays the current terminal settings.

terminal

Sets the terminal line parameters in privileged EXEC mode.

test aaa-server

To check whether the ASA can authenticate or authorize users with a particular AAA server, use the test aaa-server command in privileged EXEC mode. Failure to reach the AAA server may be due to incorrect configuration on the ASA, or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime.

test aaa-server { authentication server_tag [ host ip_address ] [ username username ] [ password password ] | authorization server_tag [ host ip_address ] [ username username ][ ad-agent ]}

 
Syntax Description

ad-agent

Tests connectivity to the AAA AD agent server.

authentication

Tests a AAA server for authentication capability.

authorization

Tests a AAA server for legacy VPN authorization capability.

host ip_address

Specifies the server IP address. If you do not specify the IP address in the command, you are prompted for it.

password password

Specifies the user password. If you do not specify the password in the command, you are prompted for it.

server_tag

Specifies the AAA server tag as set by the aaa-server command.

username username

Specifies the username of the account used to test the AAA server settings. Make sure the username exists on the AAA server; otherwise, the test will fail. If you do not specify the username in the command, you are prompted for it.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(4)

This command was introduced.

8.4(2)

The ad-agent keyword was added.

 
Usage Guidelines

The test aaa-server command lets you verify that the ASA can authenticate users with a particular AAA server, and for legacy VPN authorization, if you can authorize a user. This command lets you test the AAA server without having an actual user who attempts to authenticate or authorize. It also helps you isolate whether AAA failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the ASA.

Examples

The following example configures a RADIUS AAA server named srvgrp1 on host 192.168.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650. The test aaa-server command following the setup of the AAA server parameters indicates that the authentication test failed to reach the server.

ciscoasa(config)# aaa-server svrgrp1 protocol radius
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry-interval 7
ciscoasa(config-aaa-server-host)# authentication-port 1650
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# test aaa-server authentication svrgrp1
Server IP Address or name: 192.168.3.4
Username: bogus
Password: mypassword
INFO: Attempting Authentication test to IP address <192.168.3.4> (timeout: 10 seconds)
ERROR: Authentication Rejected: Unspecified
 

The following is sample output from the test aaa-server command with a successful outcome:

ciscoasa# test aaa-server authentication svrgrp1 host 192.168.3.4 username bogus password mypassword
INFO: Attempting Authentication test to IP address <10.77.152.85> (timeout: 12 seconds)
INFO: Authentication Successful
 

 
Related Commands

Command
Description

aaa authentication console

Configures authentication for management traffic.

aaa authentication match

Configures authentication for through traffic.

aaa-server

Creates a AAA server group.

aaa-server host

Adds a AAA server to a server group.

test aaa-server ad-agent

To test the Active Directory Agent configuration after you configure, use the test aaa-server ad-agent command in AAA Server Group configuration mode.

test aaa-server ad-agent

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa server group configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

To configure the Active Directory Agent for the Identity Firewall, you must enter the ad-agent-mode command, which is a submode of the aaa-server command. Entering the ad-agent-mode command enters the AAA Server Group configuration mode.

After configuring the Active Directory Agent, enter the test aaa-server ad-agent command to verify that the ASA has a functional connection to the Active Directory Agent.

Periodically or on-demand, the AD Agent monitors the Active Directory server security event log file via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address mappings. and notifies the ASA of changes.

Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between ASA and AD Agent.

Examples

The following example shows how to enable ad-agent-mode while configuring the Active Directory Agent for the Identity Firewall and then test the connection:

hostname(config)# aaa-server adagent protocol radius
hostname(config)# ad-agent-mode
hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101
hostname(config-aaa-server-host)# key mysecret
hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagent
hostname(config-aaa-server-host)# test aaa-server ad-agent

 
Related Commands

Command
Description

aaa-server

Creates a AAA server group and configures AAA server parameters that are group-specific and common to all group hosts.

clear configure user-identity

Clears the configuration for the Identity Firewall feature.

test dynamic-access-policy attributes

To enter the dap attributes mode, from Privileged EXEC mode, enter the test dynamic-access-policy attributes command. Doing so lets you specify user and endpoint attribute value pairs.

dynamic-access-policy attributes

 
Defaults

No default value or behaviors.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

Normally the ASA retrieves user authorization attributes from the AAA server and retrieves endpoint attributes from Cisco Secure Desktop, Host Scan, CNA or NAC. For the test command, you specify the user authorization and endpoint attributes in this attributes mode. The ASA writes them to an attribute database that the DAP subsystem references when evaluating the AAA selection attributes and endpoint select attributes for a DAP record.

This feature lets you experiment with creating a DAP record.

Examples

The following example shows how to use the attributes command.

ciscoasa # test dynamic-access-policy attributes
ciscoasa(config-dap-test-attr)#
 

 
Related Commands

Command
Description

dynamic-access-policy-record

Creates a DAP record.

attributes

Enters attributes mode, in which you can specify user attribute value pairs.

display

Displays current attribute list.

test dynamic-access-policy execute

To test already configured DAP records, use the test dynamic-access-policy execute command in privileged EXEC mode:

test dynamic-access-policy execute

 
Syntax Description

 
Syntax DescriptionSyntax Description

AAA attribute value

The DAP subsystem on the device references these values when evaluating the AAA and endpoint selection attributes for each record.

AAA Attribute—Identifies the AAA attribute.

Operation Value—Identifies the attribute as =/!= to the given value.

endpoint attribute value

Identifies the endpoint attribute.

Endpoint ID—Provides the endpoint attribute ID.

Name/Operation/Value—

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(4)

This command was introduced.

 
Usage Guidelines

This command lets you test the retrieval of the set of DAP records configured on the device by specifying authorization attribute value pairs.

test regex

To test a regular expression, use the test regex command in privileged EXEC mode.

test regex input_text regular_expression

 
Syntax Description

input_text

Specifies the text that you want to match with the regular expression.

regular_expression

Specifies the regular expression up to 100 characters in length. See the regex command for a list of metacharacters you can use in the regular expression.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

The test regex command tests a regular expression to make sure it matches what you think it will match.

If the regular expression matches the input text, you see the following message:

INFO: Regular expression match succeeded.
 

If the regular expression does not match the input text, you see the following message:

INFO: Regular expression match failed.
 

Examples

The following example tests input text against a regular expression:

ciscoasa# test regex farscape scape
INFO: Regular expression match succeeded.
 
ciscoasa# test regex farscape scaper
 
INFO: Regular expression match failed.

 
Related Commands

Command
Description

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a policy map by associating the traffic class with one or more actions.

policy-map type inspect

Defines special actions for application inspection.

class-map type regex

Creates a regular expression class map.

regex

Creates a regular expression.

test sso-server

To test an SSO server with a trial authentication request, use the test sso-server command in privileged EXEC mode.

test sso-server server-name username user-name

 
Syntax Description

 
Syntax DescriptionSyntax Description

server-name

Specifies the name of the SSO server being tested.

user-name

Specifies the name of a user on the SSO server being tested.

 
Defaults

No default values or behavior.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Config-webvpn

  • Yes

  • Yes

Config-webvpn-sso-saml

  • Yes

  • Yes

Config-webvpn-sso-siteminder

  • Yes

  • Yes

Global configuration mode

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The test sso-server command tests whether an SSO server is recognized and responding to authentication requests.

If the SSO server specified by the server-name argument is not found, the following error appears:

ERROR: sso-server server-name does not exist

If the SSO server is found but the user specified by the user-name argument is not found, the authentication is rejected.

In the authentication, the ASA acts as a proxy for the WebVPN user to the SSO server. The ASA currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. This command applies to both types of SSO Servers.

Examples

The following example, entered in privileged EXEC mode, successfully tests an SSO server named my-sso-server using a username of Anyuser:

ciscoasa# test sso-server my-sso-server username Anyuser
INFO: Attempting authentication request to sso-server my-sso-server for user Anyuser
INFO: STATUS: Success
ciscoasa#
 

The following example shows a test of the same server, but the user, Anotheruser, is not recognized and the authentication fails:

ciscoasa# test sso-server my-sso-server username Anotheruser
INFO: Attempting authentication request to sso-server my-sso-server for user Anotheruser
INFO: STATUS: Failed
ciscoasa#

 
Related Commands

Command
Description

max-retry-attempts

Configures the number of times the ASA retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.

text-color

To set a color for text in the WebVPN title bar on the login, home page, and file access page, use the text-color command in webvpn mode. To remove a text color from the configuration and reset the default, use the no form of this command.

text-color [ black | white | auto ]

no text-color

 
Syntax Description

auto

Chooses black or white based on the settings for the secondary-color command. That is, if the secondary color is black, this value is white.

black

The default text color for title bars is white.

white

You can change the color to black.

 
Defaults

The default text color for the title bars is white.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

config-webvpn

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following example shows how to set the text color for title bars to black:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# text-color black

 
Related Commands

Command
Description

secondary-text-color

Sets the secondary text color for the WebVPN login, home page, and file access page.

tftp-server

To specify the default TFTP server and path and filename for use with configure net or write net commands, use the tftp-server command in global configuration mode. To remove the server configuration, use the no form of this command. This command supports IPv4 and IPv6 addresses.

tftp-server interface_name server filename

no tftp-server [ interface_name server filename ]

 
Syntax Description

filename

Specifies the path and filename.

interface_name

Specifies the gateway interface name. If you specify an interface other than the highest security interface, a warning message informs you that the interface is unsecure.

server

Sets the TFTP server IP address or name. You can enter an IPv4 or IPv6 address.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

The gateway interface is now required.

 
Usage Guidelines

The tftp-server command simplifies entering the configure net and write net commands. When you enter the configure net or write net commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as-is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value.

The ASA supports only one tftp-server command.

Examples

The following example shows how to specify a TFTP server and then read the configuration from the /temp/config/test_config directory:

ciscoasa(config)# tftp-server inside 10.1.1.42 /temp/config/test_config
ciscoasa(config)# configure net
 

 
Related Commands

Command
Description

configure net

Loads the configuration from the TFTP server and path that you specify.

show running-config tftp-server

Displays the default TFTP server address and the directory of the configuration file.

tftp-server address

To specify the TFTP servers in the cluster, use the tftp-server address command in phone-proxy configuration mode. To remove the TFTP server from the Phone Proxy configuration, use the no form of this command.

tftp-server address ip_address [ port ] interface interface

no tftp-server address ip_address [ port ] interface interface

 
Syntax Description

ip_address

Specifies the address of the TFTP server.

interface interface

Specifies the interface on which the TFTP server resides. This must be the real address of the TFTP server.

port

(Optional) This is the port the TFTP server is listening in on for the TFTP requests. This should be configured if it is not the default TFTP port 69.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Phone-proxy configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(4)

The command was introduced.

 
Usage Guidelines

The Phone Proxy must have at least one CUCM TFTP server configured. Up to five TFTP servers can be configured for the Phone Proxy.

The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the Phone Proxy intercepts the requests between the IP phones and TFTP server. The TFTP server must reside on the same interface as the CUCM.

Create the TFTP server using the internal IP address and specify the interface on which the TFTP server resides.

On the IP phones, the IP address of the TFTP server must be configured as follows:

  • If NAT is configured for the TFTP server, use the TFTP server’s global IP address.
  • If NAT is not configured for the TFTP server, use the TFTP server’s internal IP address.

If the service-policy is applied globally, a classification rule will be created to direct any TFTP traffic reaching the TFTP server on all ingress interfaces, except for the interface on which the TFTP server resides. When the service-policy is applied on a specific interface, a classification rule will be created to direct any TFTP traffic reaching the TFTP server on that specified interface to the phone-proxy module.

If a NAT rule is configured for the TFTP server, it must be configured prior to applying the service-policy so that the global address of the TFTP server is used when installing the classification rule.

Examples

The following example shows the use of the tftp-server address command to configure two TFTP servers for the Phone Proxy:

ciscoasa(config)# phone-proxy asa_phone_proxy
ciscoasa(config-phone-proxy)# tftp-server address 192.168.1.2 in interface outside
ciscoasa(config-phone-proxy)# tftp-server address 192.168.1.3 in interface outside
ciscoasa(config-phone-proxy)# media-termination address 192.168.1.4 interface inside
ciscoasa(config-phone-proxy)# media-termination address 192.168.1.25 interface outside
ciscoasa(config-phone-proxy)# tls-proxy asa_tlsp
ciscoasa(config-phone-proxy)# ctl-file asactl
ciscoasa(config-phone-proxy)# cluster-mode nonsecure
 

 
Related Commands

Command
Description

phone-proxy

Configures the Phone Proxy instance.

threat-detection basic-threat

To enable basic threat detection, use the threat-detection basic-threat command in global configuration mode. To disable basic threat detection, use the no form of this command.

threat-detection basic-threat

no threat-detection basic-threat

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

Basic threat detection is enabled by default. The following default rate limits are used:

 

Table 1-1 Basic Threat Detection Default Settings

Packet Drop Reason
Trigger Settings
Average Rate
Burst Rate
  • DoS attack detected
  • Bad packet format
  • Connection limits exceeded
  • Suspicious ICMP packets detected

100 drops/sec over the last 600 seconds.

400 drops/sec over the last 20 second period.

80 drops/sec over the last 3600 seconds.

320 drops/sec over the last 120 second period.

Scanning attack detected

5 drops/sec over the last 600 seconds.

10 drops/sec over the last 20 second period.

4 drops/sec over the last 3600 seconds.

8 drops/sec over the last 120 second period.

Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected (combined)

100 drops/sec over the last 600 seconds.

200 drops/sec over the last 20 second period.

80 drops/sec over the last 3600 seconds.

160 drops/sec over the last 120 second period.

Denial by access lists

400 drops/sec over the last 600 seconds.

800 drops/sec over the last 20 second period.

320 drops/sec over the last 3600 seconds.

640 drops/sec over the last 120 second period.

  • Basic firewall checks failed
  • Packets failed application inspection

400 drops/sec over the last 600 seconds.

1600 drops/sec over the last 20 second period.

320 drops/sec over the last 3600 seconds.

1280 drops/sec over the last 120 second period.

Interface overload

2000 drops/sec over the last 600 seconds.

8000 drops/sec over the last 20 second period.

1600 drops/sec over the last 3600 seconds.

6400 drops/sec over the last 120 second period.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

 
Usage Guidelines

When you enable basic threat detection, the ASA monitors the rate of dropped packets and security events due to the following reasons:

  • Denial by access lists
  • Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
  • Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
  • DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
  • Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)
  • Suspicious ICMP packets detected
  • Packets failed application inspection
  • Interface overload
  • Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the threat-detection scanning-threat command) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)
  • Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected

When the ASA detects a threat, it immediately sends a system log message (733100) and alerts ASDM.

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Table 1-1 in the “Defaults” section lists the default settings. You can view all these default settings using the show running-config all threat-detection command. You can override the default settings for each type of event by using the threat-detection rate command.

If an event rate is exceeded, then the ASA sends a system message. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event received, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period.

Examples

The following example enables basic threat detection, and changes the triggers for DoS attacks:

ciscoasa(config)# threat-detection basic-threat
ciscoasa(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
 

 
Related Commands

Command
Description

clear threat-detection rate

Clears basic threat detection statistics.

show running-config all threat-detection

Shows the threat detection configuration, including the default rate settings if you did not configure them individually.

show threat-detection rate

Shows basic threat detection statistics.

threat-detection rate

Sets the threat detection rate limits per event type.

threat-detection scanning-threat

Enables scanning threat detection.

threat-detection rate

When you enable basic threat detection using the threat-detection basic-threat command, you can change the default rate limits for each event type using the threat-detection rate command in global configuration mode. If you enable scanning threat detection using the threat-detection scanning-threat command, then this command with the scanning-threat keyword also sets the when a host is considered to be an attacker or a target; otherwise the default scanning-threat value is used for both basic and scanning threat detection. To return to the default setting, use the no form of this command.

threat-detection rate { acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack } rate-interval rate_interval average-rate av_rate burst-rate burst_rate

no threat-detection rate { acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack } rate-interval rate_interval average-rate av_rate burst-rate burst_rate

 
Syntax Description

acl-drop

Sets the rate limit for dropped packets caused by denial by access lists.

average-rate av_rate

Sets the average rate limit between 0 and 2147483647 in drops/sec.

bad-packet-drop

Sets the rate limit for dropped packets caused by denial by a bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length).

burst-rate burst_rate

Sets the burst rate limit between 0 and 2147483647 in drops/sec. The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval is 1/30th of the rate-interval rate_interval value or 10 seconds, whichever is larger.

conn-limit-drop

Sets the rate limit for dropped packets caused by the connection limits being exceeded (both system-wide resource limits, and limits set in the configuration).

dos-drop

Sets the rate limit for dropped packets caused by a detected DoS attack (such as an invalid SPI, Stateful Firewall check failure).

fw-drop

Sets the rate limit for dropped packets caused by basic firewall check failure. This option is a combined rate that includes all firewall-related packet drops in this command. It does not include non-firewall-related drops such as interface-drop , inspect-drop , and scanning-threat .

icmp-drop

Sets the rate limit for dropped packets caused by denial by suspicious ICMP packets detected.

inspect-drop

Sets the rate limit for dropped packets caused by packets failing application inspection.

interface-drop

Sets the rate limit for dropped packets caused by an interface overload.

rate-interval rate_interval

Sets the average rate interval between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval.

scanning-threat

Sets the rate limit for dropped packets caused by a scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the threat-detection scanning-threat command) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.

syn-attack

Sets the rate limit for dropped packets caused by an incomplete session, such as TCP SYN attack or no data UDP session attack.

 
Defaults

When you enable basic threat detection using the threat-detection basic-threat command, the following default rate limits are used:

 

Table 1-2 Basic Threat Detection Default Settings

Packet Drop Reason
Trigger Settings
Average Rate
Burst Rate
  • dos-drop
  • bad-packet-drop
  • conn-limit-drop
  • icmp-drop

100 drops/sec over the last 600 seconds.

400 drops/sec over the last 20 second period.

100 drops/sec over the last 3600 seconds.

400 drops/sec over the last 120 second period.

scanning-threat

5 drops/sec over the last 600 seconds.

10 drops/sec over the last 20 second period.

5 drops/sec over the last 3600 seconds.

10 drops/sec over the last 120 second period.

syn-attack

100 drops/sec over the last 600 seconds.

200 drops/sec over the last 20 second period.

100 drops/sec over the last 3600 seconds.

200 drops/sec over the last 120 second period.

acl-drop

400 drops/sec over the last 600 seconds.

800 drops/sec over the last 20 second period.

400 drops/sec over the last 3600 seconds.

800 drops/sec over the last 120 second period.

  • fw-drop
  • inspect-drop

400 drops/sec over the last 600 seconds.

1600 drops/sec over the last 20 second period.

400 drops/sec over the last 3600 seconds.

1600 drops/sec over the last 120 second period.

interface-drop

2000 drops/sec over the last 600 seconds.

8000 drops/sec over the last 20 second period.

2000 drops/sec over the last 3600 seconds.

8000 drops/sec over the last 120 second period.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

 
Usage Guidelines

You can configure up to three different rate intervals for each event type.

When you enable basic threat detection, the ASA monitors the rate of dropped packets and security events due to the event types described in the “Syntax Description” table.

When the ASA detects a threat, it immediately sends a system log message (733100) and alerts ASDM.

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Table 1-1 in the “Defaults” section lists the default settings. You can view all these default settings using the show running-config all threat-detection command.

If an event rate is exceeded, then the ASA sends a system message. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. For each event received, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period.

Examples

The following example enables basic threat detection, and changes the triggers for DoS attacks:

ciscoasa(config)# threat-detection basic-threat
ciscoasa(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
 

 
Related Commands

Command
Description

clear threat-detection rate

Clears basic threat detection statistics.

show running-config all threat-detection

Shows the threat detection configuration, including the default rate settings if you did not configure them individually.

show threat-detection rate

Shows basic threat detection statistics.

threat-detection basic-threat

Enables basic threat detection.

threat-detection scanning-threat

Enables scanning threat detection.

threat-detection scanning-threat

To enable scanning threat detection, use the threat-detection scanning-threat command in global configuration mode. To disable scanning threat detection, use the no form of this command.

threat-detection scanning-threat [ shun
[ except { ip-address ip_address mask | object-group network_object_group_id } | duration seconds ]]

no threat-detection scanning-threat [ shun
[ except { ip-address ip_address mask | object-group network_object_group_id } | duration seconds ]]

 
Syntax Description

duration seconds

Sets the duration of a shun for an attacking host, between 10 and 2592000 seconds. The default length is 3600 seconds (1 hour).

except

Exempts IP addresses from being shunned. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning.

ip-address ip_address mask

Specifies the IP address you want to exempt from shunning.

object-group network_object_group_id

Specifies the network object group that you want to exempt from shunning. See the object-group network command to create the object group.

shun

Automatically terminates a host connection when the ASA identifies the host as an attacker, in addition to sending syslog message 733101.

 
Defaults

The default shun duration is 3600 seconds (1 hour).

The following default rate limits are used for scanning attack events:

 

Table 1-3 Default Rate Limits for Scanning Threat Detection

Average Rate
Burst Rate

5 drops/sec over the last 600 seconds.

10 drops/sec over the last 20 second period.

5 drops/sec over the last 3600 seconds.

10 drops/sec over the last 120 second period.

 

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

The duration keyword was added.

 
Usage Guidelines

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.


Caution The scanning threat detection feature can affect the ASA performance and memory significantly while it creates and gathers host- and subnet-based data structure and information.

You can configure the ASA to send system log messages about an attacker or you can automatically shun the host. By default, the system log message 730101 is generated when a host is identified as an attacker.

The ASA identifies attackers and targets when the scanning threat event rate is exceeded. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. For each event detected that is considered to be part of a scanning attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is considered to be a target. You can change the rate limits for scanning threat events using the threat-detection rate scanning-threat command.

To view hosts categorized as attackers or as targets, use the show threat-detection scanning-threat command.

To view shunned hosts, use the show threat-detection shun command. To release a host from being shunned, use the clear threat-detection shun command.

Examples

The following example enables scanning threat detection and automatically shuns hosts categorized as attackers, except for hosts on the 10.1.1.0 network. The default rate limits for scanning threat detection are also changed.

ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
ciscoasa(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
ciscoasa(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
 

 
Related Commands

Command
Description

clear threat-detection shun

Releases a host from being shunned.

show threat-detection scanning-threat

Shows the hosts that are categorized as attackers and targets.

show threat-detection shun

Shows hosts that are currently shunned.

threat-detection basic-threat

Enables basic threat detection.

threat-detection rate

Sets the threat detection rate limits per event type.

threat-detection statistics

To enable advanced threat detection statistics, use the threat-detection statistics command in global configuration mode. To disable advanced threat detection statistics, use the no form of this command.


Caution Enabling statistics can affect the ASA performance, depending on the type of statistics enabled. The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact.

threat-detection statistics [ access-list | [ host | port | protocol [ number-of-rate { 1 | 2 | 3 }] | tcp-intercept [ rate-interval minutes ] [ burst-rate attacks_per_sec ] [ average-rate attacks_per_sec ]]

no threat-detection statistics [ access-list | host | port | protocol | tcp-intercept [ rate-interval minutes ] [ burst-rate attacks_per_sec ] [ average-rate attacks_per_sec ]]

 
Syntax Description

access-list

(Optional) Enables statistics for access list denies. Access list statistics are only displayed using the show threat-detection top access-list command.

average-rate attacks_per_sec

(Optional) For TCP Intercept, sets the average rate threshold for syslog message generation, between 25 and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog message 733105 is generated.

burst-rate attacks_per_sec

(Optional) For TCP Intercept, sets the threshold for syslog message generation, between 25 and 2147483647. The default is 400 per second. When the burst rate is exceeded, syslog message 733104 is generated.

host

(Optional) Enables host statistics. The host statistics accumulate for as long as the host is active and in the scanning threat host database. The host is deleted from the database (and the statistics cleared) after 10 minutes of inactivity.

number-of-rate { 1 | 2 | 3 }

(Optional) Sets the number of rate intervals maintained for host, port, or protocol statistics. The default number of rate intervals is 1 , which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3 . For example, if you set the value to 3 , then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. If you set the value to 2 , then the two shortest intervals are maintained.

port

(Optional) Enables port statistics.

protocol

(Optional) Enables protocol statistics.

rate-interval minutes

(Optional) For TCP Intercept, sets the size of the history monitoring window, between 1 and 1440 minutes. The default is 30 minutes. During this interval, the ASA samples the number of attacks 30 times.

tcp-intercept

(Optional) Enables statistics for attacks intercepted by TCP Intercept. See the set connection embryonic-conn-max command , or the nat or static commands to enable TCP Intercept.

 
Defaults

Access list statistics are enabled by default. If you do not specify any options in this command, then you enable all options.

The default tcp-intercept rate-interval is 30 minutes. The default burst-rate is 400 per second. The default average-rate is 200 per second.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)/8.1(2)

The tcp-intercept keyword was added.

8.1(2)

The number-of-rates keyword was added for host statistics, and the default number of rates was changed from 3 to 1.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

8.3(1)

The number-of-rates keyword was added for port and protocol statistics, and the default number of rates was changed from 3 to 1.

 
Usage Guidelines

If you do not specify any options in this command, then you enable all statistics. To enable only certain statistics, enter this command for each statistic type, and do not also enter the command without any options. You can enter threat-detection statistics (without any options) and then customize certain statistics by entering the command with statistics-specific options (for example, threat-detection statistics host number-of-rate 2 ). If you enter threat-detection statistics (without any options) and then enter a command for specific statistics, but without any statistic-specific options, then that command has no effect because it is already enabled.

If you enter the no form of this command, it removes all threat-detection statistics commands, including the threat-detection statistics access-list command, which is enabled by default.

View statistics using the show threat-detection statistics commands.

You do not need to enable scanning threat detection using the threat-detection scanning-threat command; you can configure detection and statistics separately.

Examples

The following example enables scanning threat detection and scanning threat statistics for all types except host:

ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
ciscoasa(config)# threat-detection statistics access-list
ciscoasa(config)# threat-detection statistics port
ciscoasa(config)# threat-detection statistics protocol
ciscoasa(config)# threat-detection statistics tcp-intercept
 

 
Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics host

Shows the host statistics.

show threat-detection memory

Shows the memory use for advanced threat detection statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

show threat-detection statistics top

Shows the top 10 statistics.

threshold

To set the threshold value for over threshold events in SLA monitoring operations, use the threshold command in SLA monitor configuration mode. To restore the default value, use the no form of this command.

threshold milliseconds

no threshold

 
Syntax Description

milliseconds

Specifies the number of milliseconds for a rising threshold to be declared. Valid values are from 0 to 2147483647. This value should not be larger than the value set for the timeout.

 
Defaults

The default threshold is 5000 milliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

SLA monitor configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

The threshold value is only used to indicate over threshold events, which do not affect reachability but may be used to evaluate the proper settings for the timeout command.

Examples

The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.

ciscoasa(config)# sla monitor 123
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
ciscoasa(config-sla-monitor-echo)# threshold 2500
ciscoasa(config-sla-monitor-echo)# timeout 4000
ciscoasa(config-sla-monitor-echo)# frequency 10
ciscoasa(config)# sla monitor schedule 123 life forever start-time now
ciscoasa(config)# track 1 rtr 123 reachability
 

 
Related Commands

Command
Description

sla monitor

Defines an SLA monitoring operation.

timeout

Defines the amount of time the SLA operation waits for a response.

ticket

To configure the ticket epoch and password for the Cisco Intercompany Media Engine proxy, use the ticket command in UC-IME configuration mode. To remove the configuration from the proxy, use the no form of this command.

ticket epoch n password password

no ticket epoch n password password

 
Syntax Description

n

Specifies the length of time between password integrity checks. Enter an integer from 1-255.

password

Sets the password for the Cisco Intercompany Media Engine ticket. Enter a minimum of 10 and a maximum of 64 printable character from the US-ASCII character set. The allowed characters include 0x21 to 0x73 inclusive, and exclude the space character.

Only one password can be configured at a time.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

UC-IME configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.3(1)

The command was introduced.

 
Usage Guidelines

Configures the ticket epoch and password for Cisco Intercompany Media Engine.

The epoch contains an integer that updates each time that the password is changed. When the proxy is configured the first time and a password entered for the first time, enter 1 for the epoch integer. Each time you change the password, increment the epoch to indicate the new password. You must increment the epoch value each time your change the password.

Typically, you increment the epoch sequentially; however, the ASA allows you to choose any value when you update the epoch.

If you change the epoch value, the current password is invalidated and you must enter a new password.

We recommend a password of at least 20 characters. Only one password can be configured at a time.

The ticket password is stored onto flash. The output of the show running-config uc-ime command displays ***** instead of the password string.


Note The epoch and password that you configure on the ASA must match the epoch and password configured on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.


Examples

The following example shows specify the ticket and epoch in the Cisco Intercompany Media Engine Proxy:

ciscoasa(config)# uc-ime local_uc-ime_proxy
ciscoasa(config-uc-ime)# media-termination ime-media-term
ciscoasa(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-secure
ciscoasa(config-uc-ime)# ticket epoch 1 password password1234
hostname(config-uc-ime)# fallback monitoring timer 120
hostname(config-uc-ime)# fallback hold-down timer 30
 

 
Related Commands

Command
Description

show running-config uc-ime

Shows the running configuration of the Cisco Intercompany Media Engine proxy.

uc-ime

Creates the Cisco Intercompany Media Engine proxy instance on the ASA.

timeout

To set the global maximum idle time duration for various features, use the timeout command in global configuration mode. To set all timeouts to the default, use the no form of this command. To reset a single feature to its default, reenter the timeout command with the default value.

timeout { conn | floating-conn | h225 | h323 | half-closed | icmp | mgcp | mgcp-pat | pat-xlate | sip | sip-disconnect | sip-invite | sip_media | sip-provisional-media | sunrpc | tcp-proxy-reassembly | udp | xlate } hh : mm : ss

timeout uauth hh : mm : ss [ absolute | inactivity ]

no timeout

 
Syntax Description

absolute

(Optional for uauth ) Requires a reauthentication after the uauth timeout expires. The absolute keyword is enabled by default. To set the uauth timer to timeout after a period of inactivity, enter the inactivity keyword instead.

conn

Specifies the idle time after which a connection closes, between 0:5:0 and 1193:0:0. The default is 1 hour (1:0:0). Use 0 to never time out a connection.

floating-conn

When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value.

hh : mm : ss

Specifies the timeout in hours, minutes, and seconds. Use 0 to never time out a connection, if available.

h225

Specifies the idle time after which an H.225 signaling connection closes, between 0:0:0 and 1193:0:0. The default is 1 hour (1:0:0). A timeout value of 0:0:1 disables the timer and closes the TCP connection immediately after all calls are cleared.

h323

Specifies the idle time after which H.245 (TCP) and H.323 (UDP) media connections close, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.

half-closed

Specifies the idle time after which a TCP half-closed connection will be freed, between 0:5:0 (for 9.1(1) and earlier) or 0:0:30 (for 9.1(2) and later) and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.

icmp

Specifies the idle time for ICMP, between 0:0:2 and 1193:0:0 The default is 2 seconds (0:0:2).

inactivity

(Optional for uauth ) Requires uauth reauthentication after the inactivity timeout expires.

mgcp

Sets the idle time after which an MGCP media connection is removed, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0)

mgcp-pat

Sets the absolute interval after which an MGCP PAT translation is removed, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0).

pat-xlate

Specifies the idle time until a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want to increase the timeout if upstream routers reject new connections using a freed PAT port because the previous connection might still be open on the upstream device.

sip

Specifies the idle time after which a SIP control connection will be closed, between 0:5:0 and 1193:0:0. The default is 30 minutes (0:30:0). Use 0 to never time out a connection.

sip-disconnect

Specifies the idle time after which a SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message, between 0:0:1 and 1193:0:0. The default is 2 minutes (0:2:0).

sip-invite

(Optional) Specifies the idle time after which pinholes for PROVISIONAL responses and media xlates will be closed, between 0:1:0 and 1193:0:0. The default is 3 minutes (0:3:0).

sip_media

Specifies the idle time after which a SIP media connection will be closed, between 0:1:0 and 1193:0:0. The default is 2 minutes (0:2:0). Use 0 to never time out a connection.

The SIP media timer is used used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.

sip-provisional-media

Specifies timeout value for SIP provisional media connections, between 0:1:0 and 1193:0:0. The default is 2 minutes (0:2:0).

sunrpc

Specifies the idle time after which a SUNRPC slot will be closed, between 0:1:0 and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.

tcp-proxy-reassembly

Configures the idle timeout after which buffered packets waiting for reassembly are dropped, between 0:0:10 and 1193:0:0. The default is 1 minute (0:1:0).

uauth

Specifies the duration before the authentication and authorization cache times out and the user has to reauthenticate the next connection, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). The default timer is absolute ; you can set the timeout to occur after a period of inactivity by entering the inactivity keyword. The uauth duration must be shorter than the xlate duration. Set to 0 to disable caching. Do not use 0 if passive FTP is used for the connection or if the virtual http command is used for web authentication.

udp

Specifies the idle time until a UDP slot is freed, between 0:1:0 and 1193:0:0. The default is 2 minutes (0:2:0). Use 0 to never time out a connection.

xlate

Specifies the idle time until a translation slot is freed, between 0:1:0 and 1193:0:0. The default is 3 hours (3:0:0).

 
Defaults

The defaults are as follows:

  • conn hh : mm : ss is 1 hour ( 1:0:0 ).
  • floating-conn hh : mm : ss never times out ( 0 )
  • h225 hh : mm : ss is 1 hour ( 1:0:0 ).
  • h323 hh : mm : ss is 5 minutes ( 0:5:0 ).
  • half-closed hh : mm : ss is 10 minutes ( 0:10:0 ).
  • icmp hh:mm:ss is 2 seconds ( 0:0:2 )
  • mgcp hh:mm:ss is 5 minutes ( 0:5:0 ) .
  • mgcp-pat hh:mm:ss is 5 minutes ( 0:5:0 ) .
  • rpc hh : mm : ss is 5 minutes ( 0:5:0 ).
  • sip hh:mm: is 30 minutes ( 0:30:0 ).
  • sip-disconnect hh:mm:ss is 2 minutes ( 0:2:0 ).
  • sip-invite hh:mm:ss is 3 minutes ( 0:3:0 ).
  • sip_media hh:mm:ss is 2 minutes ( 0:2:0 ).
  • sip-provisional-media hh:mm:ss is 2 minutes ( 0:2:0 ).
  • sunrpc hh:mm:ss is 10 minutes ( 0:10:0 )
  • tcp-proxy-reassembly hh:mm:ss is 1 minute ( 0:1:0 )
  • uauth hh:mm:ss is 5 minutes ( 0:5:0 ) absolute .
  • udp hh : mm : ss is 2 minutes ( 0:02:0 ).
  • xlate hh : mm : ss is 3 hours ( 3:0:0 ).

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

The mgcp-pat, sip-disconnect, and sip-invite keywords were added.

7.2(4)/8.0(4)

The sip-provisional-media keyword was added.

7.2(5)/8.0(5)/8.1(2)/8.2(1)

The tcp-proxy-reassembly keyword was added.

8.2(5)/8.4(2)

The floating-conn keyword was added.

8.4(3)

The pat-xlate keyword was added.

9.1(2)

The minimum half-closed value was lowered to 30 seconds (0:0:30).

 
Usage Guidelines

The timeout command lets you set global timeouts. For some features, the set connection timeout command takes precedence for traffic identified in the command.

You can enter multiple keywords and values after the timeout command.

The connection timer ( conn ) takes precedence over the translation timer ( xlate ); the translation timer works only after all connections have timed out.

Examples

The following example shows how to configure the maximum idle time durations:

ciscoasa(config)# timeout uauth 0:5:0 absolute uauth 0:4:0 inactivity
ciscoasa(config)# show running-config timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity
 

 
Related Commands

Command
Description

clear configure timeout

Clears the timeout configuration and resets it to the defaults.

set connection timeout

Sets connection timeouts using Modular Policy Framework.

show running-config timeout

Displays the timeout value of the designated protocol.

timeout (aaa-server host)

To configure the host-specific maximum response time, in seconds, allowed before giving up on establishing a connection with the AAA server, use the timeout command in aaa-server host mode. To remove the timeout value and reset the timeout to the default value of 10 seconds, use the no form of this command.

timeout seconds

no timeout

 
Syntax Description

seconds

Specifies the timeout interval (1-60 seconds) for the request. This is the time after which the ASA gives up on the request to the primary AAA server. If there is a standby AAA server, the ASA sends the request to the backup server.

 
Defaults

The default timeout value is 10 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command is valid for all AAA server protocol types.

Use the timeout command to specify the length of time during which the ASA attempts to make a connection to a AAA server. Use the retry-interval command to specify the amount of time the ASA waits between connection attempts.

The timeout is the total amount of time that the ASA spends trying to complete a transaction with a server. The retry interval determines how often the communication is retried during the timeout period. Thus, if the retry interval is greater than or equal to the timeout value, you will see no retries. If you want to see retries, the retry interval musts be less than thte timeout value.

Examples

The following example configures a RADIUS AAA server named “svrgrp1” on host 1.2.3.4 to use a timeout value of 30 seconds, with a retry interval of 10 seconds. Thus, the ASA tries the communication attempt three times before giving up after 30 seconds.

ciscoasa(config)# aaa-server svrgrp1 protocol radius
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
ciscoasa(config-aaa-server-host)# timeout 30
ciscoasa(config-aaa-server-host)# retry-interval 10
ciscoasa(config-aaa-server-host)#
 

 
Related Commands

Command
Description

aaa-server host

Enters aaa server host configuration mode so you can configure AAA server parameters that are host specific.

clear configure aaa-server

Removes all AAA command statements from the configuration.

show running-config aaa

Displays the current AAA configuration values.

timeout (dns-server-group configuration mode)

To specify the amount of time to wait before trying the next DNS server, use the timeout command in dns-server-group configuration mode. To restore the default timeout, use the no form of this command.

timeout seconds

no timeout [ seconds ]

 
Syntax Description

seconds

Specifies the timeout in seconds between 1 and 30. The default is 2 seconds. Each time the ASA retries the list of servers, this timeout doubles. Use the retries command in dns-server-group configuration mode to configure the number of retries.

 
Defaults

The default timeout is 2 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

Examples

The following example sets the timeout to 1 second for the DNS server group “dnsgroup1”:

ciscoasa(config)# dns server-group dnsgroup1
ciscoasa(config-dns-server-group)# dns timeout 1
 

 
Related Commands

Command
Description

clear configure dns

Removes all user-created DNS server-groups and resets the default server group’s attributes to the default values.

domain-name

Sets the default domain name.

retries

Specifies the number of times to retry the list of DNS servers when the ASA does not receive a response.

show running-config dns server-group

Shows the current running DNS server-group configuration.

timeout (gtp-map)

To change the inactivity timers for a GTP session, use the timeout command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to set these intervals to their default values.

timeout { gsn | pdp-context | request | signaling | t3-response | tunnel } hh : mm : ss

no timeout { gsn | pdp-context | request | signaling | t3-response | tunnel } hh : mm : ss

 
Syntax Description

hh : mm : ss

This is the timeout where hh specifies the hour, mm specifies the minutes, ss specifies the seconds, and a colon ( : ) separates these three components. The value 0 means never tear down immediately.

gsn

Specifies the period of inactivity after which a GSN will be removed.

pdp-context

Specifies the maximum period of time allowed before beginning to receive the PDP context.

request

Specifies the the maximum period of time allowed before beginning to receive the GTP message.

signaling

Specifies the period of inactivity after which the GTP signaling will be removed.

t3-response

Specifies the maximum wait time for a response before a GTP connection is removed.

tunnel

Specifies the period of inactivity after which the GTP tunnel will be torn down.

 
Defaults

The default is 30 minutes for gsn , pdp-context , and signaling .

The default for request is 1 minute.

The default for tunnel is 1 hour (in the case where a Delete PDP Context Request is not received).

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The Packet Data Protocol (PDP) context is identified by the Tunnel Identifier (TID), which is a combination of IMSI and NSAPI. Each MS can have up to 15 NSAPIs, allowing it to create multiple PDP contexts each with a different NSAPI, based on application requirements for varied QoS levels.

A GTP tunnel is defined by two associated PDP Contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.

Examples

The following example sets a timeout value for the request queue of 2 minutes:

ciscoasa(config)# gtp-map gtp-policy
ciscoasa(config-gtpmap)# timeout request 00:02:00
 

 
Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.

timeout (radius-accounting)

To change the inactivity timers for RADIUS accounting users, use the timeout command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command. Use the no form of this command to set these intervals to their default values.

timeout users hh : mm : ss

no timeout users hh : mm : ss

 
Syntax Description

hh : mm : ss

This is the timeout where hh specifies the hour, mm specifies the minutes, ss specifies the seconds, and a colon ( : ) separates these three components. The value 0 means never tear down immediately. The default is one hour.

users

Specifies the timeout for users.

 
Defaults

The default timeout for users is one hour.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Radius-accounting parameter configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example sets a timeout value for the user of ten minutes:

hostname(config)# policy-map type inspect radius-accounting ra
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# timeout user 00:10:00
 

 
Related Commands

Commands
Description

inspect radius-accounting

Sets inspection for RADIUS accounting.

parameters

Sets parameters for an inspection policy map.

timeout (sla monitor)

To set the amount of time the SLA operation waits for a response to the request packets, use the timeout command in SLA monitor protocol configuration mode. To restore the default value, use the no form of this command.

timeout milliseconds

no timeout

 
Syntax Description

milliseconds

0 to 604800000.

 
Defaults

The default timeout value is 5000 milliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Sla monitor protocol configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

Use the frequency command to set how often the SLA operation sends out the request packets and the timeout command to set how long the SLA operation waits to receive a response to those requests. The values specified for the timeout command cannot be greater than the value specified for the frequency command.

Examples

The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.

ciscoasa(config)# sla monitor 123
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
ciscoasa(config-sla-monitor-echo)# threshold 2500
ciscoasa(config-sla-monitor-echo)# timeout 4000
ciscoasa(config-sla-monitor-echo)# frequency 10
ciscoasa(config)# sla monitor schedule 123 life forever start-time now
ciscoasa(config)# track 1 rtr 123 reachability
 

 
Related Commands

Command
Description

frequency

Specifies the rate at which the SLA operation repeats.

sla monitor

Defines an SLA monitoring operation.

timeout pinhole

To configure the timeout for DCERPC pinholes and override the global system pinhole timeout of two minutes, use the timeout pinhole command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

timeout pinhole hh:mm:ss

no timeout pinhole

 
Syntax Description

hh:mm:ss

The timeout for pinhole connections. Value is between 0:0:1 and 1193:0:0.

 
Defaults

This command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example shows how to configure the pinhole timeout for pin hole connections in a DCERPC inspection policy map:

ciscoasa(config)# policy-map type inspect dcerpc dcerpc_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# timeout pinhole 0:10:00
 

 
Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.

timers bgp

To adjust BGP network timers, use the timers bgp command in router configuration mode. To reset the BGP timing defaults, use the no form of this command.

timers bgp keepalive holdtime [min-holdtime]

no timers bgp keepalive holdtime [min-holdtime]

 
Syntax Description

keepalive

Frequency (in seconds) with which the Cisco IOS software sends keepalive messages to its peer. The default is 60 seconds. The range is from 0 to 65535.

holdtime

Interval (in seconds) after not receiving a keepalive message that the software declares a peer dead. The default is 180 seconds. The range is from 0 to 65535.

min-holdtime

(Optional) Interval (in seconds) specifying the minimum acceptable hold-time from a BGP neighbor. The minimum acceptable hold-time must be less than, or equal to, the interval specified in the holdtime argument. The range is from 0 to 65535.

 
Defaults

keepalive: 60 seconds
holdtime: 180 seconds

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.2(1)

This command was introduced.

 
Usage Guidelines

When configuring the holdtime argument for a value of less than twenty seconds, the following warning is displayed: A hold time of less than 20 seconds increases the chances of peer flapping

If the minimum acceptable hold-time interval is greater than the specified hold-time, a notification is displayed: Minimum acceptable hold time should be less than or equal to the configured hold time


Note When the minimum acceptable hold-time is configured on a BGP router, a remote BGP peer session is established only if the remote peer is advertising a hold-time that is equal to, or greater than, the minimum acceptable hold-time interval. If the minimum acceptable hold-time interval is greater than the configured hold-time, the next time the remote session tries to establish, it will fail and the local router will send a notification stating “unacceptable hold time.”


Examples

The following example changes the keepalive timer to 70 seconds, the hold-time timer to 130 seconds, and the minimum acceptable hold-time interval to 100 seconds:

ciscoasa(config)# router bgp 45000
ciscoasa(config-router)# timers bgp 70 130 100

ime-range

To enter time-range configuration mode and define a time range that you can attach to traffic rules, or an action, use the time-range command in global configuration mode. To disable, use the no form of this command.

time-range name

no time-range name

 
Syntax Description

name

Name of the time range. The name must be 64 characters or less.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Creating a time range does not restrict access to the device. The time-range command defines the time range only. After a time range is defined, you can attach it to traffic rules or an action.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.

The time range relies on the system clock of the ASA; however, the feature works best with NTP synchronization.

Examples

The following example creates a time range named “New_York_Minute” and enters time range configuration mode:

ciscoasa(config)# time-range New_York_Minute
ciscoasa(config-time-range)#
 

After you have created a time range and entered time-range configuration mode, you can define time range parameters with the absolute and periodic commands. To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended command to bind the time range to an ACL. The following example binds an ACL named “Sales” to a time range named “New_York_Minute”:

ciscoasa(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute
ciscoasa(config)#
 

See the access-list extended command for more information about ACLs.

 
Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

access-list extended

Configures a policy for permitting or denying IP traffic through the ASA.

default

Restores default settings for the time-range command absolute and periodic keywords.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

timeout secure-phones

To configure the idle timeout after which the secure-phone entry is removed from the Phone Proxy database, use the timeout secure-phones command in phone-proxy configuration mode. To set the timeout value back to the default of 5 minutes, use the no form of this command.

timeout secure-phones hh:mm:ss

no timeout secure-phones hh:mm:ss

 
Syntax Description

hh:mm:ss

Specifies the idle timeout after which the object is removed. The default is 5 minutes.

 
Defaults

The default value for secure phone timeout is 5 minutes.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(4)

The command was introduced.

 
Usage Guidelines

Since secure phones always request a CTL file upon bootup, the Phone Proxy creates a database that marks the phone as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). The entry’s timestamp is updated for each registration refresh the Phone Proxy receives for SIP phones and KeepAlives for SCCP phones.

The default value for the timeout secure-phones command is 5 minutes. Specify a value that is greater than the maximum timeout value for SCCP KeepAlives and SIP Register refresh. For example, if the SCCP Keepalives are configured for 1 minute intervals and the SIP Register Refresh is configured for 3 minutes, configure this timeout value greater than 3 minutes.

Examples

The following example shows the use of the timeout secure-phones command to configure the Phone Proxy to timeout entries in the secure phone database after 3 minutes:

ciscoasa(config)# phone-proxy asa_phone_proxy
ciscoasa(config-phone-proxy)# tftp-server address 192.168.1.2 in interface outside
ciscoasa(config-phone-proxy)# tftp-server address 192.168.1.3 in interface outside
ciscoasa(config-phone-proxy)# media-termination address 192.168.1.4
ciscoasa(config-phone-proxy)# tls-proxy asa_tlsp
ciscoasa(config-phone-proxy)# ctl-file asactl
ciscoasa(config-phone-proxy)# timeout secure-phones 00:03:00
 

 
Related Commands

Command
Description

phone-proxy

Configures the Phone Proxy instance.

timers lsa arrival

To set the minimum interval at which the ASA accepts the same LSA from OSPFv3 neighbors, use the timers lsa arrival command in IPv6 router configuration mode. To restore the default value, use the no form of this command.

timers lsa arrival milliseconds

no timers lsa arrival milliseconds

 
Syntax Description

milliseconds

Specifies the minimum delay in milliseconds that must pass between acceptance of the same LSA that is arriving between neighbors. Valid values are from 0 to 600,000 milliseconds.

 
Defaults

The default is 1000 millliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

IPv6 router configuration

  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

Use this command to indicate the minimum interval that must pass between acceptance of the same LSA that is arriving from neighbors.

Examples

The following example sets the minimum interval for accepting the same LSA at 2000 milliseconds:

ciscoasa(config-if)# ipv6 router ospf 1
ciscoasa(config-rtr)# log-adjacency-changes
ciscoasa(config-rtr)# timers lsa arrival 2000
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters router configuration mode for OSPFv3.

show ipv6 ospf

Displays general information about the OSPFv3 routing processes.

timers pacing flood

Configures LSA flood packet pacing for OSPFv3 routing processes.

timers lsa-group-pacing (OSPFv2)

To specify the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing command in router configuration mode. To restore the default value, use the no form of this command.

timers lsa-group-pacing seconds

no timers lsa-group-pacing [ seconds ]

 
Syntax Description

seconds

The interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged. Valid values are from 10 to 1800 seconds.

 
Defaults

The default interval is 240 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

To change the interval at which the OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing seconds command. To return to the default timer values, use the no timers lsa-group-pacing command.

Examples

The following example sets the group processing interval of LSAs to 500 seconds:

ciscoasa(config-rtr)# timers lsa-group-pacing 500
ciscoasa(config-rtr)#
 

 
Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

timers spf

Specifies the shortest path first (SPF) calculation delay and hold time

timers pacing flood (OSPFv3)

To configure LSA flood packet pacing, use the timers pacing flood command in IPv6 router configuration mode. To restore the default flood packet pacing value, use the no form of this command.

timers pacing flood milliseconds

no timers pacing flood milliseconds

 
Syntax Description

milliseconds

Specifies the time in milliseconds at which LSAs in the flooding queue are paced in-between updates. The configurable range is from 5 to 100 milliseconds.

 
Defaults

The default is 33 millliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

IPv6 router configuration

  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

Use this command to configure LSA flood packet pacing.

Examples

The following example configures LSA flood packet pacing updates to occur in 20-millisecond intervals for OSPFv3:

ciscoasa(config-if)# ipv6 router ospf 1
ciscoasa(config-rtr)# timers pacing flood 20
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters IPv6 router configuration mode.

timers pacing lsa-group

Specifies the interval at which OSPFv3 LSAs are collected into a group and refreshed, check summed, or aged.

timers pacing lsa-group (OSPFv3)

To specify the interval at which OSPFv3 LSAs are collected into a group and refreshed, check summed, or aged, use the timers pacing lsa-group command in IPv6 router configuration mode. To restore the default value, use the no form of this command.

timers pacing lsa-group seconds

no timers pacing lsa-group [ seconds ]

 
Syntax Description

seconds

Specifies the number of seconds in the interval at which LSAs are collected into a group and refreshed, check summed, or aged. Valid values are from 10 to 1800 seconds.

 
Defaults

The default interval is 240 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

IPv6 router configuration

  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

Use this command to indicate the interval at which the OSPFv3 LSAs are collected into a group and refreshed, check summed, or aged.

Examples

The following example configures OSPFv3 group packet pacing updates between LSA groups to occur in 300-seconds intervals for OSPFv3 routing process 1:

ciscoasa(config-if)# ipv6 router ospf 1
ciscoasa(config-rtr)# timers pacing lsa-group 300
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters IPv6 router configuration mode.

show ipv6 ospf

Displays general information about the OSPFv3 routing processes.

timers pacing flood

Configures LSA flood packet pacing for OSPFv3 routing processes.

timers pacing retransmission

Configures LSA retransmission packet pacing.

timers pacing retransmission (OSPFv3)

To configure link-state advertisement (LSA) retransmission packet pacing, use the timers pacing retransmission command in router configuration mode. To restore the default retransmission packet pacing value, use the no form of this command.

timers pacing retransmission milli seconds

no timers pacing retransmission

 
Syntax Description

milliseconds

Specifies the timeinterval in milliseconds at which LSAs in the retransmission queue are paced. Valid values are from 5 milliseconds to 200 milliseconds.

 
Defaults

The default interval is 66 milliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

IPv6 router configuration

  • Yes

  • Yes

 
Command History

Release
Modification

9.2(1)

This command was introduced.

 
Usage Guidelines

Configuring Open Shortest Path First (OSPF) retransmission pacing timers allow you to control interpacket spacing between consecutive link-state update packets in the OSPF retransmission queue. This command allows you to control the rate at which LSA updates occur so that high CPU or buffer utilization that can occur when an area is flooded with a very large number of LSAs can be reduced. The default settings for OSPF packet retransmission pacing timers are suitable for the majority of OSPF deployments.


Note Do not change the packet retransmission pacing timers unless all other options to meet OSPF packet flooding requirements have been exhausted. Specifically, network operators should prefer summarization, stub area usage, queue tuning, and buffer tuning before changing the default flooding timers.


Furthermore, there are no guidelines for changing timer values; each OSPF deployment is unique and should be considered on a case-by-case basis. The network operator assumes risks associated with changing the default packet retransmission pacing timer values.

Examples

The following example configures LSA flood pacing updates to occur in 55-millisecond intervals for OSPF routing process 1:

hostname(config)# router ospf 1
hostname(config-router)# timers pacing retransmission 55
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters IPv6 router configuration mode.

show ipv6 ospf

Displays general information about the OSPFv3 routing processes.

timers pacing flood

Configures LSA flood packet pacing for OSPFv3 routing processes.

timers spf

To specify the shortest path first (SPF) calculation delay and hold time, use the timers spf command in router configuration mode. To restore the default values, use the no form of this command.

timers spf delay holdtime

no timers spf [ delay holdtime ]

 
Syntax Description

delay

Specifies the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation in seconds, from 1 to 65535.

holdtime

The hold time between two consecutive SPF calculations in seconds; valid values are from 1 to 65535.

 
Defaults

The defaults are as follows:

  • delay is 5 seconds.
  • holdtime is 10 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

To configure the delay time between when the OSPF protocol receives a topology change and when it starts a calculation, and the hold time between two consecutive SPF calculations, use the timers spf command. To return to the default timer values, use the no timers spf command.

Examples

The following example sets the SPF calculation delay to 10 seconds and the SPF calculation hold time to 20 seconds:

ciscoasa(config-router)# timers spf 10 20
ciscoasa(config-router)#
 

 
Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

timers lsa-group-pacing

Specifies the interval at which OSPF link-state advertisements (LSAs) are collected and refreshed, checksummed, or aged.

timers throttle lsa

To set rate-limiting values for Open Shortest Path First (OSPF) link-state advertisement (LSA) generation, use the timers throttle lsa command in router configuration mode. To restore the default values, use the no form of this command.

To configure LSA or SPF OSPFv3 throttling, use the timers throttle command in IPv6 router configuration mode. To remove the throttling configuration, use the no form of this command.

timers throttle [ lsa | spf ] milliseconds1 milliseconds2 milliseconds3

timers throttle lsa start-interval hold-interval max-interval

no timers throttle [ lsa | spf ]

no timers throttle lsa

 
Syntax Description

lsa

Configures OSPFv3 LSA throttling.

milliseconds1

start-interval

Specifies the delay in milliseconds to generate the first occurrence of the LSA. Specifies the delay in milliseconds to receive a change to the SPF calculation.

Specifies the minimum delay in milliseconds to generate the first occurrence of LSAs.

Note The first instance of LSA is generated immediately after a local OSPF topology change. The next LSA is generated only after start-interval.

Valid values are between 0 and 0 to 600,000 milliseconds. The default value is 0 milliseconds; the LSA is sent immediately.

milliseconds2

hold-interval

Specifies the maximum delay in milliseconds to originate the same LSA. Specifies the delay in milliseconds between the first and second SPF calculations.

Specifies the minimum delay in milliseconds to generate the LSA again.This value is used to calculate the subsequent rate limiting times for LSA generation. Valid values are between 1 and 600,000 milliseconds. The default value is 5000 milliseconds.

milliseconds3

max-interval

Specifies the minimum delay in milliseconds to originate the same LSA. Specifies the maximum wait time in milliseconds for SPF calculations.

Specifies the maximum delay in milliseconds to generate the LSA again. Valid values are between 1 and 600,000 milliseconds. The default value is 5000 milliseconds.

spf

Configures OSPFv3 SPF throttling.

 
Defaults

LSA throttling:

  • For milliseconds1 , the default value is 0 milliseconds.
  • For millseconds2 , the default value is 5000 milliseconds.
  • For milleseconds3 , the default value is 5000 milliseconds.

SPF throttling:

  • For milliseconds1 , the default value is 5000 milliseconds.
  • For millseconds2 , the default value is 10000 milliseconds.
  • For milleseconds3 , the default value is 10000 milliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

IPv6 router configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

LSA and SPF throttling provide a dynamic mechanism to slow down LSA updates in OSPFv3 during times of network instability and allow faster OSPFv3 convergence by providing LSA rate limiting in milliseconds.

For LSA throttling, if the minimum or maximum time is less than the first occurrence value, then OSPFv3 automatically corrects to the first occurrence value. Similarly, if the maximum delay specified is less than the minimum delay, then OSPFv3 automatically corrects to the minimum delay value.

For SPF throttling, if milliseconds2 or milliseconds3 is less than milliseconds1 , then OSPFv3 automatically corrects to the milliseconds1 value. Similarly, if milliseconds3 is less than milliseconds2 , then OSPFv3 automatically corrects to the milliseconds2 value.

Examples

The following example configures OSPFv3 LSA throttling in milleseconds:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle lsa 100 4000 5000
 

For LSA throttling, the following example shows the automatic correction that occurs if the maximum delay value specified is less than the minimum delay value:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle lsa 100 50 50
% OSPFv3: Throttle timers corrected to: 100 100 100
ciscoasa(config-rtr)# show running-config ipv6
ipv6 router ospf 10
timers throttle lsa 100 100 100
 

The following example configures OSPFv3 SPF throttling in milleseconds:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle spf 6000 12000 14000
 

For SPF throttling, the following example shows the automatic correction that occurs if the maximum delay value specified is less than the minimum delay value:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle spf 100 50 50
% OSPFv3: Throttle timers corrected to: 100 100 100
ciscoasa(config-rtr)# show running-config ipv6
ipv6 router ospf 10
timers throttle spf 100 100 100
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters IPv6 router configuration mode.

show ipv6 ospf

Displays general information about the OSPFv3 routing processes.

timers lsa-group-pacing

Specifies the interval at which OSPFv3 LSAs are collected and refreshed, checksummed, or aged.

timers throttle lsa

To set rate-limiting values for Open Shortest Path First (OSPF) link-state advertisement (LSA) generation, use the timers throttle lsa command in router configuration mode. To restore the default values, use the no form of this command.

timers throttle lsa start-interval hold-interval max-interval

no timers throttle lsa

 
Syntax Description

start-interval

Specifies the minimum delay in milliseconds to generate the first occurrence of LSAs.

Note The first instance of LSA is generated immediately after a local OSPF topology change. The next LSA is generated only after start-interval.

Valid values are between 0 and 0 to 600,000 milliseconds. The default value is 0 milliseconds; the LSA is sent immediately.

hold-interval

Specifies the minimum delay in milliseconds to generate the LSA again.This value is used to calculate the subsequent rate limiting times for LSA generation. Valid values are between 1 and 600,000 milliseconds. The default value is 5000 milliseconds.

max-interval

Specifies the maximum delay in milliseconds to generate the LSA again. Valid values are between 1 and 600,000 milliseconds. The default value is 5000 milliseconds.

 
Defaults

LSA throttling:

  • For start-interval , the default value is 0 milliseconds.
  • For hold-interval , the default value is 5000 milliseconds.
  • For max-interval , the default value is 5000 milliseconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.2(1)

This command was introduced.

 
Usage Guidelines

The ‘same LSA’ is defined as an LSA instance that contains the same LSA ID number, LSA type, and advertising router ID. It is recommended that you keep the milliseconds value of the timers lsa arrival command less than or equal to the hold-interval value of the timers throttle lsa command.

Examples

The following example configures OSPFv3 LSA throttling in milleseconds:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle lsa 100 4000 5000
 

For LSA throttling, the following example shows the automatic correction that occurs if the maximum delay value specified is less than the minimum delay value:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle lsa 100 50 50
% OSPFv3: Throttle timers corrected to: 100 100 100
ciscoasa(config-rtr)# show running-config ipv6
ipv6 router ospf 10
timers throttle lsa 100 100 100
 

The following example configures OSPFv3 SPF throttling in milleseconds:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle spf 6000 12000 14000
 

For SPF throttling, the following example shows the automatic correction that occurs if the maximum delay value specified is less than the minimum delay value:

ciscoasa(config)# ipv6 router ospf 10
ciscoasa(config-rtr)# timers throttle spf 100 50 50
% OSPFv3: Throttle timers corrected to: 100 100 100
ciscoasa(config-rtr)# show running-config ipv6
ipv6 router ospf 10
timers throttle spf 100 100 100
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters IPv6 router configuration mode.

show ipv6 ospf

Displays general information about the OSPFv3 routing processes.

timers lsa-group-pacing

Specifies the interval at which OSPFv3 LSAs are collected and refreshed, checksummed, or aged.

title

To customize the title of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the title command from webvpn customization mode:

title { text | style } value

[ no ] title { text | style } value

To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

 
Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

 
Defaults

The default title text is “WebVPN Service”.

The default title style is:

background-color:white;color:maroon;border-bottom:5px groove #669999;font-size:larger;
vertical-align:middle;text-align:left;font-weight:bold

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

To have no title, use the title text command without a value argument.

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.
  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

In the following example, the title is customized with the text “Cisco WebVPN Service”:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# title text Cisco WebVPN Service
 

 
Related Commands

Command
Description

logo

Customizes the logo on the WebVPN page.

page style

Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.