Table Of Contents

tcp-map through title Commands

tcp-map

tcp-options

telnet

telnet timeout

terminal

terminal pager

terminal width

test aaa-server

test aaa-server ad-agent

test dynamic-access-policy attributes

test dynamic-access-policy execute

test regex

test sso-server

text-color

tftp-server

tftp-server address

threat-detection basic-threat

threat-detection rate

threat-detection scanning-threat

threat-detection statistics

threshold

ticket

timeout

timeout (aaa-server host)

timeout (dns-server-group configuration mode)

timeout (gtp-map)

timeout (radius-accounting)

timeout (sla monitor)

timeout pinhole

time-range

timeout secure-phones

timers lsa arrival

timers lsa-group-pacing (OSPFv2)

timers pacing flood (OSPFv3)

timers pacing lsa-group (OSPFv3)

timers spf

timers throttle

title

tcp-map through title Commands

---

tcp-map

To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that identify abnormal packets, which the ASA drops when they are detected. To remove the TCP map, use the no form of this command.

tcp-map map_name

no tcp-map map_name

Syntax Description

map_name

Specifies the TCP map name.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
7.2(4)/8.0(4)	The invalid-ack, seq-past-window, and synack-data subcommands were added.

Usage Guidelines

This feature uses Modular Policy Framework. First define the TCP normalization actions you want to take using the tcp-map command. The tcp-map command enters tcp-map configuration mode, where you can enter one or more commands to define the TCP normalization actions. Then define the traffic to which you want to apply the TCP map using the class-map command. Enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, enter the set connection advanced-options command to reference the TCP map. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the CLI configuration guide.

The following commands are available in tcp-map configuration mode:

check-retransmission	Enables and disables the retransmit data checks.
checksum-verification	Enables and disable checksum verification.
exceed-mss	Allows or drops packets that exceed MSS set by peer.
invalid-ack	Sets the action for packets with an invalid ACK.
queue-limit	Configures the maximum number of out-of-order packets that can be queued for a TCP connection. This command is only available on the ASA 5500 series adaptive ASA. On the PIX 500 series ASA, the queue limit is 3 and cannot be changed.
reserved-bits	Sets the reserved flags policy in the ASA.
seq-past-window	Sets the action for packets that have past-window sequence numbers, namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window.
synack-data	Sets the action for TCP SYNACK packets that contain data.
syn-data	Allows or drops SYN packets with data.
tcp-options	Allows or clears the selective-ack, timestamps, or window-scale TCP options.
ttl-evasion-protection	Enables or disables the TTL evasion protection offered by the ASA.
urgent-flag	Allows or clears the URG pointer through the ASA.
window-variation	Drops a connection that has changed its window size unexpectedly.

Examples

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands:

hostname(config)# tcp-map tmap

hostname(config-tcp-map)# urgent-flag allow

hostname(config-tcp-map)# class-map urg-class

hostname(config-cmap)# match port tcp range ftp-data telnet

hostname(config-cmap)# policy-map pmap

hostname(config-pmap)# class urg-class

hostname(config-pmap-c)# set connection advanced-options tmap

hostname(config-pmap-c)# service-policy pmap global

Related Commands

Command	Description
class (policy-map)	Specifies a class map to use for traffic classification.
clear configure tcp-map	Clears the TCP map configuration.
policy-map	Configures a policy; that is, an association of a traffic class and one or more actions.
show running-config tcp-map	Displays the information about the TCP map configuration.
tcp-options	Allows or clears the selective-ack, timestamps, or window-scale TCP options.

tcp-options

To allow or clear the TCP options through the ASA, use the tcp-options command in tcp-map configuration mode. To remove this specification, use the no form of this command.

tcp-options {selective-ack | timestamp | window-scale} {allow | clear}

no tcp-options {selective-ack | timestamp | window-scale} {allow | clear}

tcp-options range lower upper {allow | clear | drop}

no tcp-options range lower upper {allow | clear | drop}

Syntax Description

allow	Allows the TCP options through the TCP normalizer.
clear	Clears the TCP options through the TCP normalizer and allows the packet.
drop	Drops the packet.
lower	Lower bound ranges (6-7) and (9-255).
selective-ack	Sets the selective acknowledgement mechanism (SACK) option. The default is to allow the SACK option.
timestamp	Sets the timestamp option. Clearing the timestamp option will disable PAWS and RTT. The default is to allow the timestamp option.
upper	Upper bound range (6-7) and (9-255).
window-scale	Sets the window scale mechanism option. The default is to allow the window scale mechanism option.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Tcp-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the tcp-options command in tcp-map configuration mode to clear selective-acknowledgement, window-scale, and timestamp TCP options. You can also clear or drop packets with options that are not very well defined.

Examples

The following example shows how to drop all packets with TCP options in the ranges of 6-7 and 9-255:

hostname(config)# access-list TCP extended permit tcp any any

hostname(config)# tcp-map tmap

hostname(config-tcp-map)# tcp-options range 6 7 drop

hostname(config-tcp-map)# tcp-options range 9 255 drop

hostname(config)# class-map cmap

hostname(config-cmap)# match access-list TCP

hostname(config)# policy-map pmap

hostname(config-pmap)# class cmap

hostname(config-pmap)# set connection advanced-options tmap

hostname(config)# service-policy pmap global

Related Commands

Command	Description
class	Specifies a class map to use for traffic classification.
policy-map	Configures a policy; that is, an association of a traffic class and one or more actions.
set connection	Configures connection values.
tcp-map	Creates a TCP map and allows access to tcp-map configuration mode.

telnet

To allow Telnet access to an interface, use the telnet command in global configuration mode. To remove Telnet access, use the no form of this command.

telnet {ipv4_address mask | ipv6_address/prefix} interface_name

no telnet {ipv4_address mask | ipv6_address/prefix} interface_name

Syntax Description

interface_name	Specifies the name of the interface on which to allow Telnet. You cannot enable Telnet on the lowest security interface unless you use Telnet in a VPN tunnel.
ipv4_address mask	Specifies the IPv4 address of a host or network authorized to Telnet to the ASA, and the subnet mask.
ipv6_address/prefix	Specifies the IPv6 address/prefix authorized to Telnet to the ASA.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(2), 9.1(2)	The default password, "cisco," has been removed; you must actively set a login password using the password command.

Usage Guidelines

The telnet command lets you specify which hosts can access the ASA CLI with Telnet. You can enable Telnet to the ASA on all interfaces. However, You cannot use Telnet to the lowest security interface unless you use Telnet inside a VPN tunnel.

Use the password command to set a password for Telnet access to the console. Use the who command to view which IP addresses are currently accessing the ASA console. Use the kill command to terminate an active Telnet console session.

If you use the aaa authentication telnet console command, Telnet console access must be authenticated with an authentication server.

Examples

This example shows how to permit hosts 192.168.1.3 and 192.168.1.4 to access the ASA CLI through Telnet. In addition, all the hosts on the 192.168.2.0 network are given access.

hostname(config)# telnet 192.168.1.3 255.255.255.255 inside

hostname(config)# telnet 192.168.1.4 255.255.255.255 inside

hostname(config)# telnet 192.168.2.0 255.255.255.0 inside

hostname(config)# show running-config telnet

192.168.1.3 255.255.255.255 inside

192.168.1.4 255.255.255.255 inside

192.168.2.0 255.255.255.0 inside

This example shows a Telnet console login session (the password does not display when entered):

hostname# passwd: cisco

Welcome to the XXX

...

Type help or `?' for a list of available commands.

hostname>

You can remove individual entries with the no telnet command or all telnet command statements with the clear configure telnet command:

hostname(config)# no telnet 192.168.1.3 255.255.255.255 inside

hostname(config)# show running-config telnet

192.168.1.4 255.255.255.255 inside

192.168.2.0 255.255.255.0 inside

hostname(config)# clear configure telnet

Related Commands

Command	Description
clear configure telnet	Removes a Telnet connection from the configuration.
kill	Terminates a Telnet session.
show running-config telnet	Displays the current list of IP addresses that are authorized to use Telnet connections to the ASA.
telnet timeout	Sets the Telnet timeout.
who	Displays active Telnet administration sessions on the ASA.

telnet timeout

To set the Telnet idle timeout, use the telnet timeout command in global configuration mode. To restore the default timeout, use the no form of this command.

telnet timeout minutes

no telnet timeout minutes

Syntax Description

minutes

Number of minutes that a Telnet session can be idle before being closed by the ASA. Valid values are from 1 to 1440 minutes. The default is 5 minutes.

Defaults

By default, Telnet sessions left idle for five minutes are closed by the ASA.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the ASA.

Examples

This example shows how to change the maximum session idle duration:

hostname(config)# telnet timeout 10

hostname(config)# show running-config telnet timeout

telnet timeout 10 minutes

Related Commands

Command	Description
clear configure telnet	Removes a Telnet connection from the configuration.
kill	Terminates a Telnet session.
show running-config telnet	Displays the current list of IP addresses that are authorized to use Telnet connections to the ASA.
telnet	Enables Telnet access to the ASA.
who	Displays active Telnet administration sessions on the ASA.

terminal

To allow syslog messages to show in the current Telnet session, use the terminal monitor command in privileged EXEC mode. To disable syslog messages, use the no form of this command.

terminal {monitor | no monitor}

Syntax Description

monitor	Enables the display of syslog messages in the current Telnet session.
no monitor	Disables the display of syslog messages in the current Telnet session.

Defaults

Syslog messages are disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

This example shows how to display and disable syslog messages in the current session:

hostname# terminal monitor

hostname# terminal no monitor

Related Commands

Command	Description
clear configure terminal	Clears the terminal display width setting.
pager	Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is saved to the configuration.
show running-config terminal	Displays the current terminal settings.
terminal pager	Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is not saved to the configuration.
terminal width	Sets the terminal display width in global configuration mode.

terminal pager

To set the number of lines on a page before the "---More---"192.168.1.3 255.255.255.255 inside prompt appears for Telnet sessions, use the terminal pager command in privileged EXEC mode.

terminal pager [lines] lines

Syntax Description

[lines] lines

Sets the number of lines on a page before the "---More---"192.168.1.4 255.255.255.255 inside prompt appears. The default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines. The lines keyword is optional, and the command is the same with or without it.

Defaults

The default is 24 lines.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command changes the pager line setting only for the current Telnet session. To save a new default pager setting to the configuration, use the pager command.

If you use Telnet to access the admin context, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.

Examples

The following example changes the number of lines displayed to 20:

hostname# terminal pager 20

Related Commands

Command	Description
clear configure terminal	Clears the terminal display width setting.
pager	Sets the number of lines to display in a Telnet session before the "---More---" prompt. This command is saved to the configuration.
show running-config terminal	Displays the current terminal settings.
terminal	Allows syslog messsages to display in the Telnet session.
terminal width	Sets the terminal display width in global configuration mode.

terminal width

To set the width for displaying information during console sessions, use the terminal width command in global configuration mode. To disable, use the no form of this command.

terminal width columns

no terminal width columns

Syntax Description

columns

Specifies the terminal width in columns. The default is 80. The range is 40 to 511.

Defaults

The default display width is 80 columns.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

This example shows how to terminal display width to 100 columns:

hostname# terminal width 100

Related Commands

Command	Description
clear configure terminal	Clears the terminal display width setting.
show running-config terminal	Displays the current terminal settings.
terminal	Sets the terminal line parameters in privileged EXEC mode.

test aaa-server

To check whether the ASA can authenticate or authorize users with a particular AAA server, use the test aaa-server command in privileged EXEC mode. Failure to reach the AAA server may be due to incorrect configuration on the ASA, or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime.

test aaa-server {authentication server_tag [host ip_address] [username username] [password password] | authorization server_tag [host ip_address] [username username][ad-agent]}

Syntax Description

ad-agent	Tests connectivity to the AAA AD agent server.
authentication	Tests a AAA server for authentication capability.
authorization	Tests a AAA server for legacy VPN authorization capability.
host ip_address	Specifies the server IP address. If you do not specify the IP address in the command, you are prompted for it.
password password	Specifies the user password. If you do not specify the password in the command, you are prompted for it.
server_tag	Specifies the AAA server tag as set by the aaa-server command.
username username	Specifies the username of the account used to test the AAA server settings. Make sure the username exists on the AAA server; otherwise, the test will fail. If you do not specify the username in the command, you are prompted for it.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(4)	This command was introduced.
8.4(2)	The ad-agent keyword was added.

Usage Guidelines

The test aaa-server command lets you verify that the ASA can authenticate users with a particular AAA server, and for legacy VPN authorization, if you can authorize a user. This command lets you test the AAA server without having an actual user who attempts to authenticate or authorize. It also helps you isolate whether AAA failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the ASA.

Examples

The following example configures a RADIUS AAA server named srvgrp1 on host 192.168.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650. The test aaa-server command following the setup of the AAA server parameters indicates that the authentication test failed to reach the server.

hostname(config)# aaa-server svrgrp1 protocol radius

hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4

hostname(config-aaa-server-host)# timeout 9

hostname(config-aaa-server-host)# retry-interval 7

hostname(config-aaa-server-host)# authentication-port 1650

hostname(config-aaa-server-host)# exit

hostname(config)# test aaa-server authentication svrgrp1

Server IP Address or name: 192.168.3.4

Username: bogus

Password: mypassword

INFO: Attempting Authentication test to IP address <192.168.3.4> (timeout: 10 seconds)

ERROR: Authentication Rejected: Unspecified

The following is sample output from the test aaa-server command with a successful outcome:

hostname# test aaa-server authentication svrgrp1 host 192.168.3.4 username bogus password 
mypassword

INFO: Attempting Authentication test to IP address <10.77.152.85> (timeout: 12 seconds)

INFO: Authentication Successful

Related Commands

Command	Description
aaa authentication console	Configures authentication for management traffic.
aaa authentication match	Configures authentication for through traffic.
aaa-server	Creates a AAA server group.
aaa-server host	Adds a AAA server to a server group.

test aaa-server ad-agent

To test the Active Directory Agent configuration after you configure, use the test aaa-server ad-agent command in AAA Server Group configuration mode.

test aaa-server ad-agent

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
AAA Server Group configuration mode	•	—	•	—	—

Command History

Release	Modification
8.4(2)	The command was introduced.

Usage Guidelines

To configure the Active Directory Agent for the Identity Firewall, you must enter the ad-agent-mode command, which is a submode of the aaa-server command. Entering the ad-agent-mode command enters the AAA Server Group configuration mode.

After configuring the Active Directory Agent, enter the test aaa-server ad-agent command to verify that the ASA has a functional connection to the Active Directory Agent.

Periodically or on-demand, the AD Agent monitors the Active Directory server security event log file via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address mappings. and notifies the ASA of changes.

Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between ASA and AD Agent.

Examples

The following example shows how to enable ad-agent-mode while configuring the Active Directory Agent for the Identity Firewall and then test the connection:

hostname(config)# aaa-server adagent protocol radius

hostname(config)# ad-agent-mode

hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101

hostname(config-aaa-server-host)# key mysecret

hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagent

hostname(config-aaa-server-host)# test aaa-server ad-agent

Related Commands

Command	Description
aaa-server	Create a AAA server group and configures AAA server parameters that are group-specific and common to all group hosts.
clear configure user-identity	Clears the configuration for the Identity Firewall feature.

test dynamic-access-policy attributes

To enter the dap attributes mode, from Privileged EXEC mode, enter the test dynamic-access-policy attributes command. Doing so lets you specify user and endpoint attribute value pairs.

dynamic-access-policy attributes

Defaults

No default value or behaviors.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

Normally the ASA retrieves user authorization attributes from the AAA server and retrieves endpoint attributes from Cisco Secure Desktop, Host Scan, CNA or NAC. For the test command, you specify the user authorization and endpoint attributes in this attributes mode. The ASA writes them to an attribute database that the DAP subsystem references when evaluating the AAA selection attributes and endpoint select attributes for a DAP record.

This feature lets you experiment with creating a DAP record.

Examples

The following example shows how to use the attributes command.

hostname # test dynamic-access-policy attributes

hostname(config-dap-test-attr)# 

Related Commands

Command	Description
dynamic-access-policy-record	Creates a DAP record.
attributes	Enters attributes mode, in which you can specify user attribute value pairs.
display	Displays current attribute list.

test dynamic-access-policy execute

To test already configured DAP records, use the test dynamic-access-policy execute command in privileged EXEC mode:

test dynamic-access-policy execute

Syntax Description

Syntax DescriptionSyntax Description

AAA attribute value	The DAP subsystem on the device references these values when evaluating the AAA and endpoint selection attributes for each record. –AAA Attribute—Identifies the AAA attribute. –Operation Value—Identifies the attribute as =/!= to the given value.
endpoint attribute value	Identifies the endpoint attribute. –Endpoint ID—Provides the endpoint attribute ID. –Name/Operation/Value—

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
8.4(4)	This command was introduced.

Usage Guidelines

This command lets you test the retrieval of the set of DAP records configured on the device by specifying authorization attribute value pairs.

test regex

To test a regular expression, use the test regex command in privileged EXEC mode.

test regex input_text regular_expression

Syntax Description

input_text	Specifies the text that you want to match with the regular expression.
regular_expression	Specifies the regular expression up to 100 characters in length. See the regex command for a list of metacharacters you can use in the regular expression.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

The test regex command tests a regular expression to make sure it matches what you think it will match.

If the regular expression matches the input text, you see the following message:

INFO: Regular expression match succeeded.

If the regular expression does not match the input text, you see the following message:

INFO: Regular expression match failed.

Examples

The following example tests input text against a regular expression:

hostname# test regex farscape scape

INFO: Regular expression match succeeded.

hostname# test regex farscape scaper

INFO: Regular expression match failed.

Related Commands

Command	Description
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a policy map by associating the traffic class with one or more actions.
policy-map type inspect	Defines special actions for application inspection.
class-map type regex	Creates a regular expression class map.
regex	Creates a regular expression.

test sso-server

To test an SSO server with a trial authentication request, use the test sso-server command in privileged EXEC mode.

test sso-server server-name username user-name

Syntax Description

Syntax DescriptionSyntax Description

server-name	Specifies the name of the SSO server being tested.
user-name	Specifies the name of a user on the SSO server being tested.

Defaults

No default values or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Config-webvpn	•	—	•	—	—
Config-webvpn-sso-saml	•	—	•	—	—
Config-webvpn-sso-siteminder	•	—	•	—	—
Global configuration mode	•	—	•	—	—
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The test sso-server command tests whether an SSO server is recognized and responding to authentication requests.

If the SSO server specified by the server-name argument is not found, the following error appears:

192.168.2.0 255.255.255.0 inside server-name does not exist

If the SSO server is found but the user specified by the user-name argument is not found, the authentication is rejected.

In the authentication, the ASA acts as a proxy for the WebVPN user to the SSO server. The ASA currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. This command applies to both types of SSO Servers.

Examples

The following example, entered in privileged EXEC mode, successfully tests an SSO server named my-sso-server using a username of Anyuser:

hostname# test sso-server my-sso-server username Anyuser

INFO: Attempting authentication request to sso-server my-sso-server for user Anyuser

INFO: STATUS: Success

hostname#

The following example shows a test of the same server, but the user, Anotheruser, is not recognized and the authentication fails:

hostname# test sso-server my-sso-server username Anotheruser

INFO: Attempting authentication request to sso-server my-sso-server for user Anotheruser

INFO: STATUS: Failed

hostname#

Related Commands

Command	Description
max-retry-attempts	Configures the number of times the ASA retries a failed SSO authentication attempt.
policy-server-secret	Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.
request-timeout	Specifies the number of seconds before a failed SSO authentication attempt times out.
show webvpn sso-server	Displays the operating statistics for all SSO servers configured on the security device.
sso-server	Creates a single sign-on server.
web-agent-url	Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.

text-color

To set a color for text in the WebVPN title bar on the login, home page, and file access page, use the text-color command in webvpn mode. To remove a text color from the configuration and reset the default, use the no form of this command.

text-color [black | white | auto]

no text-color

Syntax Description

auto	Chooses black or white based on the settings for the secondary-color command. That is, if the secondary color is black, this value is white.
black	The default text color for title bars is white.
white	You can change the color to black.

Defaults

The default text color for the title bars is white.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
config-webvpn	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following example shows how to set the text color for title bars to black:

hostname(config)# webvpn

hostname(config-webvpn)# text-color black

Related Commands

Command	Description
secondary-text-color	Sets the secondary text color for the WebVPN login, home page, and file access page.

tftp-server

To specify the default TFTP server and path and filename for use with configure net or write net commands, use the tftp-server command in global configuration mode. To remove the server configuration, use the no form of this command. This command supports IPv4 and IPv6 addresses.

tftp-server interface_name server filename

no tftp-server [interface_name server filename]

Syntax Description

filename	Specifies the path and filename.
interface_name	Specifies the gateway interface name. If you specify an interface other than the highest security interface, a warning message informs you that the interface is unsecure.
server	Sets the TFTP server IP address or name. You can enter an IPv4 or IPv6 address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	•

Command History

Release	Modification
7.0(1)	The gateway interface is now required.

Usage Guidelines

The tftp-server command simplifies entering the configure net and write net commands. When you enter the configure net or write net commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as-is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value.

The ASA supports only one tftp-server command.

Examples

The following example shows how to specify a TFTP server and then read the configuration from the /temp/config/test_config directory:

hostname(config)# tftp-server inside 10.1.1.42 /temp/config/test_config

hostname(config)# configure net

Related Commands

Command	Description
configure net	Loads the configuration from the TFTP server and path that you specify.
show running-config tftp-server	Displays the default TFTP server address and the directory of the configuration file.

tftp-server address

To specify the TFTP servers in the cluster, use the tftp-server address command in phone-proxy configuration mode. To remove the TFTP server from the Phone Proxy configuration, use the no form of this command.

tftp-server address ip_address [port] interface interface

no tftp-server address ip_address [port] interface interface

Syntax Description 

ip_address	Specifies the address of the TFTP server.
interface interface	Specifies the interface on which the TFTP server resides. This must be the real address of the TFTP server.
port	(Optional) This is the port the TFTP server is listening in on for the TFTP requests. This should be configured if it is not the default TFTP port 69.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Phone-proxy configuration	•	—	•	—	—

Command History 

Release	Modification
8.0(4)	The command was introduced.

Usage Guidelines

The Phone Proxy must have at least one CUCM TFTP server configured. Up to five TFTP servers can be configured for the Phone Proxy.

The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the Phone Proxy intercepts the requests between the IP phones and TFTP server. The TFTP server must reside on the same interface as the CUCM.

Create the TFTP server using the internal IP address and specify the interface on which the TFTP server resides.

On the IP phones, the IP address of the TFTP server must be configured as follows:

•If NAT is configured for the TFTP server, use the TFTP server's global IP address.

•If NAT is not configured for the TFTP server, use the TFTP server's internal IP address.

If the service-policy is applied globally, a classification rule will be created to direct any TFTP traffic reaching the TFTP server on all ingress interfaces, except for the interface on which the TFTP server resides. When the service-policy is applied on a specific interface, a classification rule will be created to direct any TFTP traffic reaching the TFTP server on that specified interface to the phone-proxy module.

If a NAT rule is configured for the TFTP server, it must be configured prior to applying the service-policy so that the global address of the TFTP server is used when installing the classification rule.

Examples

The following example shows the use of the tftp-server address command to configure two TFTP servers for the Phone Proxy:

hostname(config)# phone-proxy asa_phone_proxy

hostname(config-phone-proxy)# tftp-server address 192.168.1.2 in interface outside

hostname(config-phone-proxy)# tftp-server address 192.168.1.3 in interface outside

hostname(config-phone-proxy)# media-termination address 192.168.1.4 interface inside

hostname(config-phone-proxy)# media-termination address 192.168.1.25 interface outside

hostname(config-phone-proxy)# tls-proxy asa_tlsp

hostname(config-phone-proxy)# ctl-file asactl

hostname(config-phone-proxy)# cluster-mode nonsecure

Related Commands 

Command	Description
phone-proxy	Configures the Phone Proxy instance.

threat-detection basic-threat

To enable basic threat detection, use the threat-detection basic-threat command in global configuration mode. To disable basic threat detection, use the no form of this command.

threat-detection basic-threat

no threat-detection basic-threat

Syntax Description

This command has no arguments or keywords.

Defaults

Basic threat detection is enabled by default. The following default rate limits are used:

Table 64-1 Basic Threat Detection Default Settings 

Packet Drop Reason	Trigger Settings
	Average Rate	Burst Rate
•DoS attack detected •Bad packet format •Connection limits exceeded •Suspicious ICMP packets detected	100 drops/sec over the last 600 seconds.	400 drops/sec over the last 20 second period.
	80 drops/sec over the last 3600 seconds.	320 drops/sec over the last 120 second period.
Scanning attack detected	5 drops/sec over the last 600 seconds.	10 drops/sec over the last 20 second period.
	4 drops/sec over the last 3600 seconds.	8 drops/sec over the last 120 second period.
Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected (combined)	100 drops/sec over the last 600 seconds.	200 drops/sec over the last 20 second period.
	80 drops/sec over the last 3600 seconds.	160 drops/sec over the last 120 second period.
Denial by access lists	400 drops/sec over the last 600 seconds.	800 drops/sec over the last 20 second period.
	320 drops/sec over the last 3600 seconds.	640 drops/sec over the last 120 second period.
•Basic firewall checks failed •Packets failed application inspection	400 drops/sec over the last 600 seconds.	1600 drops/sec over the last 20 second period.
	320 drops/sec over the last 3600 seconds.	1280 drops/sec over the last 120 second period.
Interface overload	2000 drops/sec over the last 600 seconds.	8000 drops/sec over the last 20 second period.
	1600 drops/sec over the last 3600 seconds.	6400 drops/sec over the last 120 second period.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.
8.2(1)	The burst rate interval changed from 1/60th to 1/30th of the average rate.

Usage Guidelines

When you enable basic threat detection, the ASA monitors the rate of dropped packets and security events due to the following reasons:

•Denial by access lists

•Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)

•Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)

•DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)

•Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)

•Suspicious ICMP packets detected

•Packets failed application inspection

•Interface overload

•Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the threat-detection scanning-threat command) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)

•Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected

When the ASA detects a threat, it immediately sends a system log message (733100) and alerts ASDM.

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Table 64-1 in the "Defaults" section lists the default settings. You can view all these default settings using the show running-config all threat-detection command. You can override the default settings for each type of event by using the threat-detection rate command.

If an event rate is exceeded, then the ASA sends a system message. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event received, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period.

Examples

The following example enables basic threat detection, and changes the triggers for DoS attacks:

hostname(config)# threat-detection basic-threat

hostname(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 
burst-rate 100

Related Commands

Command	Description
clear threat-detection rate	Clears basic threat detection statistics.
show running-config all threat-detection	Shows the threat detection configuration, including the default rate settings if you did not configure them individually.
show threat-detection rate	Shows basic threat detection statistics.
threat-detection rate	Sets the threat detection rate limits per event type.
threat-detection scanning-threat	Enables scanning threat detection.

threat-detection rate

When you enable basic threat detection using the threat-detection basic-threat command, you can change the default rate limits for each event type using the threat-detection rate command in global configuration mode. If you enable scanning threat detection using the threat-detection scanning-threat command, then this command with the scanning-threat keyword also sets the when a host is considered to be an attacker or a target; otherwise the default scanning-threat value is used for both basic and scanning threat detection. To return to the default setting, use the no form of this command.

threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate

no threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate

Syntax Description

acl-drop	Sets the rate limit for dropped packets caused by denial by access lists.
average-rate av_rate	Sets the average rate limit between 0 and 2147483647 in drops/sec.
bad-packet-drop	Sets the rate limit for dropped packets caused by denial by a bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length).
burst-rate burst_rate	Sets the burst rate limit between 0 and 2147483647 in drops/sec. The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval is 1/30th of the rate-interval rate_interval value or 10 seconds, whichever is larger.
conn-limit-drop	Sets the rate limit for dropped packets caused by the connection limits being exceeded (both system-wide resource limits, and limits set in the configuration).
dos-drop	Sets the rate limit for dropped packets caused by a detected DoS attack (such as an invalid SPI, Stateful Firewall check failure).
fw-drop	Sets the rate limit for dropped packets caused by basic firewall check failure. This option is a combined rate that includes all firewall-related packet drops in this command. It does not include non-firewall-related drops such as interface-drop, inspect-drop, and scanning-threat.
icmp-drop	Sets the rate limit for dropped packets caused by denial by suspicious ICMP packets detected.
inspect-drop	Sets the rate limit for dropped packets caused by packets failing application inspection.
interface-drop	Sets the rate limit for dropped packets caused by an interface overload.
rate-interval rate_interval	Sets the average rate interval between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval.
scanning-threat	Sets the rate limit for dropped packets caused by a scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the threat-detection scanning-threat command) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.
syn-attack	Sets the rate limit for dropped packets caused by an incomplete session, such as TCP SYN attack or no data UDP session attack.

Defaults

When you enable basic threat detection using the threat-detection basic-threat command, the following default rate limits are used:

Table 64-2 Basic Threat Detection Default Settings 

Packet Drop Reason	Trigger Settings
	Average Rate	Burst Rate
•dos-drop •bad-packet-drop •conn-limit-drop •icmp-drop	100 drops/sec over the last 600 seconds.	400 drops/sec over the last 20 second period.
	100 drops/sec over the last 3600 seconds.	400 drops/sec over the last 120 second period.
scanning-threat	5 drops/sec over the last 600 seconds.	10 drops/sec over the last 20 second period.
	5 drops/sec over the last 3600 seconds.	10 drops/sec over the last 120 second period.
syn-attack	100 drops/sec over the last 600 seconds.	200 drops/sec over the last 20 second period.
	100 drops/sec over the last 3600 seconds.	200 drops/sec over the last 120 second period.
acl-drop	400 drops/sec over the last 600 seconds.	800 drops/sec over the last 20 second period.
	400 drops/sec over the last 3600 seconds.	800 drops/sec over the last 120 second period.
•fw-drop •inspect-drop	400 drops/sec over the last 600 seconds.	1600 drops/sec over the last 20 second period.
	400 drops/sec over the last 3600 seconds.	1600 drops/sec over the last 120 second period.
interface-drop	2000 drops/sec over the last 600 seconds.	8000 drops/sec over the last 20 second period.
	2000 drops/sec over the last 3600 seconds.	8000 drops/sec over the last 120 second period.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.
8.2(1)	The burst rate interval changed from 1/60th to 1/30th of the average rate.

Usage Guidelines

You can configure up to three different rate intervals for each event type.

When you enable basic threat detection, the ASA monitors the rate of dropped packets and security events due to the event types described in the "Syntax Description" table.

When the ASA detects a threat, it immediately sends a system log message (733100) and alerts ASDM.

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Table 64-1 in the "Defaults" section lists the default settings. You can view all these default settings using the show running-config all threat-detection command.

If an event rate is exceeded, then the ASA sends a system message. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. For each event received, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period.

Examples

The following example enables basic threat detection, and changes the triggers for DoS attacks:

hostname(config)# threat-detection basic-threat

hostname(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 
burst-rate 100

Related Commands

Command	Description
clear threat-detection rate	Clears basic threat detection statistics.
show running-config all threat-detection	Shows the threat detection configuration, including the default rate settings if you did not configure them individually.
show threat-detection rate	Shows basic threat detection statistics.
threat-detection basic-threat	Enables basic threat detection.
threat-detection scanning-threat	Enables scanning threat detection.

threat-detection scanning-threat

To enable scanning threat detection, use the threat-detection scanning-threat command in global configuration mode. To disable scanning threat detection, use the no form of this command.

threat-detection scanning-threat [shun
[except {ip-address ip_address mask | object-group network_object_group_id} | duration seconds]]

no threat-detection scanning-threat [shun
[except {ip-address ip_address mask | object-group network_object_group_id} | duration seconds]]

Syntax Description

duration seconds	Sets the duration of a shun for an attacking host, between 10 and 2592000 seconds. The default length is 3600 seconds (1 hour).
except	Exempts IP addresses from being shunned. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning.
ip-address ip_address mask	Specifies the IP address you want to exempt from shunning.
object-group network_object_group_id	Specifies the network object group that you want to exempt from shunning. See the object-group network command to create the object group.
shun	Automatically terminates a host connection when the ASA identifies the host as an attacker, in addition to sending syslog message 733101.

Defaults

The default shun duration is 3600 seconds (1 hour).

The following default rate limits are used for scanning attack events:

Table 64-3 Default Rate Limits for Scanning Threat Detection

Average Rate	Burst Rate
5 drops/sec over the last 600 seconds.	10 drops/sec over the last 20 second period.
5 drops/sec over the last 3600 seconds.	10 drops/sec over the last 120 second period.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.
8.0(4)	The duration keyword was added.

Usage Guidelines

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.

---

Caution The scanning threat detection feature can affect the ASA performance and memory significantly while it creates and gathers host- and subnet-based data structure and information.

---

You can configure the ASA to send system log messages about an attacker or you can automatically shun the host. By default, the system log message 730101 is generated when a host is identified as an attacker.

The ASA identifies attackers and targets when the scanning threat event rate is exceeded. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. For each event detected that is considered to be part of a scanning attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is considered to be a target. You can change the rate limits for scanning threat events using the threat-detection rate scanning-threat command.

To view hosts categorized as attackers or as targets, use the show threat-detection scanning-threat command.

To view shunned hosts, use the show threat-detection shun command. To release a host from being shunned, use the clear threat-detection shun command.

Examples

The following example enables scanning threat detection and automatically shuns hosts categorized as attackers, except for hosts on the 10.1.1.0 network. The default rate limits for scanning threat detection are also changed.

hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 
255.255.255.0

hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 
burst-rate 20

hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 
burst-rate 20

Related Commands

Command	Description
clear threat-detection shun	Releases a host from being shunned.
show threat-detection scanning-threat	Shows the hosts that are categorized as attackers and targets.
show threat-detection shun	Shows hosts that are currently shunned.
threat-detection basic-threat	Enables basic threat detection.
threat-detection rate	Sets the threat detection rate limits per event type.

threat-detection statistics

To enable advanced threat detection statistics, use the threat-detection statistics command in global configuration mode. To disable advanced threat detection statistics, use the no form of this command.

---

Caution Enabling statistics can affect the ASA performance, depending on the type of statistics enabled. The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact.

---

threat-detection statistics [access-list | [host | port | protocol [number-of-rate {1 | 2 | 3}] | tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec]]

no threat-detection statistics [access-list | host | port | protocol | tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec]]

Syntax Description

access-list	(Optional) Enables statistics for access list denies. Access list statistics are only displayed using the show threat-detection top access-list command.
average-rate attacks_per_sec	(Optional) For TCP Intercept, sets the average rate threshold for syslog message generation, between 25 and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog message 733105 is generated.
burst-rate attacks_per_sec	(Optional) For TCP Intercept, sets the threshold for syslog message generation, between 25 and 2147483647. The default is 400 per second. When the burst rate is exceeded, syslog message 733104 is generated.
host	(Optional) Enables host statistics. The host statistsics accumulate for as long as the host is active and in the scanning threat host database. The host is deleted from the database (and the statistics cleared) after 10 minutes of inactivity.
number-of-rate {1 | 2 | 3}	(Optional) Sets the number of rate intervals maintained for host, port, or protocol statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3. For example, if you set the value to 3, then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.
port	(Optional) Enables port statistics.
protocol	(Optional) Enables protocol statistics.
rate-interval minutes	(Optional) For TCP Intercept, sets the size of the history monitoring window, between 1 and 1440 minutes. The default is 30 minutes. During this interval, the ASA samples the number of attacks 30 times.
tcp-intercept	(Optional) Enables statistics for attacks intercepted by TCP Intercept. See the set connection embryonic-conn-max command, or the nat or static commands to enable TCP Intercept.

Defaults

Access list statistics are enabled by default. If you do not specify any options in this command, then you enable all options.

The default tcp-intercept rate-interval is 30 minutes. The default burst-rate is 400 per second. The default average-rate is 200 per second.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•1	—

1 Only TCP Intercept statistics are supported in multiple context mode.

Command History

Release	Modification
8.0(2)	This command was introduced.
8.0(4)/8.1(2)	The tcp-intercept keyword was added.
8.1(2)	The number-of-rates keyword was added for host statistics, and the default number of rates was changed from 3 to 1.
8.2(1)	The burst rate interval changed from 1/60th to 1/30th of the average rate.
8.3(1)	The number-of-rates keyword was added for port and protocol statistics, and the default number of rates was changed from 3 to 1.

Usage Guidelines

If you do not specify any options in this command, then you enable all statistics. To enable only certain statistics, enter this command for each statistic type, and do not also enter the command without any options. You can enter threat-detection statistics (without any options) and then customize certain statistics by entering the command with statistics-specific options (for example, threat-detection statistics host number-of-rate 2). If you enter threat-detection statistics (without any options) and then enter a command for specific statistics, but without any statistic-specific options, then that command has no effect because it is already enabled.

If you enter the no form of this command, it removes all threat-detection statistics commands, including the threat-detection statistics access-list command, which is enabled by default.

View statistics using the show threat-detection statistics commands.

You do not need to enable scanning threat detection using the threat-detection scanning-threat command; you can configure detection and statistics separately.

Examples

The following example enables scanning threat detection and scanning threat statistics for all types except host:

hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 
255.255.255.0

hostname(config)# threat-detection statistics access-list

hostname(config)# threat-detection statistics port

hostname(config)# threat-detection statistics protocol

hostname(config)# threat-detection statistics tcp-intercept

Related Commands

Command	Description
threat-detection scanning-threat	Enables scanning threat detection.
show threat-detection statistics host	Shows the host statistics.
show threat-detection memory	Shows the memory use for advanced threat detection statistics.
show threat-detection statistics port	Shows the port statistics.
show threat-detection statistics protocol	Shows the protocol statistics.
show threat-detection statistics top	Shows the top 10 statistics.

threshold

To set the threshold value for over threshold events in SLA monitoring operations, use the threshold command in SLA monitor configuration mode. To restore the default value, use the no form of this command.

threshold milliseconds

no threshold

Syntax Description

milliseconds

Specifies the number of milliseconds for a rising threshold to be declared. Valid values are from 0 to 2147483647. This value should not be larger than the value set for the timeout.

Defaults

The default threshold is 5000 milliseconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
SLA monitor configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

The threshold value is only used to indicate over threshold events, which do not affect reachability but may be used to evaluate the proper settings for the timeout command.

Examples

The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.

hostname(config)# sla monitor 123

hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside 

hostname(config-sla-monitor-echo)# threshold 2500

hostname(config-sla-monitor-echo)# timeout 4000

hostname(config-sla-monitor-echo)# frequency 10

hostname(config)# sla monitor schedule 123 life forever start-time now

hostname(config)# track 1 rtr 123 reachability

Related Commands

Command	Description
sla monitor	Defines an SLA monitoring operation.
timeout	Defines the amount of time the SLA operation waits for a response.

ticket

To configure the ticket epoch and password for the Cisco Intercompany Media Engine proxy, use the ticket command in UC-IME configuration mode. To remove the configuration from the proxy, use the no form of this command.

ticket epoch n password password

no ticket epoch n password password

Syntax Description

n	Specifies the length of time between password integrity checks. Enter an integer from 1-255.
password	Sets the password for the Cisco Intercompany Media Engine ticket. Enter a minimum of 10 and a maximum of 64 printable character from the US-ASCII character set. The allowed characters include 0x21 to 0x73 inclusive, and exclude the space character. Only one password can be configured at a time.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
UC-IME configuration	•	—	•	—	—

Command History

Release	Modification
8.3(1)	The command was introduced.

Usage Guidelines

Configures the ticket epoch and password for Cisco Intercompany Media Engine.

The epoch contains an integer that updates each time that the password is changed. When the proxy is configured the first time and a password entered for the first time, enter 1 for the epoch integer. Each time you change the password, increment the epoch to indicate the new password. You must increment the epoch value each time your change the password.

Typically, you increment the epoch sequentially; however, the ASA allows you to choose any value when you update the epoch.

If you change the epoch value, the current password is invalidated and you must enter a new password.

We recommend a password of at least 20 characters. Only one password can be configured at a time.

The ticket password is stored onto flash. The output of the show running-config uc-ime command displays ***** instead of the password string.

---

Note The epoch and password that you configure on the ASA must match the epoch and password configured on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.

---

Examples

The following example shows specify the ticket and epoch in the Cisco Intercompany Media Engine Proxy:

hostname(config)# uc-ime local_uc-ime_proxy

hostname(config-uc-ime)# media-termination ime-media-term

hostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-secure

hostname(config-uc-ime)# ticket epoch 1 password password1234

hostname(config-uc-ime)# fallback monitoring timer 120

hostname(config-uc-ime)# fallback hold-down timer 30

Related Commands

Command	Description
show running-config uc-ime	Shows the running configuration of the Cisco Intercompany Media Engine proxy.
uc-ime	Creates the Cisco Intercompany Media Engine proxy instance on the ASA.

timeout

To set the global maximum idle time duration for various features, use the timeout command in global configuration mode. To set all timeouts to the default, use the no form of this command. To reset a single feature to its default, reenter the timeout command with the default value.

timeout {conn | floating-conn | h225 | h323 | half-closed | icmp | mgcp | mgcp-pat | pat-xlate | sip | sip-disconnect | sip-invite | sip_media | sip-provisional-media | sunrpc | tcp-proxy-reassembly | udp | xlate} hh:mm:ss

timeout uauth hh:mm:ss [absolute | inactivity]

no timeout

Syntax Description

absolute	(Optional for uauth) Requires a reauthentication after the uauth timeout expires. The absolute keyword is enabled by default. To set the uauth timer to timeout after a period of inactivity, enter the inactivity keyword instead.
conn	Specifies the idle time after which a connection closes, between 0:5:0 and 1193:0:0. The default is 1 hour (1:0:0). Use 0 to never time out a connection.
floating-conn	When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value.
hh:mm:ss	Specifies the timeout in hours, minutes, and seconds. Use 0 to never time out a connection, if available.
h225	Specifies the idle time after which an H.225 signaling connection closes, between 0:0:0 and 1193:0:0. The default is 1 hour (1:0:0). A timeout value of 0:0:1 disables the timer and closes the TCP connection immediately after all calls are cleared.
h323	Specifies the idle time after which H.245 (TCP) and H.323 (UDP) media connections close, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.
half-closed	Specifies the idle time after which a TCP half-closed connection will be freed, between 0:5:0 (for 9.1(1) and earlier) or 0:0:30 (for 9.1(2) and later) and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.
icmp	Specifies the idle time for ICMP, between 0:0:2 and 1193:0:0 The default is 2 seconds (0:0:2).
inactivity	(Optional for uauth) Requires uauth reauthentication after the inactivity timeout expires.
mgcp	Sets the idle time after which an MGCP media connection is removed, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0)
mgcp-pat	Sets the absolute interval after which an MGCP PAT translation is removed, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0).
pat-xlate	Specifies the idle time until a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want to increase the timeout if upstream routers reject new connections using a freed PAT port because the previous connection might still be open on the upstream device.
sip	Specifies the idle time after which a SIP control connection will be closed, between 0:5:0 and 1193:0:0. The default is 30 minutes (0:30:0). Use 0 to never time out a connection.
sip-disconnect	Specifies the idle time after which a SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message, between 0:0:1 and 1193:0:0. The default is 2 minutes (0:2:0).
sip-invite	(Optional) Specifies the idle time after which pinholes for PROVISIONAL responses and media xlates will be closed, between 0:1:0 and 1193:0:0. The default is 3 minutes (0:3:0).
sip_media	Specifies the idle time after which a SIP media connection will be closed, between 0:1:0 and 1193:0:0. The default is 2 minutes (0:2:0). Use 0 to never time out a connection. The SIP media timer is used used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.
sip-provisional-media	Specifies timeout value for SIP provisional media connections, between 0:1:0 and 1193:0:0. The default is 2 minutes (0:2:0).
sunrpc	Specifies the idle time after which a SUNRPC slot will be closed, between 0:1:0 and 1193:0:0. The default is 10 minutes (0:10:0). Use 0 to never time out a connection.
tcp-proxy-reassembly	Configures the idle timeout after which buffered packets waiting for reassembly are dropped, between 0:0:10 and 1193:0:0. The default is 1 minute (0:1:0).
uauth	Specifies the duration before the authentication and authorization cache times out and the user has to reauthenticate the next connection, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). The default timer is absolute; you can set the timeout to occur after a period of inactivity by entering the inactivity keyword. The uauth duration must be shorter than the xlate duration. Set to 0 to disable caching. Do not use 0 if passive FTP is used for the connection or if the virtual http command is used for web authentication.
udp	Specifies the idle time until a UDP slot is freed, between 0:1:0 and 1193:0:0. The default is 2 minutes (0:2:0). Use 0 to never time out a connection.
xlate	Specifies the idle time until a translation slot is freed, between 0:1:0 and 1193:0:0. The default is 3 hours (3:0:0).

Defaults

The defaults are as follows:

•conn hh:mm:ss is 1 hour (1:0:0).

•floating-conn hh:mm:ss never times out (0)

•h225 hh:mm:ss is 1 hour (1:0:0).

•h323 hh:mm:ss is 5 minutes (0:5:0).

•half-closed hh:mm:ss is 10 minutes (0:10:0).

•icmp hh:mm:ss is 2 seconds (0:0:2)

•mgcp hh:mm:ss is 5 minutes (0:5:0).

•mgcp-pat hh:mm:ss is 5 minutes (0:5:0).

•rpc hh:mm:ss is 5 minutes (0:5:0).

•sip hh:mm: is 30 minutes (0:30:0).

•sip-disconnect hh:mm:ss is 2 minutes (0:2:0).

•sip-invite hh:mm:ss is 3 minutes (0:3:0).

•sip_media hh:mm:ss is 2 minutes (0:2:0).

•sip-provisional-media hh:mm:ss is 2 minutes (0:2:0).

•sunrpc hh:mm:ss is 10 minutes (0:10:0)

•tcp-proxy-reassembly hh:mm:ss is 1 minute (0:1:0)

•uauth hh:mm:ss is 5 minutes (0:5:0) absolute.

•udp hh:mm:ss is 2 minutes (0:02:0).

•xlate hh:mm:ss is 3 hours (3:0:0).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration mode	•	•	•	•	—

Command History

Release	Modification
7.2(1)	The mgcp-pat, sip-disconnect, and sip-invite keywords were added.
7.2(4)/8.0(4)	The sip-provisional-media keyword was added.
7.2(5)/8.0(5)/8.1(2)/8.2(1)	The tcp-proxy-reassembly keyword was added.
8.2(5)/8.4(2)	The floating-conn keyword was added.
8.4(3)	The pat-xlate keyword was added.
9.1(2)	The minimum half-closed value was lowered to 30 seconds (0:0:30).

Usage Guidelines

The timeout command lets you set global timeouts. For some features, the set connection timeout command takes precedence for traffic identified in the command.

You can enter multiple keywords and values after the timeout command.

The connection timer (conn) takes precedence over the translation timer (xlate); the translation timer works only after all connections have timed out.

Examples

The following example shows how to configure the maximum idle time durations:

hostname(config)# timeout uauth 0:5:0 absolute uauth 0:4:0 inactivity

hostname(config)# show running-config timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00  
sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

Related Commands

Command	Description
clear configure timeout	Clears the timeout configuration and resets it to the defaults.
set connection timeout	Sets connection timeouts using Modular Policy Framework.
show running-config timeout	Displays the timeout value of the designated protocol.

timeout (aaa-server host)

To configure the host-specific maximum response time, in seconds, allowed before giving up on establishing a connection with the AAA server, use the timeout command in aaa-server host mode. To remove the timeout value and reset the timeout to the default value of 10 seconds, use the no form of this command.

timeout seconds

no timeout

Syntax Description

seconds

Specifies the timeout interval (1-60 seconds) for the request. This is the time after which the ASA gives up on the request to the primary AAA server. If there is a standby AAA server, the ASA sends the request to the backup server.

Defaults

The default timeout value is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
aaa-server host configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command is valid for all AAA server protocol types.

Use the timeout command to specify the length of time during which the ASA attempts to make a connection to a AAA server. Use the retry-interval command to specify the amount of time the ASA waits between connection attempts.

The timeout is the total amount of time that the ASA spends trying to complete a transaction with a server. The retry interval determines how often the communication is retried during the timeout period. Thus, if the retry interval is greater than or equal to the timeout value, you will see no retries. If you want to see retries, the retry interval musts be less than thte timeout value.

Examples

The following example configures a RADIUS AAA server named "svrgrp1" on host 1.2.3.4 to use a timeout value of 30 seconds, with a retry interval of 10 seconds. Thus, the ASA tries the communication attempt three times before giving up after 30 seconds.

hostname(config)# aaa-server svrgrp1 protocol radius

hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4

hostname(config-aaa-server-host)# timeout 30

hostname(config-aaa-server-host)# retry-interval 10

hostname(config-aaa-server-host)# 

Related Commands

Command	Description
aaa-server host	Enters aaa server host configuration mode so you can configure AAA server parameters that are host specific.
clear configure aaa-server	Removes all AAA command statements from the configuration.
show running-config aaa	Displays the current AAA configuration values.

timeout (dns-server-group configuration mode)

To specify the amount of time to wait before trying the next DNS server, use the timeout command in dns-server-group configuration mode. To restore the default timeout, use the no form of this command.

timeout seconds

no timeout [seconds]

Syntax Description

seconds

Specifies the timeout in seconds between 1 and 30. The default is 2 seconds. Each time the ASA retries the list of servers, this timeout doubles. Use the retries command in dns-server-group configuration mode to configure the number of retries.

Defaults

The default timeout is 2 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Examples

The following example sets the timeout to 1 second for the DNS server group "dnsgroup1":

hostname(config)# dns server-group dnsgroup1

hostname(config-dns-server-group)# dns timeout 1

Related Commands

Command	Description
clear configure dns	Removes all user-created DNS server-groups and resets the default server group's attributes to the default values.
domain-name	Sets the default domain name.
retries	Specifies the number of times to retry the list of DNS servers when the ASA does not receive a response.
show running-config dns server-group	Shows the current running DNS server-group configuration.

timeout (gtp-map)

To change the inactivity timers for a GTP session, use the timeout command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to set these intervals to their default values.

timeout {gsn | pdp-context | request | signaling | t3-response | tunnel } hh:mm:ss

no timeout {gsn | pdp-context | request | signaling | t3-response | tunnel } hh:mm:ss

Syntax Description

hh:mm:ss	This is the timeout where hh specifies the hour, mm specifies the minutes, ss specifies the seconds, and a colon ( : ) separates these three components. The value 0 means never tear down immediately.
gsn	Specifies the period of inactivity after which a GSN will be removed.
pdp-context	Specifies the maximum period of time allowed before beginning to receive the PDP context.
request	Specifies the the maximum period of time allowed before beginning to receive the GTP message.
signaling	Specifies the period of inactivity after which the GTP signaling will be removed.
t3-response	Specifies the maximum wait time for a response before a GTP connection is removed.
tunnel	Specifies the period of inactivity after which the GTP tunnel will be torn down.

Defaults

The default is 30 minutes for gsn, pdp-context, and signaling.

The default for request is 1 minute.

The default for tunnel is 1 hour (in the case where a Delete PDP Context Request is not received).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
GTP map configuration	·	·	·	·	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The Packet Data Protocol (PDP) context is identified by the Tunnel Identifier (TID), which is a combination of IMSI and NSAPI. Each MS can have up to 15 NSAPIs, allowing it to create multiple PDP contexts each with a different NSAPI, based on application requirements for varied QoS levels.

A GTP tunnel is defined by two associated PDP Contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.

Examples

The following example sets a timeout value for the request queue of 2 minutes:

hostname(config)# gtp-map gtp-policy

hostname(config-gtpmap)# timeout request 00:02:00

Related Commands

Commands	Description
clear service-policy inspect gtp	Clears global GTP statistics.
debug gtp	Displays detailed information about GTP inspection.
gtp-map	Defines a GTP map and enables GTP map configuration mode.
inspect gtp	Applies a specific GTP map to use for application inspection.
show service-policy inspect gtp	Displays the GTP configuration.

timeout (radius-accounting)

To change the inactivity timers for RADIUS accounting users, use the timeout command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command. Use the no form of this command to set these intervals to their default values.

timeout users hh:mm:ss

no timeout users hh:mm:ss

Syntax Description

hh:mm:ss	This is the timeout where hh specifies the hour, mm specifies the minutes, ss specifies the seconds, and a colon ( : ) separates these three components. The value 0 means never tear down immediately. The default is one hour.
users	Specifies the timeout for users.

Defaults

The default timeout for users is one hour.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
radius-accounting parameter configuration	·	·	·	·	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example sets a timeout value for the user of ten minutes:

hostname(config)# policy-map type inspect radius-accounting ra

hostname(config-pmap)# parameters

hostname(config-pmap-p)# timeout user 00:10:00

Related Commands

Commands	Description
inspect radius-accounting	Sets inspection for RADIUS accounting.
parameters	Sets parameters for an inspection policy map.

timeout (sla monitor)

To set the amount of time the SLA operation waits for a response to the request packets, use the timeout command in SLA monitor protocol configuration mode. To restore the default value, use the no form of this command.

timeout milliseconds

no timeout

Syntax Description

milliseconds

0 to 604800000.

Defaults

The default timeout value is 5000 milliseconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
SLA monitor protocol configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

Use the frequency command to set how often the SLA operation sends out the request packets and the timeout command to set how long the SLA operation waits to receive a response to those requests. The values specified for the timeout command cannot be greater than the value specified for the frequency command.

Examples

The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.

hostname(config)# sla monitor 123

hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside 

hostname(config-sla-monitor-echo)# threshold 2500

hostname(config-sla-monitor-echo)# timeout 4000

hostname(config-sla-monitor-echo)# frequency 10

hostname(config)# sla monitor schedule 123 life forever start-time now

hostname(config)# track 1 rtr 123 reachability

Related Commands

Command	Description
frequency	Specifies the rate at which the SLA operation repeats.
sla monitor	Defines an SLA monitoring operation.

timeout pinhole

To configure the timeout for DCERPC pinholes and override the global system pinhole timeout of two minutes, use the timeout pinhole command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

timeout pinhole hh:mm:ss

no timeout pinhole

Syntax Description

hh:mm:ss

The timeout for pinhole connections. Value is between 0:0:1 and 1193:0:0.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Parameters configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure the pinhole timeout for pin hole connections in a DCERPC inspection policy map:

hostname(config)# policy-map type inspect dcerpc dcerpc_map

hostname(config-pmap)# parameters

hostname(config-pmap-p)# timeout pinhole 0:10:00

Related Commands

Command	Description
class	Identifies a class map name in the policy map.
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a Layer 3/4 policy map.
show running-config policy-map	Display all current policy map configurations.

time-range

To enter time-range configuration mode and define a time range that you can attach to traffic rules, or an action, use the time-range command in global configuration mode. To disable, use the no form of this command.

time-range name

no time-range name

Syntax Description

name	Name of the time range. The name must be 64 characters or less.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Creating a time range does not restrict access to the device. The time-range command defines the time range only. After a time range is defined, you can attach it to traffic rules or an action.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.

The time range relies on the system clock of the ASA; however, the feature works best with NTP synchronization.

Examples

The following example creates a time range named "New_York_Minute" and enters time range configuration mode:

hostname(config)# time-range New_York_Minute

hostname(config-time-range)#

After you have created a time range and entered time-range configuration mode, you can define time range parameters with the absolute and periodic commands. To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended command to bind the time range to an ACL. The following example binds an ACL named "Sales" to a time range named "New_York_Minute":

hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 
209.165.201.1 time-range New_York_Minute

hostname(config)# 

See the access-list extended command for more information about ACLs.

Related Commands

Command	Description
absolute	Defines an absolute time when a time range is in effect.
access-list extended	Configures a policy for permitting or denying IP traffic through the ASA.
default	Restores default settings for the time-range command absolute and periodic keywords.
periodic	Specifies a recurring (weekly) time range for functions that support the time-range feature.

timeout secure-phones

To configure the idle timeout after which the secure-phone entry is removed from the Phone Proxy database, use the timeout secure-phones command in phone-proxy configuration mode. To set the timeout value back to the default of 5 minutes, use the no form of this command.

timeout secure-phones hh:mm:ss

no timeout secure-phones hh:mm:ss

Syntax Description 

hh:mm:ss

Specifies the idle timeout after which the object is removed. The default is 5 minutes.

Defaults

The default value for secure phone timeout is 5 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	—	—

Command History 

Release	Modification
8.0(4)	The command was introduced.

Usage Guidelines

Since secure phones always request a CTL file upon bootup, the Phone Proxy creates a database that marks the phone as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). The entry's timestamp is updated for each registration refresh the Phone Proxy receives for SIP phones and KeepAlives for SCCP phones.

The default value for the timeout secure-phones command is 5 minutes. Specify a value that is greater than the maximum timeout value for SCCP KeepAlives and SIP Register refresh. For example, if the SCCP Keepalives are configured for 1 minute intervals and the SIP Register Refresh is configured for 3 minutes, configure this timeout value greater than 3 minutes.

Examples

The following example shows the use of the timeout secure-phones command to configure the Phone Proxy to timeout entries in the secure phone database after 3 minutes:

hostname(config)# phone-proxy asa_phone_proxy

hostname(config-phone-proxy)# tftp-server address 192.168.1.2 in interface outside

hostname(config-phone-proxy)# tftp-server address 192.168.1.3 in interface outside

hostname(config-phone-proxy)# media-termination address 192.168.1.4

hostname(config-phone-proxy)# tls-proxy asa_tlsp

hostname(config-phone-proxy)# ctl-file asactl

hostname(config-phone-proxy)# timeout secure-phones 00:03:00

Related Commands 

Command	Description
phone-proxy	Configures the Phone Proxy instance.

timers lsa arrival

To set the minimum interval at which the ASA accepts the same LSA from OSPFv3 neighbors, use the timers lsa arrival command in IPv6 router configuration mode. To restore the default value, use the no form of this command.

timers lsa arrival milliseconds

no timers lsa arrival milliseconds

Syntax Description

milliseconds

Specifies the minimum delay in milliseconds that must pass between acceptance of the same LSA that is arriving between neighbors. Valid values are from 0 to 600,000 milliseconds.

Defaults

The default is 1000 millliseconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
IPv6 router configuration	•	—	•	—	—

Command History

Release	Modification
9.0(1)	This command was introduced.

Usage Guidelines

Use this command to indicate the minimum interval that must pass between acceptance of the same LSA that is arriving from neighbors.

Examples

The following example sets the minimum interval for accepting the same LSA at 2000 milliseconds:

hostname(config-if)# ipv6 router ospf 1

hostname(config-rtr)# log-adjacency-changes

hostname(config-rtr)# timers lsa arrival 2000

Related Commands

Command	Description
ipv6 router ospf	Enters router configuration mode for OSPFv3.
show ipv6 ospf	Displays general information about the OSPFv3 routing processes.
timers pacing flood	Configures LSA flood packet pacing for OSPFv3 routing processes.

timers lsa-group-pacing (OSPFv2)

To specify the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing command in router configuration mode. To restore the default value, use the no form of this command.

timers lsa-group-pacing seconds

no timers lsa-group-pacing [seconds]

Syntax Description

seconds

The interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged. Valid values are from 10 to 1800 seconds.

Defaults

The default interval is 240 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Router configuration	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

To change the interval at which the OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing seconds command. To return to the default timer values, use the no timers lsa-group-pacing command.

Examples

The following example sets the group processing interval of LSAs to 500 seconds:

hostname(config-rtr)# timers lsa-group-pacing 500

hostname(config-rtr)# 

Related Commands

Command	Description
router ospf	Enters router configuration mode.
show ospf	Displays general information about the OSPF routing processes.
timers spf	Specifies the shortest path first (SPF) calculation delay and hold time

timers pacing flood (OSPFv3)

To configure LSA flood packet pacing, use the timers pacing flood command in IPv6 router configuration mode. To restore the default flood packet pacing value, use the no form of this command.

timers pacing flood milliseconds

no timers pacing flood milliseconds

Syntax Description

milliseconds

Specifies the time in milliseconds at which LSAs in the flooding queue are paced in-between updates. The configurable range is from 5 to 100 milliseconds.

Defaults

The default is 33 millliseconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
IPv6 router configuration	•	—	•	—	—

Command History

Release	Modification
9.0(1)	This command was introduced.

Usage Guidelines

Use this command to configure LSA flood packet pacing.

Examples

The following example configures LSA flood packet pacing updates to occur in 20-millisecond intervals for OSPFv3:

hostname(config-if)# ipv6 router ospf 1

hostname(config-rtr)# timers pacing flood 20

Related Commands

Command	Description
ipv6 router ospf	Enters IPv6 router configuration mode.
timers pacing lsa-group	Specifies the interval at which OSPFv3 LSAs are collected into a group and refreshed, check summed, or aged.

timers pacing lsa-group (OSPFv3)

To specify the interval at which OSPFv3 LSAs are collected into a group and refreshed, check summed, or aged, use the timers pacing lsa-group command in IPv6 router configuration mode. To restore the default value, use the no form of this command.

timers pacing lsa-group seconds

no timers pacing lsa-group [seconds]

Syntax Description

seconds

Specifies the number of seconds in the interval at which LSAs are collected into a group and refreshed, check summed, or aged. Valid values are from 10 to 1800 seconds.

Defaults

The default interval is 240 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
IPv6 router configuration	•	—	•	—	—

Command History

Release	Modification
9.0(1)	This command was introduced.

Usage Guidelines

Use this command to indicate the interval at which the OSPFv3 LSAs are collected into a group and refreshed, check summed, or aged.

Examples

The following example configures OSPFv3 group packet pacing updates between LSA groups to occur in 300-seconds intervals for OSPFv3 routing process 1:

hostname(config-if)# ipv6 router ospf 1

hostname(config-rtr)# timers pacing lsa-group 300

Related Commands

Command	Description
ipv6 router ospf	Enters IPv6 router configuration mode.
show ipv6 ospf	Displays general information about the OSPFv3 routing processes.
timers pacing flood	Configures LSA flood packet pacing for OSPFv3 routing processes.

timers spf

To specify the shortest path first (SPF) calculation delay and hold time, use the timers spf command in router configuration mode. To restore the default values, use the no form of this command.

timers spf delay holdtime

no timers spf [delay holdtime]

Syntax Description

delay	Specifies the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation in seconds, from 1 to 65535.
holdtime	The hold time between two consecutive SPF calculations in seconds; valid values are from 1 to 65535.

Defaults

The defaults are as follows:

•delay is 5 seconds.

•holdtime is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Router configuration	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Usage Guidelines

To configure the delay time between when the OSPF protocol receives a topology change and when it starts a calculation, and the hold time between two consecutive SPF calculations, use the timers spf command. To return to the default timer values, use the no timers spf command.

Examples

The following example sets the SPF calculation delay to 10 seconds and the SPF calculation hold time to 20 seconds:

hostname(config-router)# timers spf 10 20

hostname(config-router)#

Related Commands

Command	Description
router ospf	Enters router configuration mode.
show ospf	Displays general information about the OSPF routing processes.
timers lsa-group-pacing	Specifies the interval at which OSPF link-state advertisements (LSAs) are collected and refreshed, checksummed, or aged.

timers throttle

To configure LSA or SPF OSPFv3 throttling, use the timers throttle command in IPv6 router configuration mode. To remove the throttling configuration, use the no form of this command.

timers throttle [lsa | spf] milliseconds1 milliseconds2 milliseconds3

no timers throttle [lsa | spf]

Syntax Description

lsa	Configures OSPFv3 LSA throttling.
milliseconds1	Specifies the delay in milliseconds to generate the first occurrence of the LSA. Specifies the delay in milliseconds to receive a change to the SPF calculation.
milliseconds2	Specifies the maximum delay in milliseconds to originate the same LSA. Specifies the delay in milliseconds between the first and second SPF calculations.
milliseconds3	Specifies the minimum delay in milliseconds to originate the same LSA. Specifies the maximum wait time in milliseconds for SPF calculations.
spf	Configures OSPFv3 SPF throttling.

Defaults

LSA throttling:

•For milliseconds1, the default value is 0 milliseconds.

•For millseconds2, the default value is 5000 milliseconds.

•For milleseconds3, the default value is 5000 milliseconds.

SPF throttling:

•For milliseconds1, the default value is 5000 milliseconds.

•For millseconds2, the default value is 10000 milliseconds.

•For milleseconds3, the default value is 10000 milliseconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
IPv6 router configuration	•	—	•	•	—

Command History

Release	Modification
9.0(1)	This command was introduced.

Usage Guidelines

LSA and SPF throttling provide a dynamic mechanism to slow down LSA updates in OSPFv3 during times of network instability and allow faster OSPFv3 convergence by providing LSA rate limiting in milliseconds.

For LSA throttling, if the minimum or maximum time is less than the first occurrence value, then OSPFv3 automatically corrects to the first occurrence value. Similarly, if the maximum delay specified is less than the minimum delay, then OSPFv3 automatically corrects to the minimum delay value.

For SPF throttling, if milliseconds2 or milliseconds3 is less than milliseconds1, then OSPFv3 automatically corrects to the milliseconds1 value. Similarly, if milliseconds3 is less than milliseconds2, then OSPFv3 automatically corrects to the milliseconds2 value.

Examples

The following example configures OSPFv3 LSA throttling in milleseconds:

hostname(config)# ipv6 router ospf 10

hostname(config-rtr)# timers throttle lsa 100 4000 5000

For LSA throttling, the following example shows the automatic correction that occurs if the maximum delay value specified is less than the minimum delay value:

hostname(config)# ipv6 router ospf 10 

hostname(config-rtr)# timers throttle lsa 100 50 50

% OSPFv3: Throttle timers corrected to: 100 100 100

hostname(config-rtr)# show running-config ipv6 

ipv6 router ospf 10

 timers throttle lsa 100 100 100

The following example configures OSPFv3 SPF throttling in milleseconds:

hostname(config)# ipv6 router ospf 10

hostname(config-rtr)# timers throttle spf 6000 12000 14000

For SPF throttling, the following example shows the automatic correction that occurs if the maximum delay value specified is less than the minimum delay value:

hostname(config)# ipv6 router ospf 10 

hostname(config-rtr)# timers throttle spf 100 50 50

% OSPFv3: Throttle timers corrected to: 100 100 100

hostname(config-rtr)# show running-config ipv6 

ipv6 router ospf 10

 timers throttle spf 100 100 100

Related Commands

Command	Description
ipv6 router ospf	Enters IPv6 router configuration mode.
show ipv6 ospf	Displays general information about the OSPFv3 routing processes.
timers lsa-group-pacing	Specifies the interval at which OSPFv3 LSAs are collected and refreshed, checksummed, or aged.

title

To customize the title of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the title command from webvpn customization mode:

title {text | style} value

[no] title {text | style} value

To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

Syntax Description

text	Specifies you are changing the text.
style	Specifies you are changing the style.
value	The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).

Defaults

The default title text is "WebVPN Service".

The default title style is:

background-color:white;color:maroon;border-bottom:5px groove #669999;font-size:larger;
vertical-align:middle;text-align:left;font-weight:bold

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Webvpn customization	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

To have no title, use the title text command without a value argument.

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

•You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

•RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

•HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

---

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

---

Examples

In the following example, the title is customized with the text "Cisco WebVPN Service":

hostname(config)# webvpn

hostname(config-webvpn)# customization cisco

hostname(config-webvpn-custom)# title text Cisco WebVPN Service

Related Commands

Command	Description
logo	Customizes the logo on the WebVPN page.
page style	Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.