7.2(4) code for the ASA

Unanswered Question


I have just come across the following issue: sysopt seems to be missing in the 7.2(4) code? Or has this changed?


ciscoasa# sh run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

ciscoasa# sh run sysopt
ciscoasa# <no output>

ciscoasa(config)# sysopt connection ?
configure mode commands/options:
  permit-vpn  Exempt VPN traffic from access check
  tcpmss      Set maximum TCP MSS limit, specify keyword minimum to configure
              minimum TCP MSS limit. Defaults for maximum and minimum limits
              are 1380 and 0 bytes respectively
  timewait    TCP connection undergoes TIMEWAIT state
ciscoasa(config)# sysopt connection permit-vpn
ciscoasa(config)# sh run sysopt
ciscoasa(config)# <no output>


Overall Rating: 5 (1 ratings)
Farrukh Haroon Thu, 08/14/2008 - 11:26

Seems to be a bug, they fixed an older bug in 7.2(4) as per the Bug Toolkit:



Commands that are system defaults do not show up in the typical "show running-config" output. The purpose of the "show running-config all" command is to allow all configured commands both default and non-default to be viewed in one output. For PIX/ASA, the output of the command "show running-config all" should include the configured sysopt commands such as "sysopt connection tcpmss 1380" which at present, it does not.

ciscoasa# sh run all | incl sys
ciscoasa# sh run all | incl sysopt



Some "sysopt" commands are on as system defaults and do not show in the running configuration output. However, the "show running-config all" output is supposed to show all commands in the running configuration including the defaults like some sysopt commands. This issue is purely cosmetic and does not affect the operation of the PIX/ASA.


Or perhaps you can only see the non-default commands using show run sysopt now (after the fix), and for default commands you have to do:

show run all | inc sysopt

You can check this by configuring a non-default config for one of the sysopt commands.



slug420 Thu, 08/14/2008 - 13:27

The command exists.

It is (no) sysopt connection permit-vpn.

It only shows up in a show run/show conf when it is disabled, and it is enabled by default.
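
The behaviour described in this thread matters for configuration audits: on 7.2(4) an empty "sh run sysopt" still means "sysopt connection permit-vpn" is active, so a plain text search for the command gives the wrong answer. The following is an added example, not code from any poster or from Cisco; it assumes the pre-7.2(4) output quoted in the question is the default set, and the function names are hypothetical.

```python
import re

# Defaults taken from the thread's pre-7.2(4) "sh run sysopt" output and the
# CLI help text; treating that output as the default set is an assumption.
DEFAULTS = {
    "connection permit-vpn": True,
    "connection timewait": False,
    "nodnsalias inbound": False,
    "nodnsalias outbound": False,
    "radius ignore-secret": False,
    "connection tcpmss": 1380,
    "connection tcpmss minimum": 0,
}
LINE = re.compile(r"^(no\s+)?sysopt\s+(.+?)\s*$")
NUMERIC = re.compile(r"^(connection tcpmss(?: minimum)?)\s+(\d+)$")


def effective_sysopt(show_run_text):
    """Overlay explicit sysopt lines from 'show running-config' output on the
    defaults, so options hidden because they are default are still reported."""
    state = dict(DEFAULTS)
    for raw in show_run_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, help text and unrelated config lines
        negated, rest = bool(m.group(1)), m.group(2)
        num = NUMERIC.match(rest)
        if num:
            key = num.group(1)
            # "no sysopt connection tcpmss ..." reverts to the default value
            state[key] = DEFAULTS[key] if negated else int(num.group(2))
        elif rest in state:
            state[rest] = not negated
    return state


def vpn_bypasses_acl(show_run_text):
    """True when VPN traffic is exempt from the interface access check."""
    return effective_sysopt(show_run_text)["connection permit-vpn"]


# Constructed sample inputs (not captured from a real device).
EMPTY_724 = ""  # 7.2(4): 'sh run sysopt' prints nothing when all are default
DISABLED = "no sysopt connection permit-vpn\nsysopt connection tcpmss 1300\n"

if __name__ == "__main__":
    for name, cfg in (("empty", EMPTY_724), ("disabled", DISABLED)):
        print(name, effective_sysopt(cfg))
```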

