If the firewall receives a Reset (RST) packet that cannot
be verified (because it has an unexpected sequence number within
the TCP window or it is from an asymmetric path), the Unverified
RST timer controls the aging out of the session. It defaults to 30
seconds; the range is 1-600 seconds. The Unverified RST timer provides
an additional security measure, explained in the second bullet below.