RE: ip tcp intercept watch-timeout

From: Lord, Chris (chris.lord@lorien.co.uk)
Date: Fri Sep 10 2004 - 17:19:16 GMT-3


Both "intercept mode" and "watch mode" monitor (or watch) the duration of incomplete TCP sessions and close them down after a period of time (watch-time).

When operating in "intercept" mode (proxy), the watch-time is fixed at 30 seconds until the number of incomplete sessions reaches an upper threshold (one-minute-high). At this point it needs to start closing down incomplete sessions more quickly to protect the server, so it goes into aggressive mode, which simply means it only waits for 15 seconds before closing sessions instead of 30 seconds. The 30 sec and 15 sec watch-times are fixed and not configurable.

When operating in "watch" mode (passive) the watch-time is configurable to a value of your choosing.

Regards,

Chris

-----Original Message-----
From: Peng Zheng [mailto:zpnist@yahoo.com]
Sent: 10 September 2004 17:18
To: Lord, Chris; ccielab@groupstudy.com
Subject: RE: ip tcp intercept watch-timeout

What is the meaning of "During aggressive mode, the watch timeout time is cut in half."?

--- "Lord, Chris" <chris.lord@lorien.co.uk> wrote:

> When using "intercept mode" you cannot influence the
> default timers using "ip tcp intercept watch-timeout
> 20" - these timers are fixed.
>
> If you want to change the operation of tcp intercept
> you have to configure it for "watch mode" THEN use
> "watch-timeout" - you must do both of these.
>
> Chris.
>
> -----Original Message-----
> From: Peng Zheng [mailto:zpnist@yahoo.com]
> Sent: 10 September 2004 06:35
> To: ccielab@groupstudy.com
> Subject: ip tcp intercept watch-timeout
>
>
> From the link:
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800d9805.html#1017995
>
> I found this:
>
> "Use this command if you have set the TCP intercept to
> passive watch mode and you want to change the default
> time the connection is watched. During aggressive
> mode, the watch timeout time is cut in half."
>
> Does that mean if I want to set timeout to 10 seconds
> for intercept mode, I should use:
>
> ip tcp intercept watch-timeout 20
>
> Any idea?
>
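
An added example, not part of the original thread or of Cisco's documentation: a watch-mode configuration that uses together the two commands the replies say must be combined. The ACL number, the server address 192.0.2.10 and the threshold values are constructed for illustration.

```cisco
! Constructed example: 192.0.2.10 stands in for the protected server;
! ACL 101 and the threshold values below are illustrative.
access-list 101 permit tcp any host 192.0.2.10
!
! Apply TCP intercept only to connections matching ACL 101.
ip tcp intercept list 101
!
! Passive watch mode. Per the replies in this thread, watch-timeout
! only takes effect once this mode is configured.
ip tcp intercept mode watch
!
! Seconds an incomplete session is watched before it is closed.
! Per the command reference quoted in the thread, aggressive mode
! halves this value (20 s configured -> 10 s while aggressive).
ip tcp intercept watch-timeout 20
!
! Thresholds that start (high) and end (low) aggressive mode.
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
```

`show tcp intercept statistics` and `show tcp intercept connections` display the active mode and the sessions currently being tracked.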



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:41 GMT-3