Re: ip tcp intercept watch-timeout <#of seconds>

From: Mark Lasarko (mlasarko@co.ba.md.us)
Date: Thu Jan 06 2005 - 20:04:32 GMT-3


My logic is that SYN requests through to the host being protected were
what this command tracked, and that would only occur in passive (watch)
mode, not intercept, since the SYN is not allowed to simply pass through
in intercept mode.
 
That said, I see your point clearly, good question.
~M

>>> "ccie2be" <ccie2be@nyc.rr.com> 1/6/2005 5:31:17 PM >>>

Hmmm, you may be right but this is what the documentation says:

"By default, the software waits for 30 seconds for a watched connection to
reach established state before sending a Reset to the server. To change this
value, use the following command in global configuration mode: "

By saying the router waits 30 seconds "to reach established state", that
could apply to either intercept or watch mode, couldn't it?

At least, that must mean the router is waiting for the third "leg" of the
tcp handshake, so I don't think that since the router immediately sends a
syn-ack infers the answer to this, but I'm not sure.

----- Original Message -----
From: "Mark Lasarko" <mlasarko@co.ba.md.us>
To: <ccielab@groupstudy.com>; <ccie2be@nyc.rr.com>
Sent: Thursday, January 06, 2005 5:18 PM
Subject: Re: ip tcp intercept watch-timeout <#of seconds>

> Greetings Tim,
>
> I think this command only applies to the watch mode because as I
> understand it, in (default) intercept mode, the router automatically
> responds to the SYN request immediately on behalf of the host via
> SYN-ACK, and waits for an ACK from the client before allowing the
> connection through.
>
> Therefore I do not believe this setting would be applicable to
> intercept mode, only passive/watch since in intercept mode there is
> nothing, no SYN open... that is, to "watch".
>
> Make sense?
>
> Please somebody correct me if I am wrong - I might have some configs to
> update :)
>
> Best,
> ~M
>
>
> >>> "ccie2be" <ccie2be@nyc.rr.com> 1/6/2005 4:55:45 PM >>>
>
> Hi guys,
>
> Does the above command apply to both tcp intercept modes: intercept and
> watch, or just the watch mode?
>
> TIA, Tim
>
>
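The following is an added example, not part of the thread or of any Cisco code: a small Python model of the two TCP intercept modes as the messages above describe them (intercept mode, where the router answers the SYN itself and only opens the server side after the client's ACK; and watch mode, where the SYN passes through and the router resets the server if the connection has not reached established state within the watch timeout). The event names, the `run_scenario` helper and the addresses are constructed for illustration; the only value taken from the thread is the 30-second default.

```python
# Constructed model of the two TCP intercept modes discussed in the thread.
# It follows the behaviour the messages describe (router-proxied handshake in
# intercept mode, passive tracking plus a watch-timeout reset in watch mode);
# it is not IOS code, and the state and event names are hypothetical.
from dataclasses import dataclass

WATCHED = "half_open_at_server"      # watch mode: SYN went through, no ACK yet
PROXIED = "synack_sent_by_router"    # intercept mode: router answered, server untouched
ESTABLISHED = "established"
RESET = "reset"


@dataclass
class Flow:
    client: str
    server: str
    state: str
    opened_at: float


class TcpInterceptModel:
    def __init__(self, mode="intercept", watch_timeout=30.0):
        if mode not in ("intercept", "watch"):
            raise ValueError("mode must be 'intercept' or 'watch'")
        self.mode = mode
        self.watch_timeout = watch_timeout   # seconds; 30 is the default quoted in the thread
        self.flows = {}
        self.events = []                     # (time, action, (client, server))

    def client_syn(self, t, client, server):
        key = (client, server)
        if self.mode == "intercept":
            # Router completes the handshake with the client itself; the server
            # has not seen a SYN yet, so nothing is half-open on the server side.
            self.flows[key] = Flow(client, server, PROXIED, t)
            self.events.append((t, "router->client SYN-ACK", key))
        else:
            # Watch mode: the SYN passes through and the router only tracks it.
            self.flows[key] = Flow(client, server, WATCHED, t)
            self.events.append((t, "SYN forwarded to server", key))

    def client_ack(self, t, client, server):
        key = (client, server)
        flow = self.flows.get(key)
        if flow is None or flow.state in (ESTABLISHED, RESET):
            return
        if self.mode == "intercept":
            # Client proved reachable; now the router opens the real server side.
            self.events.append((t, "router->server SYN", key))
        flow.state = ESTABLISHED
        self.events.append((t, "established", key))

    def tick(self, t):
        # Time-driven housekeeping: in watch mode a connection that has not reached
        # established state within watch_timeout gets a RST sent to the server.
        for key, flow in self.flows.items():
            if flow.state == WATCHED and t - flow.opened_at >= self.watch_timeout:
                flow.state = RESET
                self.events.append((t, "router->server RST", key))

    def resets_sent(self):
        return [key for (_, action, key) in self.events if action == "router->server RST"]

    def established(self):
        return sorted(key for key, flow in self.flows.items() if flow.state == ESTABLISHED)

    def server_side_half_open(self):
        return sorted(key for key, flow in self.flows.items() if flow.state == WATCHED)


def run_scenario(mode, watch_timeout=30.0):
    """One well-behaved client and one client whose SYN is never followed by an
    ACK (the half-open pattern TCP intercept exists to contain); returns what
    the modelled router did in the given mode."""
    model = TcpInterceptModel(mode, watch_timeout)
    server = "192.0.2.10"                     # constructed documentation address
    model.client_syn(0.0, "10.0.0.1", server)
    model.client_syn(0.0, "10.0.0.9", server)
    model.client_ack(0.2, "10.0.0.1", server)  # only the first client finishes
    model.tick(watch_timeout - 1.0)            # timer not yet expired
    early_resets = len(model.resets_sent())
    model.tick(watch_timeout)                  # watch_timeout elapsed
    return {
        "established": model.established(),
        "resets": model.resets_sent(),
        "early_resets": early_resets,
        "server_side_half_open": model.server_side_half_open(),
        "server_syns": sum(1 for (_, a, _) in model.events if a == "router->server SYN"),
    }


if __name__ == "__main__":
    for mode in ("watch", "intercept"):
        print(mode, run_scenario(mode))
```

Running the scenario in watch mode shows the incomplete connection being reset toward the server once the timer expires and not before; in intercept mode the same client never causes a SYN to reach the server at all, so the watch timer has no server-side half-open entry to act on. On a real router the mode is chosen with `ip tcp intercept mode {intercept | watch}` and the timer with `ip tcp intercept watch-timeout <seconds>`, and `show tcp intercept connections` lists the connections the router is currently tracking, which is the quickest way to observe which entries a given mode actually creates.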



This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:19 GMT-3