From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Jan 06 2005 - 20:29:01 GMT-3
Mark,
According to Brian McGahan, ip tcp intercept watch-timeout SHOULD work in
either mode.
But, I couldn't find anything more definitive than that.
On the other hand, if you use the "?" when you enter the command, here's
what you get:
Rack1R4(config)#ip tcp intercept ?
  watch-timeout  Specify timeout for incomplete connections in watch mode
Notice, the help explicitly says, "watch mode".
So, I'm still hoping for the true, definitive answer to come forward.
But, on the other hand, in the real lab, if we were asked something similar,
we could probably assume that the command does apply to intercept mode,
because otherwise they wouldn't ask us to do it.
Thanks for your responses, Tim
----- Original Message -----
From: "Mark Lasarko" <mlasarko@co.ba.md.us>
To: <ccielab@groupstudy.com>; <ccie2be@nyc.rr.com>
Sent: Thursday, January 06, 2005 6:04 PM
Subject: Re: ip tcp intercept watch-timeout <#of seconds>
> My logic is that SYN requests through to the host being protected were
> what this command tracked, and that would only occur in passive (watch)
> mode, not intercept, since the SYN is not allowed to simply pass through
> in intercept mode.
>
> That said, I see your point clearly, good question.
> ~M
>
> >>> "ccie2be" <ccie2be@nyc.rr.com> 1/6/2005 5:31:17 PM >>>
>
> Hmmm, you may be right but this is what the documentation says:
>
> "By default, the software waits for 30 seconds for a watched connection to
> reach established state before sending a Reset to the server. To change this
> value, use the following command in global configuration mode: "
>
> By saying the router waits 30 seconds "to reach established state", that
> could apply to either intercept or watch mode, couldn't it?
>
> At least, that must mean the router is waiting for the third "leg" of the
> TCP handshake, so I don't think that the router immediately sending a
> SYN-ACK infers the answer to this, but I'm not sure.
>
> ----- Original Message -----
> From: "Mark Lasarko" <mlasarko@co.ba.md.us>
> To: <ccielab@groupstudy.com>; <ccie2be@nyc.rr.com>
> Sent: Thursday, January 06, 2005 5:18 PM
> Subject: Re: ip tcp intercept watch-timeout <#of seconds>
>
>
> > Greetings Tim,
> >
> > I think this command only applies to the watch mode because as I
> > understand it, in (default) intercept mode, the router automatically
> > responds to the SYN request immediately on behalf of the host via
> > SYN-ACK, and waits for an ACK from the client before allowing the
> > connection through.
> >
> > Therefore I do not believe this setting would be applicable to
> > intercept mode, only passive/watch since in intercept mode there is
> > nothing, no SYN open... that is, to "watch".
> >
> > Make sense?
> >
> > Please somebody correct me if I am wrong - I might have some configs to
> > update :)
> >
> > Best,
> > ~M
> >
> >
> > >>> "ccie2be" <ccie2be@nyc.rr.com> 1/6/2005 4:55:45 PM >>>
> >
> > Hi guys,
> >
> > Does the above command apply to both tcp intercept modes: intercept and
> > watch, or just the watch mode?
> >
> > TIA, Tim
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
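For reference, here is a minimal IOS configuration that exercises the command the thread is asking about. It is an added illustration, not a config posted by anyone in the thread; the ACL number, the protected server address and the 20-second value are arbitrary choices. Because both the context-sensitive help and the documentation quoted above tie the timer to watch mode, the example puts TCP intercept into watch mode explicitly (the default is intercept mode), and the show commands at the end are what you would use on the router to confirm how incomplete connections are being handled.

```cisco
! Added example, not from the thread. Assumed values: ACL 101,
! protected server 10.1.1.10, watch-timeout of 20 seconds.
!
! TCP intercept only acts on SYNs whose destination matches this ACL.
access-list 101 permit tcp any host 10.1.1.10 eq 80
!
ip tcp intercept list 101
!
! Default mode is intercept: the router answers the client's SYN with a
! SYN-ACK on the server's behalf. Watch mode lets the SYN through and only
! steps in if the handshake does not complete.
ip tcp intercept mode watch
!
! How long an incomplete connection (SYN seen, not yet established) is
! tolerated in watch mode before the router sends a reset to the server.
! The default is 30 seconds.
ip tcp intercept watch-timeout 20
!
! Verification from enable mode:
!   show tcp intercept connections
!   show tcp intercept statistics
!   debug ip tcp intercept
```

To check the behaviour the thread is debating on your own router, leave the timer at a low value, switch between `ip tcp intercept mode watch` and `ip tcp intercept mode intercept`, and compare what `show tcp intercept connections` and `debug ip tcp intercept` report for a connection whose handshake never completes.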
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:19 GMT-3