From: Tom Lijnse (Tom.Lijnse@globalknowledge.nl)
Date: Thu Jun 30 2005 - 05:41:22 GMT-3
Hi,
Yes, that is correct.
In watch mode all the router does is monitor the initial handshake and,
if it does not complete, send an RST to the server to clear the session.
In intercept mode the router acts as a man-in-the-middle for the
duration of the session: the router 'manages' the session, as they phrase
it in the documentation. If you look at the definition of the connection
timeout you'll see that it reads:
"To change how long a TCP connection will be managed by the TCP
intercept after no activity, use the ip tcp intercept connection-timeout
command"
Even though they don't mention this specifically I'd say that it should
be clear that this applies only to intercept mode, since watch mode does
not 'manage' the session.
So it seems that your test results are in sync with the documentation.
Regards,
Tom Lijnse
CCIE #11031
Global Knowledge
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Wednesday 29 June 2005 20:54
To: ccielab@groupstudy.com
Subject: TCP Intercept timeout
Hi,
Cisco's pages do not say it and neither does Deal's book, but tests show 'ip
tcp intercept connection-timeout' only works for Intercept mode.
Do you get the same result?
*Mar 1 07:03:23: INTERCEPT: new connection (148.5.14.4:11060 SYN -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 <- ACK+SYN 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT: 1st half of connection is established (148.5.14.4:11060 ACK -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 SYN -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT: 2nd half of connection established (148.5.14.4:11060 <- ACK+SYN 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 ACK -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 <- WINDOW 150.100.1.254:23)
*Mar 1 07:03:56: INTERCEPT: ESTAB timing out (148.5.14.4:11060 <-> 150.100.1.254:23)
*Mar 1 07:03:56: INTERCEPT(*): (148.5.14.4:11060 <- RST 150.100.1.254:23)
*Mar 1 07:03:56: INTERCEPT(*): (148.5.14.4:11060 RST -> 150.100.1.254:23)
Rack2R1(config)#ip tcp intercept mode watch
*Mar 1 07:06:46: INTERCEPT: new connection (148.5.14.4:11063 SYN -> 150.100.1.254:23)
*Mar 1 07:06:46: INTERCEPT: (148.5.14.4:11063 <- ACK+SYN 150.100.1.254:23)
*Mar 1 07:06:46: INTERCEPT: (148.5.14.4:11063 ACK -> 150.100.1.254:23)
The connection never times out when configured for watch mode.
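As an added illustration that is not part of this thread: a small Python script that folds `debug ip tcp intercept` output like the two captures above into a per-connection summary (mode, packets the router sent, whether the established session was timed out, and its lifetime in seconds). It assumes, as both captures suggest, that the `(*)` suffix marks packets the router itself generated; the embedded sample is the poster's output with wrapped lines rejoined.

```python
import re
from datetime import datetime

# One 'debug ip tcp intercept' line; the (*) suffix is assumed to mark packets the router sent.
LINE_RE = re.compile(r"^\*(?P<ts>\w+\s+\d+ \d\d:\d\d:\d\d): INTERCEPT(?P<spoof>\(\*\))?: "
                     r"(?P<event>[^(]*)\((?P<conn>.*)\)$")
ENDPOINT_RE = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+")
ARROWS = {"->", "<-", "<->"}

# Constructed sample input: the two captures from the post, with wrapped lines rejoined.
INTERCEPT_MODE_LOG = """\
*Mar 1 07:03:23: INTERCEPT: new connection (148.5.14.4:11060 SYN -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 <- ACK+SYN 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT: 1st half of connection is established (148.5.14.4:11060 ACK -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 SYN -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT: 2nd half of connection established (148.5.14.4:11060 <- ACK+SYN 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 ACK -> 150.100.1.254:23)
*Mar 1 07:03:23: INTERCEPT(*): (148.5.14.4:11060 <- WINDOW 150.100.1.254:23)
*Mar 1 07:03:56: INTERCEPT: ESTAB timing out (148.5.14.4:11060 <-> 150.100.1.254:23)
*Mar 1 07:03:56: INTERCEPT(*): (148.5.14.4:11060 <- RST 150.100.1.254:23)
*Mar 1 07:03:56: INTERCEPT(*): (148.5.14.4:11060 RST -> 150.100.1.254:23)
"""
WATCH_MODE_LOG = """\
*Mar 1 07:06:46: INTERCEPT: new connection (148.5.14.4:11063 SYN -> 150.100.1.254:23)
*Mar 1 07:06:46: INTERCEPT: (148.5.14.4:11063 <- ACK+SYN 150.100.1.254:23)
*Mar 1 07:06:46: INTERCEPT: (148.5.14.4:11063 ACK -> 150.100.1.254:23)
"""

def summarize(log):
    """Fold debug lines into one record per (client, server) pair."""
    conns = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, server = ENDPOINT_RE.findall(m["conn"])
        rec = conns.setdefault((client, server),
                               {"mode": "watch", "router_sent": [], "timed_out": False, "stamps": []})
        rec["stamps"].append(datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S"))
        if m["spoof"]:  # router-generated packet: only intercept mode proxies the handshake
            rec["mode"] = "intercept"
            rec["router_sent"] += [t for t in m["conn"].split()[1:-1] if t not in ARROWS]
        if "timing out" in m["event"]:  # connection-timeout fired on an established session
            rec["timed_out"] = True
    for rec in conns.values():  # seconds between the first and last line seen for the pair
        rec["lifetime_s"] = int((rec["stamps"][-1] - rec["stamps"][0]).total_seconds())
        del rec["stamps"]
    return conns
```

Run over the two captures, it classifies the first session as intercept mode with a router-sent RST 33 seconds after the handshake and the second as watch mode with no router-sent packets and no timeout, which is the difference the poster observed.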
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:46 GMT-3