Re: tcp Intercept timers

From: sabrina pittarel (sabri_esame@yahoo.com)
Date: Thu Sep 14 2006 - 12:39:16 ART


I'm sure I'm missing your point.
The question states that a reset should be sent. That calls for watch-timeout... Are you referring to the fact that the default is already 30 sec?
Yes, you are right:

Rack1R3(config)#ip tcp intercept watch-timeout 30
Rack1R3(config)#
Rack1R3#
Rack1R3#sh run | i watch
Rack1R3#

It only means that nothing needs to be done for the question.

Sabrina

----- Original Message ----
From: route flap <routeflap@gmail.com>
To: Cisco certification <ccielab@groupstudy.com>
Sent: Thursday, September 14, 2006 6:41:39 AM
Subject: tcp Intercept timers

Hi Guys,

While doing IEWB Lab 14 Task 9 I found this question, which states:

In the meantime configure R4 to be a proxy for all TCP sessions initiated to
this server. And one of the inner bullets of the task says R4 should send a
reset for any TCP sessions that have not reached the established state after
30 seconds.

The solution uses: ip tcp intercept watch-timeout 30

The book by Richard A. Deal, Cisco Router Firewall Security (ISBN
1-58705-175-3), says:

*** The ip tcp intercept watch-timeout command specifies the maximum length
of time that the router will wait, in watch mode, for a TCP connection to
complete the three-way handshake. This value defaults to 30 seconds. If the
connection is not reached in this time period, the router sends a reset to
the server (destination).

*** When a router with TCP Intercept enabled monitors a connection that is
in the process of being torn down, it expects the connection to be torn down
within 5 seconds, by default, from the receipt of a reset or FIN exchange.
When this time period is reached, the router ceases to manage the
connection. You can change this value with the ip tcp intercept
finrst-timeout command.

Please advise.
-RalF
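The configuration the thread is discussing, written out as a complete TCP Intercept fragment with both timers from the book excerpt. This is an added example, not from either poster, the IEWB solution, or Deal's book. The router name, the access-list number 100 and the server address 10.1.1.100 are assumptions chosen for illustration; the mode is set to watch explicitly because the watch-timeout is the timer that governs watch mode, and whether the task's wording "proxy" calls for watch or intercept mode is left to the reader.

```cisco
! Added example, not from the thread. ACL number 100 and the server
! address 10.1.1.100 are assumptions chosen for illustration.
!
! Restrict TCP Intercept to sessions destined to the protected server.
access-list 100 permit tcp any host 10.1.1.100
ip tcp intercept list 100
!
! Watch mode: the router passively watches the handshake instead of
! answering the client's SYN itself (the default mode is intercept).
ip tcp intercept mode watch
!
! Send a reset to the server if a watched connection has not completed
! the three-way handshake within 30 seconds. 30 is the default, so this
! line never shows up in "show running-config", exactly as Sabrina saw.
ip tcp intercept watch-timeout 30
!
! Stop managing a connection 5 seconds after a FIN exchange or a RST is
! seen. Also the default, so it is likewise absent from the running config.
ip tcp intercept finrst-timeout 5
```

Because IOS only stores non-default values, `show run | include intercept` will list the `list` and `mode` lines but neither timer. To confirm the feature is actually tracking sessions, use `show tcp intercept connections` (half-open and established entries with their remaining time) and `show tcp intercept statistics` rather than the running configuration.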



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART