From: sabrina pittarel (sabri_esame@yahoo.com)
Date: Thu Sep 14 2006 - 14:10:48 ART
Oh, I see. You mean that there is some inconsistency between the requirement of the router behaving as a proxy (intercept mode) and the generation of the RST.
You are right, it is a mistake...and it was discussed a few weeks back. Check the archives.
Sabrina
----- Original Message ----
From: route flap <routeflap@gmail.com>
To: sabrina pittarel <sabri_esame@yahoo.com>
Cc: Cisco certification <ccielab@groupstudy.com>
Sent: Thursday, September 14, 2006 8:45:09 AM
Subject: Re: tcp Intercept timers
Sabrina,
Maybe I was not clear enough in my last email, but AFAIK the watch-timeout command only works in TCP Intercept watch mode.
The default is intercept mode, as you know.
thanks
-RalF
On 9/14/06, sabrina pittarel <sabri_esame@yahoo.com> wrote:
I'm sure I'm missing your point.
The question states that a reset should be sent. That calls for watch-timeout...Are you referring to the fact that the default is already 30 sec?
Yes you are right:
Rack1R3(config)#ip tcp intercept watch-timeout 30
Rack1R3(config)#
Rack1R3#
Rack1R3#sh run | i watch
Rack1R3#
It only means that nothing needs to be done for the question.
Sabrina
----- Original Message ----
From: route flap <routeflap@gmail.com>
To: Cisco certification <ccielab@groupstudy.com>
Sent: Thursday, September 14, 2006 6:41:39 AM
Subject: tcp Intercept timers
Hi Guys,
While doing IEWB Lab 14 Task 9 I found this question that states:
In the meantime configure R4 to be a proxy for all TCP sessions initiated to
this server. And one of the inner bullets of the task says R4 should send a
reset for any TCP sessions that have not reached the established state after
30 seconds.
The solution is using: ip tcp intercept watch-timeout 30
The book by Richard A. Deal, Cisco Router Firewall Security (ISBN
1-58705-175-3), says:
*** The ip tcp intercept watch-timeout command specifies the maximum length
of time that the router will wait, in watch mode, for a TCP connection to
complete the three-way handshake. This value defaults to 30 seconds. If the
connection is not reached in this time period, the router sends a reset to
the server (destination).
*** When a router with TCP Intercept enabled monitors a connection that is
in the process of being torn down, it expects the connection to be torn down
within 5 seconds, by default, from the receipt of a reset or FIN exchange.
When this time period is reached, the router ceases to manage the
connection. You can change this value with the ip tcp intercept
finrst-timeout command.
Please advise.
-RalF
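As an added example, not configuration from the thread, the workbook or the book, here is how the two TCP Intercept modes and the timers quoted above map onto IOS configuration on R4. The server address 10.1.1.100 and access-list number 100 are assumptions. The point the thread settles on is visible in the layout: the reset-to-server behaviour and its watch-timeout belong to watch mode, while in the default intercept mode the router answers the client's SYN itself and the server never sees a half-open session, so there is nothing to reset.

```cisco
! Added example (not from the thread). Server 10.1.1.100 and ACL 100 are assumed.
! Select which inbound TCP sessions R4 manages: everything destined to the server.
access-list 100 permit tcp any host 10.1.1.100
ip tcp intercept list 100
!
! Intercept mode (the default, so it does not appear in "show run"):
! R4 completes the three-way handshake with the client on the server's behalf
! and only then opens the connection to the server. This is the "proxy" the task asks for.
ip tcp intercept mode intercept
!
! Watch mode alternative: R4 only observes the handshake. If it has not completed
! within watch-timeout seconds, R4 sends a RST to the server to clear the embryonic
! connection. 30 seconds is the default, which is why Sabrina's "sh run | i watch"
! showed nothing after entering it.
! ip tcp intercept mode watch
! ip tcp intercept watch-timeout 30
!
! Teardown timer (not tied to a mode in the book's description): after a FIN
! exchange or RST, R4 stops managing the connection after this many seconds.
! 5 is the default.
ip tcp intercept finrst-timeout 5
!
! Verification: which sessions R4 is currently managing, and aggregate counters.
! show tcp intercept connections
! show tcp intercept statistics
```

When checking a lab answer, compare "show running-config | include intercept" against the task wording rather than against the solution text: a timer left at its default will not appear in the running config even though the command was typed, as the thread shows.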
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART