Re: tcp Intercept timers

From: Radoslav Vasilev (deckland@gmail.com)
Date: Wed Sep 20 2006 - 20:32:33 ART


Hi,

This has already been discussed here - it's a workbook error calling
for a timer that is supported in a different TCP intercept mode.

Rado

On 9/14/06, sabrina pittarel <sabri_esame@yahoo.com> wrote:
> Oh,
> I see. You mean that there is some inconsistency between the requirement of the router behaving as a proxy (intercept mode) and the generation of the RST.
>
> You are right, it is a mistake... and it was discussed a few weeks back. Check the archives.
>
> Sabrina
>
>
> ----- Original Message ----
> From: route flap <routeflap@gmail.com>
> To: sabrina pittarel <sabri_esame@yahoo.com>
> Cc: Cisco certification <ccielab@groupstudy.com>
> Sent: Thursday, September 14, 2006 8:45:09 AM
> Subject: Re: tcp Intercept timers
>
> Sabrina,
>
> Maybe I was not clear enough in my last email, but AFAIK the watch-timeout command only works in TCP Intercept Watch Mode.
> The default is intercept mode, as you know.
>
> thanks
> -RalF
>
> On 9/14/06, sabrina pittarel <sabri_esame@yahoo.com> wrote:
> I'm sure I'm missing your point.
> The question states that a reset should be sent. That calls for watch timeout... Are you referring to the fact that the default is already 30sec?
> Yes you are right:
>
> Rack1R3(config)#ip tcp intercept watch-timeout 30
> Rack1R3(config)#
> Rack1R3#
> Rack1R3#sh run | i watch
> Rack1R3#
>
> It only means that nothing needs to be done for the question
>
> Sabrina
>
> ----- Original Message ----
> From: route flap <routeflap@gmail.com>
> To: Cisco certification <ccielab@groupstudy.com>
> Sent: Thursday, September 14, 2006 6:41:39 AM
> Subject: tcp Intercept timers
>
> Hi Guys,
>
> While doing IEWB Lab 14 Task 9 I found this question that states:
>
> In the meantime configure R4 to be a proxy for all TCP sessions initiated to
> this server. And one of the inner bullets of the task says R4 should send a
> reset for any TCP sessions that have not reached the established state after
> 30 seconds.
>
> The solution is using: ip tcp intercept watch-timeout 30
>
> The book by Richard A. Deal, Cisco Router Firewall Security (ISBN
> 1-58705-175-3), says:
>
> *** The ip tcp intercept watch-timeout command specifies the maximum length
> of time that the router will wait, in watch mode, for a TCP connection to
> complete the three-way handshake. This value defaults to 30 seconds. If the
> connection is not reached in this time period, the router sends a reset to
> the server (destination).
>
> *** When a router with TCP Intercept enabled monitors a connection that is
> in the process of being torn down, it expects the connection to be torn down
> within 5 seconds, by default, from the receipt of a reset or FIN exchange.
> When this time period is reached, the router ceases to manage the
> connection. You can change this value with the ip tcp intercept
> finrst-timeout command
> Please advise.
> -RalF
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART