From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Wed Sep 20 2006 - 21:43:47 ART
The watch command was left in the solutions from a previous version of
the task and should have been removed a while back. If you download the
solutions from our members' site you'll see that it was removed.
As far as the question itself goes there isn't a timer that needs to be
changed for the task if you understand TCP intercept. This means that
it's not asking for anything more than what is already done by default.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Radoslav Vasilev
Sent: Wednesday, September 20, 2006 4:33 PM
To: sabrina pittarel
Cc: route flap; Cisco certification
Subject: Re: tcp Intercept timers
Hi,
This has already been discussed here - it's a workbook error calling
for a timer that is supported in the different tcp intercept mode.
Rado
On 9/14/06, sabrina pittarel <sabri_esame@yahoo.com> wrote:
> Oh,
> I see. You mean that there is some inconsistency between the
> requirement of the router behaving as a proxy (intercept mode) and the
> generation of the RST.
>
> You are right, it is a mistake...and it was discussed a few weeks back.
> Check the archives
>
> Sabrina
>
>
> ----- Original Message ----
> From: route flap <routeflap@gmail.com>
> To: sabrina pittarel <sabri_esame@yahoo.com>
> Cc: Cisco certification <ccielab@groupstudy.com>
> Sent: Thursday, September 14, 2006 8:45:09 AM
> Subject: Re: tcp Intercept timers
>
> Sabrina,
>
> Maybe I was not clear enough in my last email, but AFAIK the
> Watch-timeout command only works in TCP Intercept Watch Mode
> The default is intercept mode as you know
>
> thanks
> -RalF
>
> On 9/14/06, sabrina pittarel <sabri_esame@yahoo.com> wrote:
> I'm sure I'm missing your point.
> The question states that a reset should be sent. That calls for watch
> timeout...Are you referring to the fact that the default is already
> 30sec?
> Yes you are right:
>
> Rack1R3(config)#ip tcp intercept watch-timeout 30
> Rack1R3(config)#
> Rack1R3#
> Rack1R3#sh run | i watch
> Rack1R3#
>
> It only means that nothing needs to be done for the question
>
> Sabrina
>
> ----- Original Message ----
> From: route flap < routeflap@gmail.com>
> To: Cisco certification <ccielab@groupstudy.com>
> Sent: Thursday, September 14, 2006 6:41:39 AM
> Subject: tcp Intercept timers
>
> Hi Guys,
>
> While doing IEWB Lab 14 Task 9 I found this question that states:
>
> In the meantime configure R4 to be a proxy for all TCP sessions
> initiated to this server. And one of the inner bullets of the task
> says R4 should send a reset for any TCP sessions that have not reached
> the established state after 30 seconds.
>
> The solution is using: ip tcp intercept watch-timeout 30
>
> The Book of Richard A. Deal; Cisco Router Firewall Security ISBN :
> 1-58705-175-3 Says:
>
> *** The ip tcp intercept watch-timeout command specifies the maximum
> length of time that the router will wait, in watch mode, for a TCP
> connection to complete the three-way handshake. This value defaults to
> 30 seconds. If the connection is not reached in this time period, the
> router sends a reset to the server (destination).
>
> *** When a router with TCP Intercept enabled monitors a connection
> that is in the process of being torn down, it expects the connection
> to be torn down within 5 seconds, by default, from the receipt of a
> reset or FIN exchange. When this time period is reached, the router
> ceases to manage the connection. You can change this value with the
> ip tcp intercept finrst-timeout command
>
> Please advise.
> -RalF
>
>
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART
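
The watch-mode timers quoted in the thread (30-second watch-timeout, 5-second finrst-timeout), replayed over constructed traffic. This Python model is an added example, not part of the thread and not IOS code. The event tuples, state names and action names are assumptions, and the SYN-ACK is omitted, so the first ACK after a SYN is treated as completing the handshake.

```python
# Added example: model of the TCP Intercept watch-mode timers described in the
# thread. Not IOS code; event format and action names are illustrative assumptions.
import math

WATCH_TIMEOUT = 30   # default seconds allowed for the three-way handshake
FINRST_TIMEOUT = 5   # default seconds a connection stays managed after FIN/RST


def watch(events, watch_timeout=WATCH_TIMEOUT, finrst_timeout=FINRST_TIMEOUT):
    """Replay (time_s, conn_id, flag) tuples, sorted by time, and return the
    (time_s, conn_id, action) list a watch-mode router would produce."""
    tracked = {}   # conn_id -> (state, expiry); expiry is None once established
    actions = []

    def expire(now):
        due = [(exp, conn, state) for conn, (state, exp) in tracked.items()
               if exp is not None and exp <= now]
        for exp, conn, state in sorted(due):
            # Half-open too long: reset goes to the server. Closing: stop managing.
            actions.append((exp, conn, "RST_TO_SERVER" if state == "HALF_OPEN"
                            else "STOP_MANAGING"))
            del tracked[conn]

    for now, conn, flag in events:
        expire(now)
        state = tracked.get(conn, (None, None))[0]
        if flag == "SYN" and state is None:
            tracked[conn] = ("HALF_OPEN", now + watch_timeout)
        elif flag == "ACK" and state == "HALF_OPEN":
            tracked[conn] = ("ESTABLISHED", None)   # handshake completed in time
        elif flag in ("FIN", "RST") and state is not None:
            tracked[conn] = ("CLOSING", now + finrst_timeout)
    expire(math.inf)   # flush timers still pending after the last event
    return actions


# Constructed sample traffic (not from the thread).
EVENTS = [
    (0, "A", "SYN"), (1, "A", "ACK"),     # normal handshake
    (2, "B", "SYN"),                      # never completes
    (10, "C", "SYN"), (35, "C", "ACK"),   # completes after 25 s
    (40, "A", "FIN"), (50, "C", "RST"),
]

if __name__ == "__main__":
    for action in watch(EVENTS):
        print(action)
```

With the defaults only connection B is reset; lowering `watch_timeout` to 20 also resets C, whose handshake took 25 seconds.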