RE: TCP Intercept connection-timeout timer

From: Huan Pham (pnhuan@yahoo.com)
Date: Mon Nov 17 2008 - 18:43:03 ARST


Hi Luan,
 
Thanks for looking into this.
 
The command you suggested "show tcp intercept conn" is a good command to see
the intercept timer in action ;-)
 
I can see that when the connection has been created for 1 minute, the
"timeout" timer resets at that point. It looks as if the connection is not
idle, and I can in fact see some packet exchange, based on "debug ip packet"
on R1. However, I can not tell if this is genuine activity between R1 and BB1,
or it is R4 who generates these packets on behalf of the two end points.
 
But if I do "debug ip packet detail" on R4 to see what is going on, then TCP
Intercept suddenly behaves correctly, and terminates the connection "on time"
after the connection-timeout period! It looks as if IOS is doing a bad thing,
and when the cop comes, it corrects itself :-)
 
Something is weird, and I guess this could be an IOS bug.
 
Thanks for helping again. Your suggested "sh tcp inter conn" does help!
 
Rack1R4#show version | in IOS
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE
SOFTWARE (fc3)
 
 
Rack1R4#
Nov 18 07:18:46.463: INTERCEPT: new connection (155.1.146.1:28363 SYN ->
204.12.1.254:23)
Nov 18 07:18:46.463: INTERCEPT(*): (155.1.146.1:28363 <- ACK+SYN
204.12.1.254:23)
Nov 18 07:18:46.467: INTERCEPT: 1st half of connection is established
(155.1.146.1:28363 ACK -> 204.12.1.254:23)
Nov 18 07:18:46.471: INTERCEPT(*): (155.1.146.1:28363 SYN -> 204.12.1.254:23)
Nov 18 07:18:46.491: INTERCEPT: 2nd half of connection established
(155.1.146.1:28363 <- ACK+SYN 204.12.1.254:23)
Nov 18 07:18:46.491: INTERCEPT(*): (155.1.146.1:28363 ACK -> 204.12.1.254:23)
Nov 18 07:18:46.491: INTERCEPT(*): (155.1.146.1:28363 <- WINDOW
204.12.1.254:23)
Rack1R4#
Rack1R4#
Rack1R4#
Rack1R4#show tcp inter conn
Incomplete:
Client Server State Create Timeout Mode
Established:
Client Server State Create Timeout Mode
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:00:08 00:00:51 I
Rack1R4#show tcp inter conn
Incomplete:
Client Server State Create Timeout Mode
Established:
Client Server State Create Timeout Mode
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:00:37 00:00:22 I
Rack1R4#show tcp inter conn
Incomplete:
Client Server State Create Timeout Mode
Established:
Client Server State Create Timeout Mode
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:01:15 00:00:44 I
Rack1R4#show tcp inter conn
Incomplete:
Client Server State Create Timeout Mode
Established:
Client Server State Create Timeout Mode
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:01:58 00:00:01 I
Rack1R4#
Nov 18 07:20:46.511: INTERCEPT: ESTAB timing out (155.1.146.1:28363 <->
204.12.1.254:23)
Nov 18 07:20:46.511: INTERCEPT(*): (155.1.146.1:28363 <- RST 204.12.1.254:23)
Nov 18 07:20:46.511: INTERCEPT(*): (155.1.146.1:28363 RST -> 204.12.1.254:23)
--- On Tue, 11/18/08, Luan Nguyen <luan@netcraftsmen.net> wrote:

From: Luan Nguyen <luan@netcraftsmen.net>
Subject: RE: TCP Intercept connection-timeout timer
To: "'Huan Pham'" <Huan.Pham@peopletelecom.com.au>, "'Cisco certification'"
<ccielab@groupstudy.com>
Date: Tuesday, November 18, 2008, 6:07 AM

Are you absolutely sure the connection is idle? :)
Anyhow, what does "show tcp intercept conn" show?
Mine always terminate "on-time"

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(aim/yahoo/gtalk): luancnc

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Huan
Pham
Sent: Monday, November 17, 2008 12:37 AM
To: Cisco certification
Subject: TCP Intercept connection-timeout timer

Hi,

I am playing with TCP Connection-timeout timer. Topo is as below.

R1 (155.1.146.1) ------------ R4 --------------- BB1 (204.12.1.254)

R4 does TCP intercept. I am trying to verify the effect of the command
"ip tcp intercept connection-timeout"

I am testing the TCP intercept connection timeout timer by telnetting from R1
to BB1 and letting that connection idle (i.e. I do not type anything once I
successfully telnet to BB1). R4 should disconnect this idle TCP session
within a configurable "connection-timeout" period. But what I see is
that it always terminates idle TCP sessions 1 minute later than it
should. For instance, if I configure the connection-timeout timer as 1
minute, then idle TCP sessions are terminated after 2 minutes of no
activity !

Where does that additional 1 minute come from? Any idea please? Many
thanks.

Regards,

Rack1R1#telnet 204.12.1.254
Trying 204.12.1.254 ... Open

BB3>

Rack1R4#sh run | in tcp
ip tcp synwait-time 300
ip tcp intercept list 199
ip tcp intercept connection-timeout 60
access-list 199 permit tcp any host 204.12.1.254

Rack1R4#
*Apr 7 23:12:55.134: INTERCEPT: new connection (155.1.146.1:52825 SYN
-> 204.12.1.254:23)
*Apr 7 23:12:55.134: INTERCEPT(*): (155.1.146.1:52825 <- ACK+SYN
204.12.1.254:23)
*Apr 7 23:12:55.134: INTERCEPT: 1st half of connection is established
(155.1.146.1:52825 ACK -> 204.12.1.254:23)
*Apr 7 23:12:55.138: INTERCEPT(*): (155.1.146.1:52825 SYN ->
204.12.1.254:23)
*Apr 7 23:12:55.158: INTERCEPT: 2nd half of connection established
(155.1.146.1:52825 <- ACK+SYN 204.12.1.254:23)
*Apr 7 23:12:55.158: INTERCEPT(*): (155.1.146.1:52825 ACK ->
204.12.1.254:23)
*Apr 7 23:12:55.158: INTERCEPT(*): (155.1.146.1:52825 <- WINDOW
204.12.1.254:23)

*Apr 7 23:14:55.166: INTERCEPT: ESTAB timing out (155.1.146.1:52825 <->
204.12.1.254:23)
*Apr 7 23:14:55.166: INTERCEPT(*): (155.1.146.1:52825 <- RST
204.12.1.254:23)
*Apr 7 23:14:55.166: INTERCEPT(*): (155.1.146.1:52825 RST ->
204.12.1.254:23)

Rack1R4#c
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip tcp intercept connection-timeout 120
command accepted, interfaces with mls configured might cause
inconsistent behavior

Rack1R4#
*Apr 7 23:21:52.006: INTERCEPT: new connection (155.1.146.1:29099 SYN
-> 204.12.1.254:23)
*Apr 7 23:21:52.010: INTERCEPT(*): (155.1.146.1:29099 <- ACK+SYN
204.12.1.254:23)
*Apr 7 23:21:52.010: INTERCEPT: 1st half of connection is established
(155.1.146.1:29099 ACK -> 204.12.1.254:23)
*Apr 7 23:21:52.010: INTERCEPT(*): (155.1.146.1:29099 SYN ->
204.12.1.254:23)
*Apr 7 23:21:52.034: INTERCEPT: 2nd half of connection established
(155.1.146.1:29099 <- ACK+SYN 204.12.1.254:23)
*Apr 7 23:21:52.034: INTERCEPT(*): (155.1.146.1:29099 ACK ->
204.12.1.254:23)
*Apr 7 23:21:52.034: INTERCEPT(*): (155.1.146.1:29099 <- WINDOW
204.12.1.254:23)

*Apr 7 23:24:52.042: INTERCEPT: ESTAB timing out (155.1.146.1:29099 <->
204.12.1.254:23)
*Apr 7 23:24:52.042: INTERCEPT(*): (155.1.146.1:29099 <- RST
204.12.1.254:23)
*Apr 7 23:24:52.042: INTERCEPT(*): (155.1.146.1:29099 RST ->
204.12.1.254:23)

Rack1R4#c
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip tcp intercept connection-timeout 150
command accepted, interfaces with mls configured might cause
inconsistent behavior

Rack1R4#
*Apr 7 23:26:25.934: INTERCEPT: new connection (155.1.146.1:19604 SYN
-> 204.12.1.254:23)
*Apr 7 23:26:25.934: INTERCEPT(*): (155.1.146.1:19604 <- ACK+SYN
204.12.1.254:23)
*Apr 7 23:26:25.934: INTERCEPT: 1st half of connection is established
(155.1.146.1:19604 ACK -> 204.12.1.254:23)
*Apr 7 23:26:25.938: INTERCEPT(*): (155.1.146.1:19604 SYN ->
204.12.1.254:23)
*Apr 7 23:26:25.958: INTERCEPT: 2nd half of connection established
(155.1.146.1:19604 <- ACK+SYN 204.12.1.254:23)
*Apr 7 23:26:25.958: INTERCEPT(*): (155.1.146.1:19604 ACK ->
204.12.1.254:23)
*Apr 7 23:26:25.958: INTERCEPT(*): (155.1.146.1:19604 <- WINDOW
204.12.1.254:23)

*Apr 7 23:29:55.970: INTERCEPT: ESTAB timing out (155.1.146.1:19604 <->
204.12.1.254:23)
*Apr 7 23:29:55.970: INTERCEPT(*): (155.1.146.1:19604 <- RST
204.12.1.254:23)
*Apr 7 23:29:55.970: INTERCEPT(*): (155.1.146.1:19604 RST ->
204.12.1.254:23)

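The two measurements in this thread (the INTERCEPT debug timestamps in the original post, and the Create/Timeout columns of "show tcp intercept connections" in the reply) can be checked mechanically rather than by eye. The script below is an added example written for this archive page; it is not part of the thread and not Cisco code. It re-parses the posted output (the mail-client line wrapping is undone, and the year is assumed because IOS does not log it), reports per test how far the observed ESTAB lifetime exceeded the configured connection-timeout, and finds the snapshot at which the idle timer was restarted. The mapping of configured timeout to client port is taken from the three config changes in the original post; everything else in the sample strings is copied from the thread.

```python
"""Check Cisco IOS TCP Intercept timers from 'debug ip tcp intercept' output
and 'show tcp intercept connections' snapshots (constructed example)."""
import re
from datetime import datetime

MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
DEBUG_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}):"
    r"\s+INTERCEPT(?:\(\*\))?:\s+(?P<rest>.*)$")
IPPORT_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")
SHOW_RE = re.compile(
    r"^(?P<client>\S+:\d+)\s+(?P<server>\S+:\d+)\s+(?P<state>\S+)\s+"
    r"(?P<create>\d{2}:\d{2}:\d{2})\s+(?P<timeout>\d{2}:\d{2}:\d{2})\s+\S$")

# Constructed sample: the debug lines from the thread's three tests, with the
# mail-client line wrapping undone. The year is not in the log; 2000 is assumed.
DEBUG_SAMPLE = """\
*Apr 7 23:12:55.134: INTERCEPT: new connection (155.1.146.1:52825 SYN -> 204.12.1.254:23)
*Apr 7 23:12:55.158: INTERCEPT: 2nd half of connection established (155.1.146.1:52825 <- ACK+SYN 204.12.1.254:23)
*Apr 7 23:12:55.158: INTERCEPT(*): (155.1.146.1:52825 <- WINDOW 204.12.1.254:23)
*Apr 7 23:14:55.166: INTERCEPT: ESTAB timing out (155.1.146.1:52825 <-> 204.12.1.254:23)
*Apr 7 23:21:52.034: INTERCEPT: 2nd half of connection established (155.1.146.1:29099 <- ACK+SYN 204.12.1.254:23)
*Apr 7 23:24:52.042: INTERCEPT: ESTAB timing out (155.1.146.1:29099 <-> 204.12.1.254:23)
*Apr 7 23:26:25.958: INTERCEPT: 2nd half of connection established (155.1.146.1:19604 <- ACK+SYN 204.12.1.254:23)
*Apr 7 23:29:55.970: INTERCEPT: ESTAB timing out (155.1.146.1:19604 <-> 204.12.1.254:23)
"""
# connection-timeout in force when each test connection was opened, keyed by
# client port because the poster changed the timer between tests (from the post).
CONFIGURED = {52825: 60, 29099: 120, 19604: 150}

# Constructed sample: the four 'show tcp intercept connections' snapshots from
# the reply, concatenated; headers and prompts are ignored by the parser.
SHOW_SAMPLE = """\
Established:
Client Server State Create Timeout Mode
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:00:08 00:00:51 I
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:00:37 00:00:22 I
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:01:15 00:00:44 I
155.1.146.1:28363 204.12.1.254:23 ESTAB 00:01:58 00:00:01 I
"""


def parse_debug_line(line):
    """Return (timestamp, event, client, server) for an INTERCEPT debug line,
    or None for anything else (prompts, other debugs, wrapped fragments)."""
    m = DEBUG_RE.match(line.strip())
    if not m:
        return None
    endpoints = IPPORT_RE.findall(m["rest"])
    if len(endpoints) != 2:
        return None
    hh, mm, ss = m["time"].split(":")
    sec, ms = ss.split(".")
    ts = datetime(2000, MONTHS[m["mon"]], int(m["day"]),
                  int(hh), int(mm), int(sec), int(ms) * 1000)
    event = m["rest"].split("(", 1)[0].strip()  # '' for INTERCEPT(*) packet lines
    return ts, event, endpoints[0], endpoints[1]


def established_lifetimes(log_text):
    """Seconds each connection spent in ESTAB: from '2nd half of connection
    established' (both halves up) to 'ESTAB timing out' (the RSTs follow)."""
    opened, lifetimes = {}, {}
    for line in log_text.splitlines():
        parsed = parse_debug_line(line)
        if parsed is None:
            continue
        ts, event, client, server = parsed
        key = (client, server)
        if event.startswith("2nd half"):
            opened[key] = ts
        elif event.startswith("ESTAB timing out") and key in opened:
            lifetimes[key] = (ts - opened.pop(key)).total_seconds()
    return lifetimes


def audit(log_text, configured_by_port):
    """Map client port -> (configured, observed, excess) in whole seconds."""
    report = {}
    for (client, _server), observed in established_lifetimes(log_text).items():
        port = int(client.rsplit(":", 1)[1])
        cfg = configured_by_port[port]
        report[port] = (cfg, round(observed), round(observed) - cfg)
    return report


def hms(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def projected_lifetimes(show_text):
    """For each ESTAB row: (age, remaining, age + remaining). The sum is the
    lifetime the router currently projects; for a truly idle connection it
    should stay at the configured connection-timeout from snapshot to snapshot."""
    rows = []
    for line in show_text.splitlines():
        m = SHOW_RE.match(line.strip())
        if m and m["state"] == "ESTAB":
            age, rem = hms(m["create"]), hms(m["timeout"])
            rows.append((age, rem, age + rem))
    return rows


def timer_resets(show_text):
    """Indexes of snapshots whose projected lifetime grew since the previous
    one, i.e. the idle timer was restarted in between (1 s slack covers the
    rounding of the two clock columns)."""
    proj = [total for _, _, total in projected_lifetimes(show_text)]
    return [i for i in range(1, len(proj)) if proj[i] > proj[i - 1] + 1]


if __name__ == "__main__":
    for port, (cfg, seen, excess) in sorted(audit(DEBUG_SAMPLE, CONFIGURED).items()):
        print(f"client port {port}: configured {cfg}s, observed {seen}s, excess {excess}s")
    print("projected lifetimes:", projected_lifetimes(SHOW_SAMPLE))
    print("timer reset before snapshot(s):", timer_resets(SHOW_SAMPLE))
```

Run against the posted data it gives an excess of exactly 60 s for all three settings, and one reset between the second and third snapshots (projected lifetime 59 s, then 119 s), which is the one-minute restart described in the reply. The script only locates the reset; it cannot say which side sent the packet that caused it, which is the open question in the thread, so a packet capture on R4's interfaces around that moment is the natural next step.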



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST