Hi Anantha,
I have never noticed that part of the description before: "it notifies
both parties that the connection has been terminated". I can only assume
that it sends a FIN packet in both directions after the timeout occurs
to fully close the connection, though I have not tested this specific
function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
Can anyone else confirm or otherwise explain the action of "ip inspect
tcp synwait-time"?
Thanks, Andy
Anantha Subramanian Natarajan wrote:
> Hi Andy,
>
> Thank you very much for the explanation. I am trying to understand
> the below highlighted statement, how it notifies the parties that the
> connection is terminated, is it by sending some signal (something like
> RST or ?) .... Kindly help me to understand
>
> "This command specifies how long the Cisco IOS waits for a TCP session
> to be established (to complete three-way handshake). The default is 30
> seconds. If the three way handshake is not completed by end of this
> timeout, Cisco IOS removes the entry from its state table and the
> dynamic entry in the ACL (before FAB) and *it notifies both parties
> that the connection has been terminated*"
>
> Thanks for the help
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
>
> Hi Anantha,
>
> The command "ip inspect tcp finwait-time" is used when waiting for
> the FIN packets (default is 5 seconds).
>
> The "ip inspect tcp synwait-time" is used to protect against half
> open sessions (default is 30 seconds) where the session never
> becomes fully established, and therefore FIN packets are never sent.
>
> regards Andy
>
> Anantha Subramanian Natarajan wrote:
>
> Hi All,
>
> I was going through CBAC and trying to understand the different global
> settings on the same. One of those was "ip inspect tcp synwait-time". The
> way in which I understood it was as stated below (actually just pasting
> the statements):
>
> "This command specifies how long the Cisco IOS waits for a TCP session to
> be established (to complete three-way handshake). The default is 30
> seconds. If the three way handshake is not completed by end of this
> timeout, Cisco IOS removes the entry from its state table and the dynamic
> entry in the ACL (before FAB) and it notifies both parties that the
> connection has been terminated"
>
> In the above I am trying to understand what kind of notification it
> provides to both the parties when the timeout is reached. Is it TCP RST or
> something different?
>
> Kindly let me know
>
> Thanks for the help
>
> Regards
>
> Anantha Subramanian Natarajan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Sep 07 2009 - 07:17:54 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART
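
The two timers discussed in this thread, as an added example that is not part of the original messages and is not Cisco IOS code: a simplified Python model of a stateful inspection table in which a half-open entry is removed when the synwait timer expires and a closing entry is removed when the finwait timer expires. The class, state names and sample flows are assumptions made for illustration; the idle timeout for established sessions and whatever notification the router sends to the endpoints are not modelled.

```python
# Simplified model of a stateful inspection table (illustrative, not Cisco IOS code).
SYNWAIT_DEFAULT = 30  # seconds, "ip inspect tcp synwait-time" default per the thread
FINWAIT_DEFAULT = 5   # seconds, "ip inspect tcp finwait-time" default per the thread


class InspectTable:
    def __init__(self, synwait=SYNWAIT_DEFAULT, finwait=FINWAIT_DEFAULT):
        self.synwait, self.finwait = synwait, finwait
        self.sessions = {}  # flow -> [state, deadline or None]

    def packet(self, now, flow, flags, from_initiator):
        """Update state for one TCP segment; flags is a set such as {"SYN", "ACK"}."""
        entry = self.sessions.get(flow)
        if entry is None:
            # Only an initial SYN from the initiating host creates an entry.
            if from_initiator and flags == {"SYN"}:
                self.sessions[flow] = ["syn-seen", now + self.synwait]
            return
        state = entry[0]
        if state == "syn-seen" and not from_initiator and flags == {"SYN", "ACK"}:
            entry[0] = "synack-seen"  # still half-open, synwait keeps running
        elif state == "synack-seen" and from_initiator and flags == {"ACK"}:
            entry[0], entry[1] = "established", None  # handshake done, timer cleared
        elif state == "established" and "FIN" in flags:
            entry[0], entry[1] = "closing", now + self.finwait

    def expire(self, now):
        """Remove entries whose timer ran out; return [(flow, state_at_removal)]."""
        gone = [(f, e[0]) for f, e in self.sessions.items()
                if e[1] is not None and e[1] <= now]
        for flow, _ in gone:
            del self.sessions[flow]
        return gone


def demo():
    # Constructed flows using documentation address ranges.
    a = ("192.0.2.10", 40001, "198.51.100.5", 80)  # completes the handshake
    b = ("192.0.2.11", 40002, "198.51.100.5", 80)  # SYN only, never answered
    t = InspectTable()
    t.packet(0, a, {"SYN"}, True)
    t.packet(0, b, {"SYN"}, True)
    t.packet(1, a, {"SYN", "ACK"}, False)
    t.packet(1, a, {"ACK"}, True)
    at_30 = t.expire(30)  # b is removed as half-open, a survives
    t.packet(40, a, {"FIN", "ACK"}, True)
    at_44 = t.expire(44)  # finwait (5 s) not yet reached
    at_45 = t.expire(45)  # a is removed 5 s after the FIN
    return at_30, at_44, at_45
```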