Hi Andy,
I understood that statement from "Cisco Router Firewall Security" by
Richard A. Deal, Chapter 9 (Context-Based Access Control), page 401. Thanks for
your time on sharing your understanding.
Regards
Anantha Subramanian Natarajan
On Sun, Sep 6, 2009 at 6:17 PM, Andy Reid <ccie_at_reid.it> wrote:
> Hi Anantha,
</grreplace>
<gr_replace lines="10-16" cat="clarify" orig="> I have never">
> I have never noticed that part of the description before: "it notifies
> both parties that the connection has been terminated". I can only assume
> that it sends a FIN packet in both directions after the timeout occurs to
> fully close the connection, though I have not tested this specific function
> in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> Can anyone else confirm or otherwise explain the action of "ip inspect tcp
> synwait-time"?
>
> I have never noticed that part of the description before : "it notifies
> both parties that the connection has been terminated". I can only assume
> that it sends a FIN packet in both directions after the timeout occurs to
> fully close the connection, though I have not tested this specific function
> in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> Can anyone else confirm or otherwise explain the action of "ip inspect tcp
> synwait-time".
>
> Thanks, Andy
>
>
> Anantha Subramanian Natarajan wrote:
>
> Hi Andy,
>
> Thank you very much for the explanation. I am trying to understand the
> below highlighted statement: how does it notify the parties that the connection
> is terminated? Is it by sending some signal (something like RST or ?)
> Kindly help me to understand.
>
> "This command specifies how long the Cisco IOS waits for a TCP session to
> be established (to complete the three-way handshake). The default is 30
> seconds. If the three-way handshake is not completed by the end of this
> timeout, Cisco IOS removes the entry from its state table and the dynamic
> entry in the ACL (before FAB) and *it notifies both parties that the
> connection has been terminated*"
>
> Thanks for the help
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
>
>> Hi Anantha,
>>
>> The command "ip inspect tcp finwait-time" is used when waiting for the FIN
>> packets (default is 5 seconds).
>>
>> The "ip inspect tcp synwait-time" is used to protect against half open
>> sessions (default is 30 seconds) where the session never becomes fully
>> established, and therefore FIN packets are never sent.
>>
>> Regards, Andy
>>
>> Anantha Subramanian Natarajan wrote:
>>
>>> Hi All,
>>>
>>> I was going through CBAC and trying to understand the different global
>>> settings on the same. One of those was "ip inspect tcp synwait-time". The
>>> way in which I understood it is as stated below (actually just pasting the
>>> statements):
>>>
>>>
>>> "This command specifies how long the Cisco IOS waits for a TCP session to
>>> be established (to complete the three-way handshake). The default is 30
>>> seconds. If the three-way handshake is not completed by the end of this
>>> timeout, Cisco IOS removes the entry from its state table and the dynamic
>>> entry in the ACL (before FAB) and it notifies both parties that the
>>> connection has been terminated"
>>>
>>> In the above I am trying to understand what kind of notification it
>>> provides to both the parties when the timeout is reached. Is it a TCP RST or
>>> something different?
>>>
>>> Kindly let me know.
>>>
>>> Thanks for the help
>>>
>>> Regards
>>>
>>> Anantha Subramanian Natarajan
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Sep 06 2009 - 19:19:32 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART
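To make Andy's distinction between the two timers concrete, here is an added toy model of a stateful TCP session table (example code written for this page, not Cisco IOS behaviour and not from anyone in the thread). It tracks the half-open (synwait) and closing (finwait) timers using the defaults quoted above; the state names, the `Inspector` class and the flag-set packet encoding are assumptions of the model, and it does not model idle timeouts or answer the open question of what, if anything, is sent to the endpoints on expiry.

```python
"""Toy model of a CBAC-style TCP state table with the synwait and finwait timers.

Added illustration only (not IOS code). Two timers from the thread:
  synwait: how long a half-open session (SYN seen, handshake never finished) may live
  finwait: how long a closing session may wait for the FIN exchange to finish
"""
from dataclasses import dataclass

SYNWAIT_DEFAULT = 30  # seconds, "ip inspect tcp synwait-time" default
FINWAIT_DEFAULT = 5   # seconds, "ip inspect tcp finwait-time" default


@dataclass
class Session:
    state: str    # "SYNSENT" (half-open) | "ESTABLISHED" | "CLOSING"
    since: float  # time the session entered this state


class Inspector:
    def __init__(self, synwait=SYNWAIT_DEFAULT, finwait=FINWAIT_DEFAULT):
        self.synwait, self.finwait = synwait, finwait
        self.table = {}    # session key (e.g. a 5-tuple string) -> Session
        self.expired = []  # (key, state at expiry) for audit logging

    def packet(self, t, key, flags):
        """Feed one packet; flags is a set such as {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN"}."""
        s = self.table.get(key)
        if s is None:
            if flags == {"SYN"}:                    # initial SYN opens a half-open entry
                self.table[key] = Session("SYNSENT", t)
            return                                   # unknown, non-SYN traffic is not tracked
        if s.state == "SYNSENT" and "ACK" in flags and "SYN" not in flags:
            s.state, s.since = "ESTABLISHED", t      # final ACK of the three-way handshake
        elif s.state == "CLOSING" and "FIN" in flags:
            del self.table[key]                      # second FIN: graceful close, no timer fires
        elif s.state == "ESTABLISHED" and "FIN" in flags:
            s.state, s.since = "CLOSING", t          # first FIN starts the finwait timer

    def tick(self, now):
        """Expire entries whose timer has run out; returns the keys removed on this tick."""
        removed = []
        for key, s in list(self.table.items()):
            limit = {"SYNSENT": self.synwait, "CLOSING": self.finwait}.get(s.state)
            if limit is not None and now - s.since > limit:
                self.expired.append((key, s.state))
                del self.table[key]
                removed.append(key)
        return removed
```

Constructed session "a" below never completes its handshake and is dropped by synwait; "b" completes, then waits too long for the second FIN and is dropped by finwait; "c" closes cleanly and triggers neither timer.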