My understanding is that it sends TCP RST in both directions, although
I couldn't come up with a direct quote to offer as proof (plenty of
quotes that state that as fact where TCP intercept is concerned, but
not CBAC specifically). A TCP FIN wouldn't be my first guess, as
that's the means of closing an *established* socket. What we're
dealing with here is half-open connections instead. So my vote is on
a RST, but I'm not sure how to lab this up. A means to generate a TCP
SYN followed by nothing else would be required. No doubt such a thing
exists but I'm just not sure I have it readily available on any of my
existing lab gear. Anyone else?
On Sep 6, 2009, at 5:17, Andy Reid wrote:
> Hi Anantha,
>
> I have never noticed that part of the description before: "it notifies
> both parties that the connection has been terminated". I can only assume
> that it sends a FIN packet in both directions after the timeout occurs
> to fully close the connection, though I have not tested this specific
> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> Can anyone else confirm or otherwise explain the action of "ip inspect
> tcp synwait-time"?
>
> Thanks, Andy
>
> Anantha Subramanian Natarajan wrote:
>> Hi Andy,
>>
>> Thank you very much for the explanation. I am trying to understand
>> the below highlighted statement, how it notifies the parties that the
>> connection is terminated, is it by sending some signal (something like
>> RST or ?) .... Kindly help me to understand
>>
>> "This command specifies how long the Cisco IOS waits for a TCP session
>> to be established (to complete three-way handshake). The default is 30
>> seconds. If the three-way handshake is not completed by end of this
>> timeout, Cisco IOS removes the entry from its state table and the
>> dynamic entry in the ACL (before FAB) and* it notifies both parties
>> that the connection has been terminated*"
>>
>> Thanks for the help
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
>>
>> Hi Anantha,
>>
>> The command "ip inspect tcp finwait-time" is used when waiting for
>> the FIN packets (default is 5 seconds).
>>
>> The "ip inspect tcp synwait-time" is used to protect against half
>> open sessions (default is 30 seconds) where the session never
>> becomes fully established, and therefore FIN packets are never
>> sent.
>>
>> regards Andy
>>
>> Anantha Subramanian Natarajan wrote:
>>
>> Hi All,
>>
>> I was going through CBAC and trying to understand the different global
>> settings on the same. One of that was "ip inspect tcp synwait-time". The
>> way in which I understood was as stated below (actually just pasting the
>> statements):
>>
>> "This command specifies how long the Cisco IOS waits for a TCP session
>> to be established (to complete three-way handshake). The default is 30
>> seconds. If the three-way handshake is not completed by end of this
>> timeout, Cisco IOS removes the entry from its state table and the
>> dynamic entry in the ACL (before FAB) and it notifies both parties that
>> the connection has been terminated"
>>
>> In the above I am trying to understand what kind of notification it
>> provides to both the parties when the timeout has been reached. Is it
>> TCP RST or something different.
>>
>> Kindly let me know
>>
>> Thanks for the help
>>
>> Regards
>>
>> Anantha Subramanian Natarajan
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
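The verification half of the lab test discussed above, as an added example that is not code from anyone in this thread: given raw IPv4/TCP segments captured on both sides of the inspecting router, it reports whether each party received an RST, a FIN, or nothing after the unanswered SYN. The addresses, ports and sample segments are constructed, and the packet builder exists only to produce that offline test input.

```python
"""Classify captured TCP segments to see how a firewall tears down a
half-open session: RST, FIN, or nothing, toward each party."""
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4/TCP header fields needed to classify a segment."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": off_flags & 0x01FF}

def build_packet(src, dst, sport, dport, flags) -> bytes:
    """Constructed test input: minimal IPv4+TCP header, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def teardown_seen(packets, client, server, sport, dport) -> dict:
    """Report what each party of one 4-tuple received after the SYN.
    RST wins over FIN if both appear; None means no teardown was captured."""
    seen = {"to_client": None, "to_server": None}
    for p in map(parse_ipv4_tcp, packets):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key == (server, dport, client, sport):
            direction = "to_client"
        elif key == (client, sport, server, dport):
            direction = "to_server"
        else:
            continue                               # unrelated traffic
        if p["flags"] & SYN and not p["flags"] & ACK:
            continue                               # the original half-open SYN
        if p["flags"] & RST:
            seen[direction] = "RST"
        elif p["flags"] & FIN and seen[direction] is None:
            seen[direction] = "FIN"
    return seen

# Constructed lab capture (hypothetical addresses): one SYN that is never answered,
# then the spoofed resets a router would inject toward each party on timeout.
CLIENT, SERVER, SPORT, DPORT = "10.0.0.10", "10.0.1.20", 40000, 80
SAMPLE_CAPTURE = [
    build_packet(CLIENT, SERVER, SPORT, DPORT, SYN),        # half-open SYN
    build_packet(SERVER, CLIENT, DPORT, SPORT, RST | ACK),  # reset toward client
    build_packet(CLIENT, SERVER, SPORT, DPORT, RST),        # reset toward server
]
```

Feed it the raw bytes of a real capture taken on each side of the router and the result tells you directly whether the "notification" was an RST, a FIN, or nothing at all.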
Received on Sun Sep 06 2009 - 20:19:42 ART