RE: CBAC

From: Jacob Uecker <juecker_at_ccbootcamp.com>
Date: Sun, 6 Sep 2009 20:07:58 -0700

I have always heard of using TCP RSTs instead of FINs. You could always use a
SPAN port and check :)

Thanks,

Jacob Uecker
CCIE# 24481

Development Engineer
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-8012

YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com

________________________________

From: nobody_at_groupstudy.com on behalf of Anantha Subramanian Natarajan
Sent: Sun 9/6/2009 7:21 PM
To: Scott M Vermillion; Cisco certification
Subject: Re: CBAC

Thank you Scott M Vermillion for your thoughts and inferences.

Regards
Anantha Subramanian Natarajan

On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <scott_ccie_list_at_it-ag.com> wrote:

> My understanding is that it sends TCP RST in both directions, although I
> couldn't come up with a direct quote to offer as proof (plenty of quotes
> that state that as fact where TCP intercept is concerned, but not CBAC
> specifically). A TCP FIN wouldn't be my first guess, as that's the means
> of closing an *established* socket. What we're dealing with here is half-open
> connections instead. So my vote is on a RST, but I'm not sure how to lab
> this up. A means to generate a TCP SYN followed by nothing else would be
> required. No doubt such a thing exists but I'm just not sure I have it
> readily available on any of my existing lab gear. Anyone else?
>
> On Sep 6, 2009, at 5:17, Andy Reid wrote:
>
>> Hi Anantha,
>>
>> I have never noticed that part of the description before : "it notifies
>> both parties that the connection has been terminated". I can only assume
>> that it sends a FIN packet in both directions after the timeout occurs
>> to fully close the connection, though I have not tested this specific
>> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
>> Can anyone else confirm or otherwise explain the action of "ip inspect
>> tcp synwait-time".
>>
>> Thanks, Andy
>>
>> Anantha Subramanian Natarajan wrote:
>>
>>> Hi Andy,
>>>
>>> Thank you very much for the explanation. I am trying to understand
>>> the below highlighted statement: how it notifies the parties that the
>>> connection is terminated. Is it by sending some signal (something like
>>> RST or ?) .... Kindly help me to understand
>>>
>>> "This command specifies how long the Cisco IOS waits for a TCP session
>>> to be established (to complete the three-way handshake). The default is 30
>>> seconds. If the three-way handshake is not completed by the end of this
>>> timeout, Cisco IOS removes the entry from its state table and the
>>> dynamic entry in the ACL (before FAB) and *it notifies both parties
>>> that the connection has been terminated*"
>>>
>>> Thanks for the help
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
>>>
>>> Hi Anantha,
>>>
>>> The command "ip inspect tcp finwait-time" is used when waiting for
>>> the FIN packets (default is 5 seconds).
>>>
>>> The "ip inspect tcp synwait-time" is used to protect against half
>>> open sessions (default is 30 seconds) where the session never
>>> becomes fully established, and therefore FIN packets are never sent.
>>>
>>> regards Andy
>>>
>>> Anantha Subramanian Natarajan wrote:
>>>
>>> Hi All,
>>>
>>> I was going through CBAC and trying to understand the different global
>>> settings on the same. One of those was "ip inspect tcp synwait-time". The way
>>> in which I understood it was as stated below (actually just pasting the
>>> statements):
>>>
>>> "This command specifies how long the Cisco IOS waits for a TCP session to be
>>> established (to complete the three-way handshake). The default is 30 seconds. If
>>> the three-way handshake is not completed by the end of this timeout, Cisco IOS
>>> removes the entry from its state table and the dynamic entry in the
>>> ACL (before FAB) and it notifies both parties that the connection has been
>>> terminated"
>>>
>>> In the above I am trying to understand what kind of notification it provides
>>> to both the parties when the timeout is reached. Is it a TCP RST or something
>>> different?
>>>
>>> Kindly let me know
>>>
>>> Thanks for the help
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>

Received on Sun Sep 06 2009 - 20:07:58 ART
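The thread above reasons about what a CBAC state table does when "ip inspect tcp synwait-time" (default 30 seconds) and "ip inspect tcp finwait-time" (default 5 seconds) expire, and whether the "notify both parties" step is a RST or a FIN. The Python model below is an added example written for this archive page; it is not IOS code and not something any of the posters wrote. It drives a small inspection table through a constructed packet trace (addresses and timings are made up), ages out half-open entries at the synwait timer and FIN-pending entries at the finwait timer, and records the synwait expiry as "RST to both parties", which is the posters' inference rather than something the thread proves. The single dictionary stands in for both the state table and the dynamic ACL entry the quoted text mentions; treating a finwait expiry as a silent removal is an assumption of the example. Running it next to a SPAN-port capture, as Jacob suggests, is the way to check the RST-versus-FIN question against real gear.

```python
"""Toy model of a CBAC-style inspection state table with synwait/finwait timers.

Added example for the mailing-list thread; not IOS code and not from any poster.
"""
from dataclasses import dataclass

SYNWAIT_DEFAULT = 30.0   # seconds, IOS default for "ip inspect tcp synwait-time"
FINWAIT_DEFAULT = 5.0    # seconds, IOS default for "ip inspect tcp finwait-time"

# States before the three-way handshake completes: the session is "half-open"
HALF_OPEN_STATES = ("SYN_SEEN", "SYNACK_SEEN")

# Constructed endpoints for the sample trace (not real hosts)
HOST_A = ("10.0.0.5", 40000)      # client that completes its handshake
HOST_C = ("10.0.0.9", 40001)      # client that only ever sends a SYN
SERVER = ("192.0.2.10", 80)


@dataclass
class Session:
    initiator: tuple   # (ip, port) that sent the SYN
    responder: tuple
    state: str
    since: float       # time the current state was entered


class Inspector:
    """Minimal stateful inspection table driven by (time, src, dst, flags) events."""

    def __init__(self, synwait=SYNWAIT_DEFAULT, finwait=FINWAIT_DEFAULT):
        self.synwait = synwait
        self.finwait = finwait
        # (initiator, responder) -> Session; stands in for the state table
        # plus the dynamic ACL entry that CBAC installs for the flow
        self.table = {}
        self.log = []     # (action, key) records of what the engine did

    def _lookup(self, src, dst):
        """Return the session key and packet direction, or (None, None)."""
        if (src, dst) in self.table:
            return (src, dst), "fwd"
        if (dst, src) in self.table:
            return (dst, src), "rev"
        return None, None

    def packet(self, t, src, dst, flags):
        """Feed one packet; flags is a string such as "S", "SA", "A", "FA", "R"."""
        key, direction = self._lookup(src, dst)
        if key is None:
            if flags == "S":                      # new flow: half-open entry
                self.table[(src, dst)] = Session(src, dst, "SYN_SEEN", t)
            return                                # no entry: nothing else is tracked
        s = self.table[key]
        if "R" in flags:                          # a real RST tears the entry down
            del self.table[key]
            self.log.append(("closed_by_rst", key))
        elif s.state == "SYN_SEEN" and flags == "SA" and direction == "rev":
            s.state, s.since = "SYNACK_SEEN", t
        elif s.state == "SYNACK_SEEN" and "A" in flags and direction == "fwd":
            s.state, s.since = "ESTABLISHED", t   # handshake complete
        elif s.state == "ESTABLISHED" and "F" in flags:
            s.state, s.since = "FIN_WAIT", t      # now governed by finwait-time

    def expire(self, now):
        """Age out entries the way the two timers in the thread describe."""
        actions = []
        for key, s in list(self.table.items()):
            age = now - s.since
            if s.state in HALF_OPEN_STATES and age > self.synwait:
                del self.table[key]
                # The thread's inference: a RST goes to each party, not a FIN,
                # because no established socket exists for a FIN to close.
                actions.append(("synwait_expired_rst_both", key))
            elif s.state == "FIN_WAIT" and age > self.finwait:
                del self.table[key]               # assumption: silent removal
                actions.append(("finwait_expired", key))
        self.log.extend(actions)
        return actions

    def half_open_count(self):
        """Number of entries still waiting on the handshake."""
        return sum(1 for s in self.table.values() if s.state in HALF_OPEN_STATES)


def run_trace():
    """Run the constructed trace: one clean session, one SYN-only flow."""
    insp = Inspector()
    insp.packet(0.0, HOST_A, SERVER, "S")
    insp.packet(0.1, SERVER, HOST_A, "SA")
    insp.packet(0.2, HOST_A, SERVER, "A")     # A <-> SERVER established
    insp.packet(1.0, HOST_C, SERVER, "S")     # C never completes the handshake
    insp.packet(2.0, HOST_A, SERVER, "FA")    # A starts closing
    first = insp.expire(10.0)    # FIN_WAIT aged 8 s > 5 s; C aged 9 s < 30 s
    second = insp.expire(40.0)   # C aged 39 s > 30 s: remove entry, RST both ways
    return insp, first, second


if __name__ == "__main__":
    insp, first, second = run_trace()
    for action, key in first + second:
        print(f"{action}: {key[0]} -> {key[1]}")
```

The state names are the example's own; IOS exposes its view of a flow through "show ip inspect sessions", and comparing that output over time with this model's table is the quickest way to see the two timers acting on different kinds of entries.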

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART