CSS SYN ACK question

Unanswered Question
Jan 16th, 2008
User Badges:


What is the value/time that a CSS resets a connection that is not fully established.

im seeing the following

Client >









RST comes from the CSS

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Wed, 01/16/2008 - 06:53
User Badges:
  • Cisco Employee,

the DoS feature will kick and RST the connection after 16 seconds.

A 'show dos' will tell you if such a connection was detected.

This feature is not configurable.


stephen.baugh Wed, 01/16/2008 - 06:58
User Badges:


Just noticed from my trace, that client is using the same source port as a previous connection and the servers 2msl timer hasn't exceeded.

Is the 16 seconds the correct value


stephen.baugh Wed, 01/16/2008 - 07:51
User Badges:


So if the server doesn't send a syn/ack within 16 seconds, the CSS drops the flow. Is this time configurable ?


Gilles Dufour Wed, 01/16/2008 - 08:14
User Badges:
  • Cisco Employee,

the CSS wants to see a complete 3-way handshake within the 16sec or it considers this connection a dos attack.

As mentioned earlier, this feature is totally not configurable.

You can't disable it or modify any parameters including the time.


stephen.baugh Thu, 01/17/2008 - 00:40
User Badges:

Hi Gilles

Thanks for the info, Apologies for more questions. From my trace I see 5 SYN packets with a source port that should be in the time_wait state. I presume the dos feature should kick in 16 seconds after the first SYN is recived but Im not seeing the RST originate from the CSS until 3 minutes. Any clues to why ?

Client > Server

00:03:35 SYN >

00:03:35 ACK <

00:03:41 SYN >

00:03:41 ACK <

00:03:47 SYN >

00:03:47 ACK <

00:03:59 SYN >

00:03:59 ACK <

00:04:23 SYN >

00:04:23 ACK >

00:06:24 RST >

Thanks in advance

Gilles Dufour Thu, 01/17/2008 - 01:05
User Badges:
  • Cisco Employee,

was the trace captured on the server side or the client side ?

If you do a 'show dos' do you see this connection counted as a dos attack or not ?

Since the server responds with an ACK to the SYN, the CSS could have the connection in the established state as well and the RST is coming from the client giving up the connection.


stephen.baugh Thu, 01/17/2008 - 01:16
User Badges:


I haven't got access to the CSS at the moment, I will try and gain access and have a look. The trace is taken from the server side of the CSS, The client doesn't send the RST as the TTL is 127 which indicates it originated from the CSS. I do not see any SYN/ACKS being returned from the server only ACKS as the server believes this is still an active session.


This Discussion