
New Member

CSS SYN ACK question

Hi,

What is the value/time after which a CSS resets a connection that is not fully established?

I'm seeing the following:

Client >

CSS <

SYN >

ACK <

ACK <

ACK <

ACK <

ACK <

RST <

RST comes from the CSS

8 REPLIES
Cisco Employee

Re: CSS SYN ACK question

The DoS feature will kick in and RST the connection after 16 seconds.

A 'show dos' will tell you if such a connection was detected.

This feature is not configurable.

Gilles.

New Member

Re: CSS SYN ACK question

Hi,

Just noticed from my trace that the client is using the same source port as a previous connection and the server's 2MSL timer hasn't been exceeded.

Is 16 seconds the correct value?

Cheers

Cisco Employee

Re: CSS SYN ACK question

Yes, 16 seconds is correct.

G.

New Member

Re: CSS SYN ACK question

Thanks,

So if the server doesn't send a SYN/ACK within 16 seconds, the CSS drops the flow. Is this time configurable?

Cheers

Cisco Employee

Re: CSS SYN ACK question

The CSS wants to see a complete 3-way handshake within the 16 seconds or it considers this connection a DoS attack.

As mentioned earlier, this feature is not configurable at all.

You can't disable it or modify any parameters, including the time.

Gilles.

New Member

Re: CSS SYN ACK question

Hi Gilles

Thanks for the info, apologies for more questions. From my trace I see 5 SYN packets with a source port that should be in the TIME_WAIT state. I presume the DoS feature should kick in 16 seconds after the first SYN is received, but I'm not seeing the RST originate from the CSS until 3 minutes. Any clues as to why?

Client > Server

00:03:35 SYN >

00:03:35 ACK <

00:03:41 SYN >

00:03:41 ACK <

00:03:47 SYN >

00:03:47 ACK <

00:03:59 SYN >

00:03:59 ACK <

00:04:23 SYN >

00:04:23 ACK >

00:06:24 RST >

Thanks in advance

Cisco Employee

Re: CSS SYN ACK question

Was the trace captured on the server side or the client side?

If you do a 'show dos', do you see this connection counted as a DoS attack or not?

Since the server responds with an ACK to the SYN, the CSS could have the connection in the established state as well and the RST is coming from the client giving up the connection.

Gilles.

New Member

Re: CSS SYN ACK question

Gilles,

I haven't got access to the CSS at the moment; I will try and gain access and have a look. The trace is taken from the server side of the CSS. The client doesn't send the RST, as the TTL is 127, which indicates it originated from the CSS. I do not see any SYN/ACKs being returned from the server, only ACKs, as the server believes this is still an active session.
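A small checker, added here as an example and not written by either poster, that applies the reasoning from Gilles' replies (a 3-way handshake must complete within 16 seconds or the CSS DoS feature resets the flow) and from the final reply (a server that still holds state for a reused source port answers a SYN with a bare ACK, never a SYN/ACK) to a server-side capture. The line format (timestamp, direction relative to the server, flags) and the three sample traces are constructed to resemble the ones quoted in the thread; the only value taken from the thread is the 16-second window.

```python
from dataclasses import dataclass

# Stated in the thread: the CSS DoS feature resets a flow whose 3-way handshake
# has not completed within 16 seconds, and the value cannot be changed.
CSS_HANDSHAKE_WINDOW_S = 16


@dataclass(frozen=True)
class Packet:
    t: int            # seconds since midnight, from the capture timestamp
    to_server: bool   # True for '>' (toward the server: client or CSS), False for '<' (sent by the server)
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}


def parse_line(line):
    """Parse one constructed trace line: 'HH:MM:SS <dir> <FLAGS>', e.g. '00:03:35 > SYN/ACK'."""
    ts, direction, flags = line.split()
    if direction not in ("<", ">"):
        raise ValueError(f"bad direction in line: {line!r}")
    h, m, s = (int(x) for x in ts.split(":"))
    return Packet(h * 3600 + m * 60 + s, direction == ">", frozenset(flags.upper().split("/")))


def analyze_flow(lines, window=CSS_HANDSHAKE_WINDOW_S):
    """Classify one client/server flow; all lines must belong to the same 4-tuple."""
    pkts = [parse_line(l) for l in lines if l.strip()]
    syns = [p for p in pkts if p.to_server and "SYN" in p.flags]
    if not syns:
        return {"verdict": "no SYN in trace"}
    t0 = syns[0].t
    syn_ack = next((p for p in pkts if not p.to_server and {"SYN", "ACK"} <= p.flags), None)
    # A bare ACK (no SYN bit) in reply to a SYN is what a host sends when it still
    # holds state for that 4-tuple (ESTABLISHED or TIME_WAIT): the reused-port case.
    bare_acks = [p for p in pkts if not p.to_server and p.flags == frozenset({"ACK"})]
    rst = next((p for p in pkts if "RST" in p.flags), None)

    result = {
        "syn_count": len(syns),
        # Gaps between client SYN retransmissions (exponential backoff shows as 6, 6, 12, 24 ...).
        "syn_retransmit_gaps_s": [b.t - a.t for a, b in zip(syns, syns[1:])],
        "syn_ack_delay_s": None if syn_ack is None else syn_ack.t - t0,
        "bare_ack_replies": len(bare_acks),
        "rst_delay_s": None if rst is None else rst.t - t0,
        "rst_from_server": None if rst is None else not rst.to_server,
        # True when the flow was only torn down well after the CSS window, which does not
        # match the 16-second DoS behaviour and deserves a 'show dos' check on the CSS.
        "rst_after_window": rst is not None and syn_ack is None and rst.t - t0 > window,
    }
    if syn_ack is not None and syn_ack.t - t0 <= window:
        result["verdict"] = "handshake completed within CSS window"
    elif syn_ack is None and bare_acks:
        result["verdict"] = "server answered SYN with bare ACK: port still held (ESTABLISHED/TIME_WAIT)"
    else:
        result["verdict"] = "half-open beyond CSS window: expect DoS-feature RST"
    return result


# Constructed sample traces (server-side capture; '>' toward the server, '<' from it).
SAMPLE_STALE_PORT_TRACE = [   # modelled on the second trace in the thread
    "00:03:35 > SYN", "00:03:35 < ACK",
    "00:03:41 > SYN", "00:03:41 < ACK",
    "00:03:47 > SYN", "00:03:47 < ACK",
    "00:03:59 > SYN", "00:03:59 < ACK",
    "00:04:23 > SYN", "00:04:23 < ACK",
    "00:06:24 > RST",
]
SAMPLE_NORMAL_TRACE = ["00:10:00 > SYN", "00:10:00 < SYN/ACK", "00:10:00 > ACK"]
SAMPLE_HALF_OPEN_TRACE = ["00:20:00 > SYN", "00:20:03 > SYN", "00:20:16 > RST"]

if __name__ == "__main__":
    for name, trace in [("stale port", SAMPLE_STALE_PORT_TRACE),
                        ("normal", SAMPLE_NORMAL_TRACE),
                        ("half-open", SAMPLE_HALF_OPEN_TRACE)]:
        print(name, analyze_flow(trace))
```

On the thread-like trace the checker reports five SYNs answered only by bare ACKs, no SYN/ACK at all, and an RST 169 seconds after the first SYN, which is the combination the last reply describes: the server still has the 4-tuple open, so it will never send SYN/ACK, and the teardown does not line up with a 16-second DoS reset. Only the half-open sample (no server reply, RST at 16 s) matches the DoS-feature behaviour Gilles describes.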
