I am trying to set up the proper value for an embryonic connection timeout on a Cisco PIX running 7.2(1). So far I have read some documents that describe how to set up the value, but nothing concrete about what factors must be considered in order to set up this value.
The FWSM was using a default embryonic connection timeout value of 5 secs (2.2 code and earlier), but newer code uses 20 secs as the default. The point is, what did Cisco consider in choosing this value?
They say the value is relative to the servers' OS; for example, Windows has a timeout value of 21 secs, but some people consider that 21 secs is too much time for an attacker to create a SYN flood attack and successfully affect the servers behind the ASA/PIX.
I personally agree that 21 secs is too much time, so I accessed my websites from an external location using very slow connections (128Kbps download/32Kbps upload), fully loaded (about 90% of BW downloading a file), and I noticed the value for the handshake (SYN, SYN/ACK, ACK) was around 3 secs using Wireshark captures. So I consider the value should be around 5 secs.
On the ASA config guide, Cisco defaults this value to 30 secs; on the ACE 4700 appliance config guide, Cisco defaults this value to 5 secs.
My main concern is, am I missing something? Based on Wireshark captures I got 5 secs, but this value is much lower than the Cisco defaults for ASA and FWSM. Besides, some articles suggest 45 secs.
I am not sure if the tests I have done so far will be enough, or if I should consider additional elements in my formula to get a proper value. If someone could suggest additional elements I can test to adjust my formula, I would really appreciate it.
Let me jump into this one as per Rick Troyo's request, hehe.
First I'll start with the timeout change on the FWSM; this was due to CSCeg02866.
Cisco changed this thinking of oversubscribed links, for example. This is because the timer starts when the device sees the first SYN and is not reset for the retransmitted SYN, and as you can imagine there are many reasons why a packet can be dropped and thus the SYN must be retransmitted. That's just how TCP works, but like I said, the timer will already be counting down. If the SYN+ACK comes after the timeout has expired, the connection is removed and the packet is dropped.
Bottom line: in your formula you are not taking into consideration delays or network problems you might find over "X" environment. Your tests show 5 seconds will be good, but what if you go to another country and try to access the same server? What if you have to go through a VPN? What if your ISP is having some sort of connectivity problems?
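As an added illustration of the point made in this answer (not code from the thread or from Cisco), the following Python model walks a constructed packet trace through the embryonic timer as described: the timer starts at the first SYN and is not reset by a retransmission, so a handshake that survives SYN loss needs a longer timeout than the clean ~3 s handshake measured in the question. Flow labels, timings and the retransmission intervals are all assumed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    t: float    # seconds since start of capture
    kind: str   # "SYN", "SYN/ACK" or "ACK"
    flow: str   # label for the client/server pair
def embryonic_outcomes(trace, timeout):
    """Model the firewall's half-open table: the embryonic timer starts at the
    FIRST SYN of a flow and is not reset by retransmitted SYNs; a SYN/ACK that
    arrives after it expired finds no entry and is dropped, so the handshake
    fails. Returns {flow: "established" | "dropped"}."""
    first_syn, state = {}, {}
    for p in sorted(trace, key=lambda p: p.t):
        if p.kind == "SYN":
            first_syn.setdefault(p.flow, p.t)        # retransmit: no reset
        elif p.kind == "SYN/ACK" and p.flow in first_syn:
            if p.t - first_syn[p.flow] > timeout:
                state[p.flow] = "dropped"
            else:
                state.setdefault(p.flow, "syn-acked")
        elif p.kind == "ACK" and state.get(p.flow) == "syn-acked":
            state[p.flow] = "established"
    return state

def required_timeout(trace):
    """Longest first-SYN to SYN/ACK gap in the trace: the smallest timeout at
    which every captured handshake would still complete."""
    first_syn, worst = {}, 0.0
    for p in sorted(trace, key=lambda p: p.t):
        if p.kind == "SYN":
            first_syn.setdefault(p.flow, p.t)
        elif p.kind == "SYN/ACK" and p.flow in first_syn:
            worst = max(worst, p.t - first_syn[p.flow])
    return worst
# Constructed trace, not a real capture. "clean" is the ~3 s handshake the
# question measured; "lossy1"/"lossy2" lose one and two SYNs and retransmit
# with an assumed exponential backoff (after 3 s, then after a further 6 s).
TRACE = [
    Pkt(0.0, "SYN", "clean"), Pkt(1.4, "SYN/ACK", "clean"), Pkt(2.9, "ACK", "clean"),
    Pkt(0.0, "SYN", "lossy1"), Pkt(3.0, "SYN", "lossy1"),
    Pkt(4.4, "SYN/ACK", "lossy1"), Pkt(5.8, "ACK", "lossy1"),
    Pkt(0.0, "SYN", "lossy2"), Pkt(3.0, "SYN", "lossy2"), Pkt(9.0, "SYN", "lossy2"),
    Pkt(10.4, "SYN/ACK", "lossy2"), Pkt(11.8, "ACK", "lossy2"),
]

if __name__ == "__main__":
    for timeout in (5, 20):     # the question's 5 s vs the FWSM default 20 s
        print(timeout, embryonic_outcomes(TRACE, timeout))
    print("timeout needed for this trace:", required_timeout(TRACE))
```

With a 5 s timeout the flow that lost two SYNs is dropped even though the server answered; at 20 s all three complete, which is the trade-off between SYN-flood exposure and reachability over lossy paths that the answer describes.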