Recommended embryonic connection timeout

Diego Zuniga
Level 1

Hi,

I am trying to set up the proper value for an embryonic connection timeout on a Cisco PIX running 7.2(1). So far I have read some documents that describe how to set up the value, but nothing concrete about what factors must be considered in order to set up this value.

According to this URL:

https://supportforums.cisco.com/thread/224711

The FWSM was using a default embryonic connection timeout value of 5 secs (2.2 code and earlier), but newer code uses 20 secs as the default. The point is, what did Cisco consider in order to use this value?

According to this URL:

https://supportforums.cisco.com/thread/2032754

They say the value is relative to the servers' OS; for example, Windows has a timeout value of 21 secs, but some people consider that 21 secs is too much time for an attacker to create a SYN Flood attack and successfully affect the servers behind the ASA/PIX.

I personally agree with the fact that 21 secs is too much time, so I accessed my websites from an external location using a very slow connection (128Kbps download/32Kbps upload), fully loaded (about 90% of BW downloading a file), and I noticed the value for the handshake (SYN, SYN/ACK, ACK) was around 3 secs using Wireshark captures. So I consider the value should be around 5 secs.

On the ASA config guide, Cisco defaults this value to 30 secs; on the ACE 4700 appliance config guide, Cisco defaults this value to 5 secs.

http://es.scribd.com/doc/51349206/424/config-parammap-conn-set-tcp-timeout

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1080774

Some Cisco articles suggest 45 secs for the timeout value.

(http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml)

My main concern is, am I missing something? Based on Wireshark captures I got 5 secs, but this value is much lower than the Cisco defaults for ASA and FWSM. Besides, some articles suggest 45 secs.

I am not sure if the tests I have done so far are enough or whether I should consider additional elements in my formula to get a proper value. If someone could suggest additional elements I can test to adjust my formula, I will really appreciate it.

Thanks for your time and opinions

2 Replies

Gustavo Medina
Cisco Employee

Hello Diego,

Let me jump into this one as per Rick Troyo's request hehe

First I'll start with the timeout change on the FWSM; this was due to CSCeg02866.

Cisco changed this thinking on oversubscribed links, for example. This is because the timer starts when the device sees the first SYN and is not reset for the retransmitted SYN, and as you can imagine there are many reasons why a packet can be dropped, thus the SYN must be retransmitted; that's just how TCP works, but like I said the timer will already be counting down. If the SYN+ACK comes after the timeout has expired, the connection is removed and the packet is dropped.

Bottom line: in your formula you are not taking into consideration delays or network problems you might find over "X" environment. Your tests show 5 seconds will be good, but what if you go to another country and try to access the same server? What if you have to go through a VPN? What if your ISP is having some sort of connectivity problems?

Hope this helps...
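The embryonic-timer behaviour described in the reply above, as an added Python model that is not part of the original thread or of any Cisco code: it replays a constructed SYN/SYN-ACK timeline through a half-open entry whose timer starts at the first SYN and is never refreshed, and reports which candidate timeouts (5, 20, 30, 45 s) still let the handshake complete when one or more SYNs are lost downstream. The Windows retransmission schedule (3, 6, 12 s, summing to the 21 s quoted in the thread) and the 3 s handshake time are assumptions taken from the figures in the question.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed client behaviour: SYN retransmitted after 3 s, 6 s and 12 s (0+3+6+12 = 21 s,
# the Windows figure quoted in the thread). Not a measured value.
WINDOWS_SYN_BACKOFF: Tuple[float, ...] = (3.0, 6.0, 12.0)


@dataclass
class Embryonic:
    opened_at: float    # time the firewall saw the first SYN
    expires_at: float   # opened_at + embryonic timeout; retransmitted SYNs do not refresh it


def simulate_handshake(events: List[Tuple[float, str]], embryonic_timeout: float) -> Dict[str, object]:
    """Replay (seconds, packet) events through a minimal model of the embryonic timer.

    As described in the reply: the timer starts on the first SYN, is not reset by
    retransmitted SYNs, and a SYN-ACK arriving after expiry finds no entry and is dropped.
    A SYN-ACK arriving at or before expiry is taken as completing the handshake (assumption).
    """
    entry: Optional[Embryonic] = None
    for t, kind in sorted(events):
        if kind == "SYN" and entry is None:
            entry = Embryonic(opened_at=t, expires_at=t + embryonic_timeout)
        elif kind == "SYN-ACK":
            if entry is None or t > entry.expires_at:
                return {"completed": False, "synack_at": t}
            return {"completed": True, "synack_at": t}
    return {"completed": False, "synack_at": None}


def build_events(rtt: float, lost_syns: int, backoff=WINDOWS_SYN_BACKOFF) -> List[Tuple[float, str]]:
    """Constructed scenario: the firewall sees every SYN, but the first `lost_syns` are
    dropped further along the path, so the server answers only the next retransmission,
    one RTT after it was sent."""
    if lost_syns > len(backoff):
        raise ValueError("client gives up before a SYN gets through")
    send_times = [0.0]
    for gap in backoff:
        send_times.append(send_times[-1] + gap)
    events = [(t, "SYN") for t in send_times[: lost_syns + 1]]
    events.append((send_times[lost_syns] + rtt, "SYN-ACK"))
    return events


def outcomes(timeouts, rtt: float, lost_syns: int) -> Dict[float, bool]:
    """Map each candidate embryonic timeout to whether the handshake still completes."""
    ev = build_events(rtt, lost_syns)
    return {to: bool(simulate_handshake(ev, to)["completed"]) for to in timeouts}


if __name__ == "__main__":
    for lost in range(0, 4):
        print(f"lost SYNs={lost}:", outcomes((5, 20, 30, 45), rtt=3.0, lost_syns=lost))
```

With no loss the poster's 5 s value works, but a single lost SYN already pushes the SYN-ACK past a 5 s window, which is the point the reply makes about retransmissions.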

Thank you very much, useful elements for my formula...

Thanks again
