04-10-2012 11:31 AM - edited 03-11-2019 03:52 PM
Hi,
I am trying to set up the proper value for an embryonic connection timeout on a Cisco PIX running 7.2(1). So far I have read some documents that describe how to set the value, but nothing concrete about what factors must be considered in order to choose it.
According to this URL:
https://supportforums.cisco.com/thread/224711
The FWSM was using a default embryonic connection timeout value of 5 secs (2.2 code and earlier) but on newer codes is using 20 secs as default. The point is, what did Cisco consider to use this value?
According to this URL:
https://supportforums.cisco.com/thread/2032754
They say the value is relative to the servers' OS; for example, Windows has a timeout value of 21 secs, but some people consider 21 secs too much time, allowing an attacker to run a SYN flood attack and successfully affect the servers behind the ASA/PIX.
I personally agree that 21 secs is too much time, so I accessed my websites from an external location using a very slow connection (128Kbps download/32Kbps upload), fully loaded (about 90% of BW downloading a file), and I noticed the value for the handshake (SYN, SYN/ACK, ACK) was around 3 secs in Wireshark captures. So I consider the value should be around 5 secs.
On the ASA config guide, Cisco defaults this value to 30 secs; on the ACE 4700 appliance config guide, Cisco defaults this value to 5 secs.
http://es.scribd.com/doc/51349206/424/config-parammap-conn-set-tcp-timeout
Some Cisco articles suggest 45 secs for the timeout value.
(http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml)
My main concern is, am I missing something? Based on Wireshark captures I got 5 secs, but this value is much lower than the Cisco defaults for ASA and FWSM. Besides, some articles suggest 45 secs.
I am not sure whether the tests I have done so far will be enough or whether I should consider additional elements in my formula to get a proper value. If someone could suggest additional elements I can test to adjust my formula, I would really appreciate it.
Thanks for your time and opinions
04-13-2012 03:48 PM
Hello Diego,
Let me jump into this one as per Rick Troyo request hehe
First I'll start with the timeout change on the FWSM; this was due to CSCeg02866.
Cisco changed this thinking of oversubscribed links, for example. This is because the timer starts when the device sees the first SYN and is not reset for the retransmitted SYN, and as you can imagine there are many reasons why a packet can be dropped, so the SYN must be retransmitted (that's just how TCP works), but like I said the timer will already be counting down. If the SYN+ACK comes after the timeout has expired, the connection is removed and the packet is dropped.
Bottom line: in your formula you are not taking into consideration delays or network problems you might find in "X" environment. Your tests show 5 seconds will be good, but what if you go to another country and try to access the same server? What if you have to go through a VPN? What if your ISP is having some sort of connectivity problems?
Hope this helps...
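The timer behaviour described in this answer, together with the handshake timing measured in the question, as an added example that is not part of the thread: a small Python model that checks whether a SYN+ACK would still find its embryonic entry before a candidate timeout expires, given an RTT and a client SYN retransmission schedule. The schedules, RTTs and scenarios are constructed assumptions for illustration, not measured values.

```python
# Added example (not from the thread): a model of the timer behaviour described
# in the answer above. The firewall's embryonic timer starts at the FIRST SYN it
# forwards and is not reset by retransmitted SYNs; if the SYN+ACK arrives after
# the timer has expired, the half-open entry is gone and the SYN+ACK is dropped.
# All numbers below are constructed for illustration.

# Constructed SYN retransmission schedules (seconds after the first SYN). They
# approximate common client stacks; verify against the real hosts you care about.
WINDOWS_LIKE = [3.0, 9.0]            # two retries, 3 s then 6 s apart
LINUX_LIKE = [1.0, 3.0, 7.0, 15.0]   # exponential backoff from a 1 s RTO

CANDIDATE_TIMEOUTS = [5, 20, 21, 30, 45]  # values discussed in the thread


def syn_ack_arrival(rtt_s, lost_syns, schedule):
    """Seconds after the first SYN at which the SYN+ACK reaches the firewall,
    assuming the first `lost_syns` SYNs are lost and the next one gets through.
    Returns None if the client exhausts its retries before a SYN succeeds."""
    if lost_syns == 0:
        return rtt_s
    if lost_syns > len(schedule):
        return None
    return schedule[lost_syns - 1] + rtt_s


def handshake_survives(timeout_s, rtt_s, lost_syns, schedule):
    """True if the SYN+ACK arrives while the embryonic entry still exists."""
    arrival = syn_ack_arrival(rtt_s, lost_syns, schedule)
    return arrival is not None and arrival <= timeout_s


def minimum_timeout(rtt_s, tolerated_losses, schedule):
    """Smallest timeout that still completes handshakes with that many lost
    SYNs at the given RTT (None if the client would give up anyway)."""
    return syn_ack_arrival(rtt_s, tolerated_losses, schedule)


if __name__ == "__main__":
    # Rows: the poster's loaded 128 kbps link (~3 s handshake, nothing lost),
    # then the same link with one SYN lost, then a faster link with two lost.
    scenarios = [("3 s RTT, no loss", 3.0, 0), ("3 s RTT, 1 SYN lost", 3.0, 1),
                 ("0.5 s RTT, 2 SYNs lost", 0.5, 2)]
    for label, rtt, lost in scenarios:
        for name, sched in (("windows-like", WINDOWS_LIKE), ("linux-like", LINUX_LIKE)):
            ok = [t for t in CANDIDATE_TIMEOUTS if handshake_survives(t, rtt, lost, sched)]
            print(f"{label:24} {name:13} survives with timeouts: {ok}")
```

Running it shows the answer's point: with no loss the measured 3 s handshake fits a 5 s timeout, but a single lost SYN on a Windows-like client already pushes the SYN+ACK past 5 s while 20 s and above still complete.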
04-16-2012 11:01 AM
Thank you very much, useful elements for my formula...
Thanks again