10-03-2017 10:19 AM - edited 03-10-2019 12:53 AM
Hi,
I need to know if Service TCP-Keepalives-IN and OUT has any production impact. I am planning to apply this feature for incoming and outgoing TCP connections on my edge routers in a production environment.
As these are the key routers, I am very much concerned about the impact of executing these commands.
Thanks,
Zali
11-12-2017 08:19 PM
Hello Zali,
There will not be any impact on production. These two commands are best practices and only come into play if you have a communications problem between your SSH/telnet client and the router. This Cisco document has a good example:
https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/14957-tcpkeepalive.html
I hope this makes you feel comfortable deploying the commands!
Here are a couple of others I use:
no service pad
no service finger
no ip source-route
no ip gratuitous-arps
no service dhcp (only on devices that don't offer DHCP relay or addresses)
no ip finger
no service tcp-small-servers (IOS 11.2 and older)
no service udp-small-servers (IOS 11.2 and older)
! logging timestamps help you correlate events across network devices
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service sequence-numbers
service counters max age 5
service password-encryption
service linenumber
Here is a good Cisco tutorial on security. Ironically, it requires Flash to view!
https://www.cisco.com/c/dam/en_us/training-events/le31/le46/cln/qlm/Learning_Center/Security/Hardening_Cisco_IOS_Devices/player.html
Here is a Cisco webpage on hardening devices
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
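Before rolling the keepalive and hardening lines out to a fleet of edge routers, it helps to check which devices already have them. The script below is an added example written for this thread, not code from Cisco or from the poster above; it audits a saved `show running-config` text (a constructed sample is embedded, not output from a real device) against the lines listed in the reply. Two assumptions are built in: default-on services that have been disabled (pad, source-route) show up in the running-config as their `no ...` form and can be matched literally, while services that are off by default on current IOS (finger, small-servers) only appear when someone has enabled them, so their presence is the finding. The function and variable names are the example's own.

```python
"""Audit a Cisco IOS running-config text for the keepalive and hardening lines."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Lines that should be present. Disabled default-on services appear in the
# running-config as "no ...", so these can be matched as literal lines.
REQUIRED_LINES = (
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "service timestamps debug datetime msec localtime",
    "service timestamps log datetime msec localtime",
    "service password-encryption",
    "no service pad",
    "no ip source-route",
)

# Services that are off by default on current IOS: they only show up in the
# running-config when explicitly enabled, which is what we want to flag.
FORBIDDEN_PREFIXES = (
    "ip finger",
    "service finger",
    "service tcp-small-servers",
    "service udp-small-servers",
)


@dataclass
class AuditResult:
    missing: list[str] = field(default_factory=list)    # required lines not found
    forbidden: list[str] = field(default_factory=list)  # risky lines found enabled

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.forbidden


def normalise(line: str) -> str:
    """Drop IOS '!' comments, collapse whitespace, lower-case for comparison."""
    return re.sub(r"\s+", " ", line.split("!", 1)[0]).strip().lower()


def audit_config(config_text: str) -> AuditResult:
    lines = {normalise(raw) for raw in config_text.splitlines()}
    lines.discard("")
    result = AuditResult()
    for wanted in REQUIRED_LINES:          # keep REQUIRED_LINES order in the report
        if wanted not in lines:
            result.missing.append(wanted)
    for line in sorted(lines):
        if any(line == p or line.startswith(p + " ") for p in FORBIDDEN_PREFIXES):
            result.forbidden.append(line)
    return result


def remediation_lines(result: AuditResult) -> list[str]:
    """Config lines that would bring the device into line with the audit."""
    return [*result.missing, *("no " + line for line in result.forbidden)]


# Constructed sample running-config (not captured from a real device). It is
# missing the outbound keepalive and source-route lines and has finger enabled.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
version 15.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service tcp-keepalives-in
no service pad
ip finger
hostname EDGE-RTR-1
line vty 0 4
 transport input ssh
end
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("compliant:", report.compliant)
    print("missing:  ", report.missing)
    print("forbidden:", report.forbidden)
    print("to apply: ", remediation_lines(report))
```

Run it against the output of `show running-config` saved to a file per device; the remediation list is exactly the set of lines to paste in configuration mode, and none of them affect forwarding, which is the point of the reply above.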
09-11-2020 12:19 AM
Is it recommended to set this on layer 3 switches with ssh enabled also?
09-17-2020 12:03 PM
I believe that it is recommended on any layer 3 network device, especially ones with SSH or telnet in use.
09-18-2020 04:32 PM
Hello jayage,
I thought I replied back on 9/11 but I don't see it online.
Yes, this setting is a Cisco best practice. It will not interrupt production.
I recently did a blog post on disabling weak crypto ciphers on Cisco switches. I recommend doing that also, especially if you will have a PCI DSS or other security audit on the switch.
https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html