Setting syn-ack-window-size, Setting reset-using-client-mac, Retransmitting tcp syns – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide (53-1003250-01), Chapter 5: Configuring Syn-Proxy, page 77

Setting SYN-Ack-Window-Size

To globally set the TCP window size that the Brocade Virtual ADX uses on a SYN-ACK packet sent
back to a client with SYN-Cookie, use the following command:

Virtual ADX(config)#server syn-proxy-syn-ack-window-size 5000

Syntax: [no] server syn-proxy-syn-ack-window-size value

The value variable is the window size. The range is from 1 to 65535. The default is 8192.

This command works with a syn-proxy configuration. When syn-ack-window-size is configured, the
SYN-ACK packet sent from the Brocade Virtual ADX to the client carries the configured window
size.

This feature can be used to prevent the client from sending HTTP GETs before the server-side
three-way handshake is established.

Setting Reset-Using-Client-MAC

NOTE

In this rare corner case, the reset-using-client-mac command is needed to send a reset to the client.

To globally send a Reset to the client using the client MAC address on the interfaces where
Syn-Proxy is enabled, use the following command:

Virtual ADX(config)#ip tcp syn-proxy reset-using-client-mac

Syntax: [no] ip tcp syn-proxy reset-using-client-mac

This command is useful only when the client cannot be reached through the Brocade Virtual ADX
default gateway and the default gateway of the server is different from the default gateway of the
Brocade Virtual ADX.

Retransmitting TCP SYNs

When Syn-Proxy is enabled, the Brocade Virtual ADX completes the TCP three-way handshake with
a connecting client prior to forwarding packets between the client and the destination server. This
action allows the Brocade Virtual ADX to forward to the server only packets associated with an
established connection.

After completing the three-way handshake with the client, the Brocade Virtual ADX sends a SYN to
the destination server to attempt to establish a connection with the server. If the Brocade Virtual
ADX does not receive an ACK from the destination server within 8 seconds, the Brocade Virtual ADX
sends a TCP RESET to the client.

The Brocade Virtual ADX performs retransmissions in 3-second intervals. If the Brocade Virtual ADX
does not receive an ACK from the destination server, it retransmits the SYN. After sending a SYN to
the destination server, if the Brocade Virtual ADX does not receive an ACK from the server after
three seconds, the Brocade Virtual ADX retransmits the SYN to the server. If the SYN is still
unacknowledged after three more seconds, the Brocade Virtual ADX retransmits the SYN to the
server again. If after three retransmission attempts, the destination server still has not responded
with an ACK, the Brocade Virtual ADX sends a TCP RESET to the client to abort the connection.
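The retransmission timeline described above, as an added Python model that is not Brocade code: it assumes the "three attempts" are the original SYN plus two retransmissions at 3-second intervals, so the client is reset at about 9 seconds, close to the 8-second figure quoted above. The interval and attempt count are parameters, so the other reading (three retransmissions after the original SYN) can be modelled by passing attempts=4.

```python
from typing import List, Optional, Tuple

# Timer values as stated in the text; the attempt count is this example's reading
# (original SYN plus two retransmissions, so the abort lands near the 8-9 s mark).
SYN_INTERVAL_S = 3.0
SYN_ATTEMPTS = 3

Event = Tuple[float, str]  # (seconds after the client-side handshake completes, action)


def server_side_handshake(server_ack_at: Optional[float],
                          interval: float = SYN_INTERVAL_S,
                          attempts: int = SYN_ATTEMPTS) -> List[Event]:
    """Model what the proxy sends after the client's three-way handshake is done (t = 0).

    server_ack_at is when the server's answer to the SYN arrives, or None if it never
    does. Nothing from the client is forwarded until the server side is established,
    which is why the server only ever sees packets for connections the proxy completed.
    """
    events: List[Event] = []
    for attempt in range(attempts):
        sent_at = attempt * interval
        if server_ack_at is not None and server_ack_at < sent_at:
            events.append((server_ack_at, "server ACK received; forwarding begins"))
            return events
        label = "SYN -> server" if attempt == 0 else f"SYN -> server (retransmission {attempt})"
        events.append((sent_at, label))
    deadline = attempts * interval
    if server_ack_at is not None and server_ack_at < deadline:
        events.append((server_ack_at, "server ACK received; forwarding begins"))
    else:
        events.append((deadline, "RST -> client; connection aborted"))
    return events


def client_outcome(server_ack_at: Optional[float]) -> str:
    """What the client ultimately sees: an established connection or a reset."""
    last_action = server_side_handshake(server_ack_at)[-1][1]
    return "reset" if last_action.startswith("RST") else "established"


if __name__ == "__main__":
    # Constructed sample server response times, including a never-answering server.
    for t in (0.4, 4.0, 7.5, 9.0, None):
        print(f"server answers at {t}:")
        for when, what in server_side_handshake(t):
            print(f"  t={when:4.1f}s  {what}")
```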