Can the PIX do delayed binding--i.e., can it handle the 3-way handshake on behalf of a server that's reached via a static?
I'm specifically asking about 6.3(5), though if it's only possible with
7.x that'd be worth knowing as well.- John
Yes. Set the embryonic limit in the static command to one.
Right, thanks...I'd forgotten that the embryonic limit behavior changed in PIX 5.x.
Unfortunately that "1" is toxic in the situation in which I wanted to do this: namely, having the PIX intercept all TCP connections for an Alteon load balancer which has a broken TCP stack (it refuses to retransmit packets during the 3-way handshake, resulting in connection timeouts for client hosts). Setting the embryonic connection limit to 1 means that some number of TCP connections--a significant percentage, in fact--continue to be passed through to the Alteon by the PIX, so we're still seeing timeouts.
It's too bad that activating TCP intercept for a static relies on this overloading of the embryonic limit rather than using a separate option on the static command (like "norandomseq" or "dns").
- John
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.