Configure TCP Keepalive and TCP Timestamp

About this task

TCP Keepalive configures the system TCP keepalive interval, probes, and time.

The TCP Timestamp option (RFC 1323) allows TCP to determine the order in which the packets are sent. The TCP Timestamp provides protection against wrapped sequence numbers. However, it is possible to calculate the system uptime when the Timestamp option is enabled. Analysis of timestamp behaviour can also provide information on the system identity, which poses a security risk and can facilitate an attack.

The TCP Timestamp option is enabled by default. You can disable the timestamp to avoid any security risks.
Note

The configuration will be applied only to the new TCP connections and the existing connections are not affected. You must perform a config save and reboot to apply the new configuration to all TCP connections.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the TCP keepalive interval:

    sys control tcp-keepalive-interval <1-3600>

  3. Configure the TCP keepalive probes:

    sys control tcp-keepalive-probes <1-50>

  4. Configure the TCP keepalive time:

    sys control tcp-keepalive-time <5-65535>

  5. Enable the TCP Timestamp:

    sys control tcp-timestamp

  6. Disable the TCP Timestamp:

    no sys control tcp-timestamp

  7. View the status of TCP Timestamp:

    show sys control

Examples

Configure the TCP keepalive with an interval of 60 seconds, 15 probes, and a time of 120 seconds:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#sys control tcp-keepalive-interval 60
Switch:1(config)#sys control tcp-keepalive-probes 15
Switch:1(config)#sys control tcp-keepalive-time 120

Disable TCP Timestamp:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#no sys control tcp-timestamp

Warning: Existing TCP connections won't be affected.
A config save and reboot is required to apply this configuration for all TCP connections

Display the status of the TCP Timestamp:

Switch:1>show sys control
==========================================================================================
                            System Control Settings
==========================================================================================
                 tcp-timestamp : disable
            tcp-keepalive-time : 120
        tcp-keepalive-interval : 60
          tcp-keepalive-probes : 15
           mac-move-protection : on

Variable Definitions

The following table defines parameters for the sys control command.

Variable: tcp-keepalive-interval <1-3600>
Value: Configure the TCP keepalive interval in seconds. The default is 10.
Note: Exception: Not supported on VSP 8600 Series

Variable: tcp-keepalive-probes <1-50>
Value: Configure the TCP keepalive probes. The default is 5.
Note: Exception: Not supported on VSP 8600 Series

Variable: tcp-keepalive-time <5-65535>
Value: Configure the TCP keepalive time in seconds. The default is 60.
Note: Exception: Not supported on VSP 8600 Series

Variable: tcp-timestamp
Value: Enable or disable tcp-timestamp.
Note: The timestamp is enabled by default. The system displays the following warning message when a new configuration is applied:

Warning: Existing TCP connections won't be affected. A config save and reboot is required to apply this configuration for all TCP connections.
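
The following audit check is an added example, not part of the vendor documentation. It parses show sys control output in the layout shown above, flags an enabled TCP Timestamp, and validates the keepalive values against the ranges in the Variable Definitions table. The sample output is constructed, and the dead-peer detection estimate assumes conventional TCP keepalive semantics (idle time, then the configured number of probes one interval apart), which this page does not define.

```python
import re

# Constructed sample: `show sys control` output in the layout shown on this page.
SAMPLE_OUTPUT = """\
==========================================================
                System Control Settings
==========================================================
                 tcp-timestamp : disable
            tcp-keepalive-time : 120
        tcp-keepalive-interval : 60
          tcp-keepalive-probes : 15
           mac-move-protection : on
"""

# Valid ranges taken from the Variable Definitions table on this page.
RANGES = {
    "tcp-keepalive-interval": (1, 3600),
    "tcp-keepalive-probes": (1, 50),
    "tcp-keepalive-time": (5, 65535),
}

def parse_sys_control(text):
    """Return {setting: value} for every 'name : value' line."""
    return dict(re.findall(r"^\s*([\w-]+)\s*:\s*(\S+)\s*$", text, re.MULTILINE))

def audit(text):
    """Return (findings, detect_seconds) for one switch's output."""
    cfg = parse_sys_control(text)
    findings, values = [], {}
    # A missing line is treated as the documented default (enabled).
    if cfg.get("tcp-timestamp", "enable") != "disable":
        findings.append("tcp-timestamp is enabled: uptime can be inferred")
    for name, (low, high) in RANGES.items():
        raw = cfg.get(name)
        if raw is None or not raw.isdigit():
            findings.append(f"{name} is missing or not numeric")
        elif not low <= int(raw) <= high:
            findings.append(f"{name}={raw} is outside {low}-{high}")
        else:
            values[name] = int(raw)
    detect = None
    if len(values) == len(RANGES):
        # Assumption: idle time, then `probes` probes spaced `interval` apart.
        detect = (values["tcp-keepalive-time"]
                  + values["tcp-keepalive-interval"] * values["tcp-keepalive-probes"])
    return findings, detect

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))
```

Because the setting applies only to new TCP connections until a config save and reboot, a clean result here does not show that existing connections have stopped using timestamps.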