TCP Intercept

Could someone please help me understand what the difference is between TCP intercept in aggressive mode versus watch mode? It appears that watch-mode also manipulates traffic which seems counter-intuitive to the wording.




  • JoeMJoeM ✭✭✭

    Short summary is:


    watch mode -- just monitors (passively watches) the TCP connection attempts -- for max connections etc. This can be acted upon by configuring parameters (thresholds).

    intercept mode -- actually proxies (intercepts) the TCP handshake -- and then knits the connection back together after the client/server successfully complete the handshake.


    EDIT: Because you are using the term "aggressive mode", I needed to double-check. I do not believe there is an "aggressive mode". Only "intercept mode" (default) and "watch mode".

    Here is a Cisco doc. It mentions "aggressive" as a term for thresholds.

  • My understanding is TCP interface Intercept can be configured to operate in either intercept mode or watch mode. The intercept mode again can act in aggressive mode or normal mode, depending on whether certain predefined thresholds have been crossed.

  • Correction: Checked the command reference again. It looks like aggressive mode applies to watch mode too.

  • Thank you folks. That helps clear some things up.

    Another question - Is it possible for 'watch mode' to stop half-open TCP connections?


  • JoeMJoeM ✭✭✭

    Thank you folks. That helps clear some things up.

    Another question - Is it possible for 'watch mode' to stop half-open TCP connections?


    Yes. Check out that Cisco doc I linked. It gives the basic options for it.


  • JoeMJoeM ✭✭✭

    Hey Mike,

    Did that doc help?

    Also, workbook-1 11.13 - .14 handles this topic for both modes. I just opened that PDF (security section 11), and funny thing, my PDF opened right to those specific labs. I must have been reviewing it last week.

  • (From my memory) the way I understand it is that both modes can perform actions, but the main difference is that intercept mode actually terminates the connections (proxies), but watch mode keeps a record of the connections but lets them pass through. So if a server was under an attempted SYN flood attack, intercept mode would mean that the server never really gets hit. Watch mode would mean that the server gets hit until the threshold is reached, at which point the router steps in and performs the action, such as TCP reset.
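
The two modes and the "aggressive" thresholds discussed in this thread, written out as an IOS configuration sketch. This is an added example, not taken from any poster or from the linked Cisco doc; ACL number 101, the server address 192.0.2.10 and the threshold and timeout values are constructed for illustration.

```cisco
! Constructed example: protect one inside server (192.0.2.10 is a documentation address).
access-list 101 permit tcp any host 192.0.2.10
!
! Only TCP connections matching this ACL are handled by TCP intercept.
ip tcp intercept list 101
!
! The mode is one global setting, so only one of the two lines below is active.
! intercept (the default): the router answers the client's SYN itself and opens
! the server-side connection only after the client completes the handshake.
! ip tcp intercept mode intercept
!
! watch: SYNs pass through to the server; the router tracks each attempt.
ip tcp intercept mode watch
!
! Watch mode only: how long a connection may stay half-open before the router
! sends a reset to the server (default 30 seconds).
ip tcp intercept watch-timeout 15
!
! "Aggressive" is a state, not a third mode. It starts when either high mark is
! exceeded and ends when both counts fall below the low marks.
! Defaults are 1100 (high) and 900 (low) for both counters.
ip tcp intercept max-incomplete high 600
ip tcp intercept max-incomplete low 400
ip tcp intercept one-minute high 600
ip tcp intercept one-minute low 400
!
! While aggressive, each new connection attempt evicts an existing half-open
! one (oldest by default, random here) and the watch timeout is cut in half.
ip tcp intercept drop-mode random
```

`show tcp intercept connections` lists the half-open and established sessions being tracked, and `show tcp intercept statistics` shows the current mode and counts against the thresholds.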

  • BlueBlueOrange just jogged my memory.

    I'll try and paraphrase a multiple CCIE so please forgive any inaccuracies. One of the explanations that Brian M uses in the ATC videos is that there are two places that a DoS attack can terminate. They are:

    1. The external router with Intercept mode. This DoS attack may well be successful due to the router terminating the sessions and also having an inferior processor compared to a server. Also, it might affect the whole site if it runs out of steam before it has closed enough half-open sessions. Traffic will never directly bother the server though.


    2. The inside server with TCP watch mode. This DoS attack is less likely to succeed when compared to the Intercept mode, as usually the server has a much more powerful CPU when compared to the router, and it may well hold up until the external router can reset the half-open connections as the timers expire.

  • Yeah, well, you should do exercise 6.2 in WB II lab 3... if it is not why you're asking this question.

    This task is about TCP intercept watch mode for half-open connections.
