If I'm not mistaken, the router will look at outbound UDP connections and observe for returning traffic that matches or is related to the outbound flow. If none is seen within a specified time, then that connection is considered a UDP half-open connection. Being a connectionless protocol, the three-way handshake doesn't apply when considering half-open sessions in the TCP sense.

On Tue, Jan 25, 2011 at 12:34 PM, Anantha Subramanian Natarajan <[email protected]> wrote:

> Hi Piotr,
>
> Thanks for your clarification. Seems Cisco IOS firewall considers UDP
> half-open sessions as any UDP communication which is unidirectional. Is that
> not right? I was reading in the command reference what Cisco IOS
> firewall treats as a UDP half-open session.
>
> Kindly correct me.
>
> Thanks
>
> Regards
> Anantha Subramanian Natarajan
>
> On Tue, Jan 25, 2011 at 11:48 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Anantha,
>>
>> UDP is connectionless so no half-open connections exist.
>>
>> Regards,
>> Piotr
>>
>> 2011/1/25 Anantha Subramanian Natarajan <[email protected]>
>>
>>> Hi All,
>>>
>>> I was going through the Cisco IOS Firewall Feature (CBAC) and understood
>>> that there is a global command "ip inspect tcp max-incomplete host value" to
>>> delete half-open sessions whenever the number of half-open sessions to the
>>> specified destination host address rises above a threshold. Am trying to
>>> understand whether a similar command exists for UDP, and if not, any specific
>>> technical reason why this command wouldn't be possible for UDP.
>>>
>>> Thanks for the great help
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
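
A simplified model of the behaviour described in the reply at the top of this thread, added here as an illustration; it is not code from the thread and not how Cisco IOS is implemented. The class name, the 30-second reply timeout, the per-host limit of 3 and all addresses are assumptions constructed for the example.

```python
from collections import Counter


class UdpFlowTable:
    """Toy stateful UDP tracker: a flow with no return traffic is 'half-open'."""

    def __init__(self, reply_timeout=30.0, per_host_limit=3):
        self.reply_timeout = reply_timeout    # assumed wait for return traffic (s)
        self.per_host_limit = per_host_limit  # assumed per-destination threshold
        self.flows = {}  # (src, sport, dst, dport) -> {"first_seen", "replied"}

    def outbound(self, t, src, sport, dst, dport):
        """Record a datagram leaving the protected side."""
        self.flows.setdefault((src, sport, dst, dport),
                              {"first_seen": t, "replied": False})

    def inbound(self, t, src, sport, dst, dport):
        """Accept a datagram only if it mirrors a tracked outbound flow."""
        flow = self.flows.get((dst, dport, src, sport))
        if flow is None:
            return False  # unsolicited: no matching outbound state
        flow["replied"] = True
        return True

    def half_open_by_host(self, now):
        """Count flows per destination still unanswered after reply_timeout."""
        counts = Counter()
        for (_, _, dst, _), flow in self.flows.items():
            if not flow["replied"] and now - flow["first_seen"] >= self.reply_timeout:
                counts[dst] += 1
        return counts

    def hosts_over_limit(self, now):
        """Destinations whose half-open count exceeds the per-host threshold."""
        return sorted(h for h, n in self.half_open_by_host(now).items()
                      if n > self.per_host_limit)


def demo():
    """Constructed traffic: one answered DNS query, five unanswered datagrams."""
    table = UdpFlowTable(reply_timeout=30.0, per_host_limit=3)
    table.outbound(0.0, "10.0.0.5", 5000, "192.0.2.53", 53)
    table.inbound(0.2, "192.0.2.53", 53, "10.0.0.5", 5000)
    for i in range(5):  # same destination, never replies
        table.outbound(1.0 + i, "10.0.0.9", 6000 + i, "198.51.100.7", 9999)
    unsolicited = table.inbound(2.0, "203.0.113.1", 53, "10.0.0.5", 5001)
    return table, unsolicited
```

The per-destination count is the UDP analogue of what the original question asks about for TCP; whether IOS exposes such a per-host threshold for UDP is not settled in this thread.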
