IOS: Setting the TCP Timeout on IOS

IOS Manual

To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time command in global configuration mode. To restore the default time, use the no form of this command.

ip tcp synwait-time seconds

no ip tcp synwait-time seconds

So this is a global timer that affects every TCP session that the control plane on your router creates. That could have some far-reaching impacts on a live network.

Negative Impacts

Now that we know what the command does, what are the possible negative impacts of this command? The default TCP timeout is thirty seconds, and shortening this to five seconds could impact any TCP connection. Consider routing protocols such as BGP, Multicast routing and so on. For example, allowing only five seconds for a three-way handshake on a BGP connection just might be a problem in certain SP networks.

In slow networks such as satellite, low-speed async or even frame relay, it is possible for five seconds to be too short under certain conditions. You should identify this and change the timer to perhaps ten or fifteen seconds. But for most networks today, if you can't get a three-way handshake in five seconds then it's not going to work.

Consider a BGP neighbour connection, which uses TCP: if the connection cannot be established within the configured interval, the connection will be terminated. It's just possible that a heavily loaded BGP peer using authentication might need more than five seconds, so you should keep this in mind.
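One way to check for the risk described above before shortening the timer on a live network, as an added example that is not part of the original post: a small Python audit that reads a saved running-config and lists the BGP peers to review when synwait-time is short. The sample config, the function names and the ten-second review threshold are assumptions made for illustration.

```python
import re

DEFAULT_SYNWAIT = 30    # IOS default per the post, in seconds
MIN_WITH_BGP = 10       # assumed review threshold (the post suggests ten or fifteen)

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
ip tcp synwait-time 5
!
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 password example-only
 neighbor 192.0.2.9 remote-as 64514
!
"""

def parse_synwait(config):
    """Return the configured synwait-time in seconds, or the default if absent."""
    m = re.search(r"^ip tcp synwait-time (\d+)\s*$", config, re.MULTILINE)
    return int(m.group(1)) if m else DEFAULT_SYNWAIT

def bgp_neighbors(config):
    """Return {neighbor_ip: uses_password} for neighbors under 'router bgp'."""
    neighbors, in_bgp = {}, False
    for line in config.splitlines():
        if line.startswith("router bgp "):
            in_bgp = True
        elif in_bgp and not line.startswith(" "):
            in_bgp = False          # an unindented line ends the BGP section
        elif in_bgp:
            m = re.match(r"\s+neighbor (\S+) (\S+)", line)
            if m:
                ip, keyword = m.groups()
                neighbors[ip] = neighbors.get(ip, False) or keyword == "password"
    return neighbors

def audit(config, min_safe=MIN_WITH_BGP):
    """List BGP peers to review when synwait-time is below min_safe."""
    synwait = parse_synwait(config)
    findings = []
    if synwait < min_safe:
        for ip, has_pw in sorted(bgp_neighbors(config).items()):
            note = "authenticated " if has_pw else ""
            findings.append(f"synwait-time {synwait}s: review {note}BGP peer {ip}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
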

Why would you want this configured?

By default, when you telnet to another device that doesn't respond, it takes thirty seconds for the connection to time out. All that time you are sitting waiting for something to happen, or you send the break sequence (ctrl-shift-6, x) to get it to end.

By setting the interval to five seconds, you save yourself from mindlessly looking at the IOS console, thus improving your sanity.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, working as a freelance consultant for a wide range of employers including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

  • http://blog.packetfault.org pello

    Hello Greg,

    In addition to the negative impacts you mentioned, I'll add the specific bug case where the feature of CRL checking until 12.4(20)T is affected by the synwait timer.

    Indeed, if the server hosting the CRL is temporarily down, then you have to wait the synwait time before the IPSEC certificate check continues its work.

    See you
    Francois
