ServerIron ADX Security Guide (53-1002440-03)
Because of the way the SYN-proxy algorithm works, the ServerIron may still accept the ACK between
33 and 64 seconds, but it never accepts an ACK after 64 seconds.
If you enter a value for the ip tcp syn-proxy <value> command from the CLI, or upgrade from an
older release such as 09.4.x to 09.5.2a with the ip tcp syn-proxy <value> command in the
configuration file, the value is ignored and the following warning message is displayed:
Warning: The value 10 is being ignored.
Default ACK validate time of 32 seconds will be used.
To change the MSL value, issue 'server msl <value>'.
Granular application of syn-proxy feature
This feature applies to ServerIron ADX SYN-proxy. When it is enabled, traffic destined to a
virtual server IP (VIP) is denied if the destination port is not defined under any of the virtual
server definitions.
This prevents the ServerIron ADX from answering a TCP SYN with a TCP SYN-ACK for ports that are
not defined under the VIP. Without this check the SYN-proxy answers a SYN on any TCP port of the
VIP, so a SYN scan of the VIP reports every port as open even though only the configured virtual
ports can be served.
Use the following command to validate incoming traffic against the configured virtual ports.
ServerIronADX(config)# server syn-cookie-check-vport
Syntax: [no] server syn-cookie-check-vport
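The following is an added illustrative model, not Brocade code from this guide. It models the two SYN-proxy decisions described above: whether a SYN to a VIP gets a SYN-ACK at all (the syn-cookie-check-vport behaviour) and whether a returning ACK is still accepted (the ACK validate time). Assumptions: cookie age is tracked in coarse 32-second slices and an ACK is accepted when its cookie belongs to the current or the previous slice, which is one way to obtain the behaviour the guide describes (an ACK may still be accepted between 33 and 64 seconds, never after 64); the config syntax that parse_config accepts is an approximation of ServerIron CLI output; all names, addresses, the HMAC secret and the sample configuration are constructed for the example.

```python
"""Model of the SYN-proxy decisions described in the guide (added example,
not Brocade code). Assumption: cookie age is measured in slices of
ACK_VALIDATE_SECONDS and the current plus previous slice are accepted."""
import hashlib
import hmac
import re

ACK_VALIDATE_SECONDS = 32   # default ACK validate time named in the guide

# Constructed configuration excerpt (approximation of ServerIron CLI syntax).
SAMPLE_CONFIG = """\
server virtual-name-or-ip web1 10.1.1.10
 port http
 port ssl
server virtual-name-or-ip app1 10.1.1.11
 port 8080
server syn-cookie-check-vport
"""

NAMED_PORTS = {"http": 80, "ssl": 443, "ftp": 21, "dns": 53, "telnet": 23}

_VIP_RE = re.compile(r"^server virtual(?:-name-or-ip)? \S+ (\d+\.\d+\.\d+\.\d+)$")
_PORT_RE = re.compile(r"^port (\S+)$")


def parse_config(text):
    """Return ({vip: set(ports)}, vport_check_enabled) from a config excerpt."""
    vips, current, vport_check = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _VIP_RE.match(line)):
            current = m.group(1)
            vips.setdefault(current, set())
        elif (m := _PORT_RE.match(line)) and current is not None:
            name = m.group(1)
            vips[current].add(int(name) if name.isdigit() else NAMED_PORTS[name])
        elif line == "server syn-cookie-check-vport":
            vport_check = True
        elif line == "no server syn-cookie-check-vport":
            vport_check = False
    return vips, vport_check


class SynProxy:
    def __init__(self, vips, vport_check, secret=b"constructed-secret"):
        self.vips, self.vport_check, self.secret = vips, vport_check, secret

    def _slice(self, now):
        return int(now) // ACK_VALIDATE_SECONDS

    def _cookie(self, client, vip, port, slice_no):
        # Keyed digest over the 4-tuple and the time slice; 32 bits like an ISN.
        msg = f"{client}|{vip}|{port}|{slice_no}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def on_syn(self, client, vip, port, now):
        """Return the cookie sent in the SYN-ACK, or None if the SYN is dropped.
        With the vport check on, only configured VIP/port pairs are answered;
        with it off, any port on a known VIP gets a SYN-ACK."""
        if vip not in self.vips:
            return None
        if self.vport_check and port not in self.vips[vip]:
            return None
        return self._cookie(client, vip, port, self._slice(now))

    def on_ack(self, client, vip, port, cookie, now):
        """Accept the ACK only if its cookie was minted in the current or the
        previous slice; an older (or forged) cookie is dropped."""
        cur = self._slice(now)
        return any(
            hmac.compare_digest(cookie, self._cookie(client, vip, port, s))
            for s in (cur, cur - 1)
        )


def scan(proxy, client, vip, ports, now=0):
    """Ports a SYN scanner would report as open (they were answered with SYN-ACK)."""
    return sorted(p for p in ports if proxy.on_syn(client, vip, p, now) is not None)


if __name__ == "__main__":
    vips, check = parse_config(SAMPLE_CONFIG)
    strict, loose = SynProxy(vips, check), SynProxy(vips, False)
    print("vport check on :", scan(strict, "192.0.2.1", "10.1.1.10", range(1, 1025)))
    print("vport check off:", len(scan(loose, "192.0.2.1", "10.1.1.10", range(1, 1025))), "ports open")
    c = strict.on_syn("192.0.2.1", "10.1.1.10", 80, now=992)
    for age in (10, 33, 63, 64):
        print(f"ACK after {age:2d}s:", strict.on_ack("192.0.2.1", "10.1.1.10", 80, c, 992 + age))
```

The scan comparison shows why the vport check matters: with it off every port on the VIP is reported open, which both misleads an assessment and lets the proxy complete handshakes that no virtual port can serve. The timing loop shows the window the guide describes: a cookie minted at the start of a slice is still accepted at 63 seconds but not at 64, while one minted at the end of a slice is already rejected at 33 seconds, so acceptance between 33 and 64 seconds is possible but not guaranteed.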
Syn-def

Introduction

Use SYN-def (also known as SYN-Defense) to protect the hosts behind the ServerIron (not the
ServerIron itself): the ServerIron completes the TCP three-way handshake on behalf of a
connecting client. SYN-def does not provide SYN-cookie functionality.
NOTE
SYN-Defense is recommended only where Direct Server Return (DSR) is used. DSR is not
supported with SYN-proxy but is supported with SYN-def. For non-DSR scenarios, use SYN-proxy only.

show server traffic

Use the show server traffic command to display the number of times the incomplete-connection
threshold was reached.