From: Paul Cosgrove (paul.cosgrove@heanet.ie)
Date: Sat Jan 19 2008 - 09:56:53 ARST
You have quite a few features on there; is CPU ok? Were all the other
features switched on before you enabled CBAC (NAT, QoS, Fragment
Reassembly, Encryption)? Wondering if encryption is causing
fragmentation, and perhaps that could be increasing load on the
fragmentation reassembly process if the other router/firewall is doing
the same.
Paul.
Paul Cosgrove wrote:
> Hi Eric,
>
> I see that the TCP idle time is set to 12 hours. Would expect you can
> lower that without problems (default is one hour, but try 4). If you
> need 12 hours, e.g. because of a particular software application, then
> perhaps you could combine reflexive ACLs and CBAC, rather than relying
> on CBAC alone for all traffic types.
>
> Would you get much fragmented traffic?
>
> Paul.
>
> Eric Phillips wrote:
>> Hey all,
>>
>> I am having an issue where when CBAC is enabled on the router every
>> fifth or sixth connection attempt is dropped. This manifests itself in
>> users complaining that some websites work, and some don't, then they
>> refresh the page and it works. I'm guessing the issue is there is a
>> limit on the number of active connections, but I have looked through
>> the following DocCD page quite a few times and I am not seeing any
>> limits other than the hash table, of which I have tried increasing to
>> 4096.
>> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001176
>>
>> We have about 1,000 users running through this firewall, so it is a
>> good bit of traffic. Has anyone seen this happen before or have any
>> suggestions on how I could troubleshoot this further? (Now I know I
>> will be going after my Security CCIE right after my R/S.)
>>
>> Here is a clip of the config:
>>
>> ip inspect max-incomplete high 5000
>> ip inspect max-incomplete low 4800
>> ip inspect one-minute high 5000
>> ip inspect one-minute low 4800
>> ip inspect udp idle-time 60
>> ip inspect hashtable-size 4096
>> ip inspect tcp idle-time 43200
>> ip inspect tcp synwait-time 60
>> ip inspect name CBAC ftp
>> ip inspect name CBAC tcp
>> ip inspect name CBAC udp
>> ip inspect name CBAC h323callsigalt
>> ip inspect name CBAC icmp
>> ip inspect name CBAC h323
>> ip inspect name CBAC pptp
>>
>> interface FastEthernet0/0
>> description Outside
>> ip address 19.1.1.254 255.255.255.0
>> ip access-group ACLin in
>> ip nbar protocol-discovery
>> ip nat outside
>> ip virtual-reassembly
>> ip route-cache flow
>> duplex auto
>> speed auto
>> crypto map crypto_outside
>> service-policy output pmap_Merit_Out
>>
>> interface FastEthernet0/1.1
>> description Inside
>> encapsulation dot1Q 1 native
>> ip address 10.201.3.254 255.255.0.0
>> ip nbar protocol-discovery
>> ip nat inside
>> ip virtual-reassembly
>> ntp broadcast
>>
>> If I remove the CBAC and use reflexive access lists everything works
>> like a charm, but then users can not use FTP across the firewall.
>> Additionally, I am not getting any errors when I look at the
>> "ip inspect audit-trail" output.
>>
>> I don't usually use this board for troubleshooting assistance, and
>> this will hopefully be the last time I do, but Cisco TAC was not able
>> to help, so I am pretty stumped. I would be extremely thankful if
>> anyone could give any sort of assistance.
>>
>> Thanks,
>>
>> Eric
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
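As an added illustration of the advice in this thread (not code from either poster), the script below parses the global "ip inspect" settings Eric quoted, compares each one with the IOS CBAC default, checks the high/low threshold pairs for sanity, and estimates how many finished-but-unexpired sessions the state table must hold for a given TCP idle time. The 1,000-user figure comes from the thread; the 20 connections per user per hour is a constructed assumption.

```python
"""Lint CBAC 'ip inspect' global settings and estimate idle-session load."""
import re

# IOS CBAC defaults (seconds or counts), as documented by Cisco.
DEFAULTS = {
    "tcp idle-time": 3600,
    "udp idle-time": 30,
    "tcp synwait-time": 30,
    "max-incomplete high": 500,
    "max-incomplete low": 400,
    "one-minute high": 500,
    "one-minute low": 400,
    "hashtable-size": 1024,
}

# Constructed copy of the global settings quoted in the thread.
CONFIG = """\
ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4800
ip inspect one-minute high 5000
ip inspect one-minute low 4800
ip inspect udp idle-time 60
ip inspect hashtable-size 4096
ip inspect tcp idle-time 43200
ip inspect tcp synwait-time 60
"""

LINE_RE = re.compile(r"^ip inspect (?P<key>[a-z-]+(?: [a-z-]+)?) (?P<val>\d+)$")

def parse_inspect(config):
    """Return {setting: value} for global 'ip inspect <setting> <n>' lines."""
    settings = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("key") in DEFAULTS:
            settings[m.group("key")] = int(m.group("val"))
    return settings

def lint(settings):
    """List settings that differ from the default and low/high pairs that conflict."""
    findings = []
    for key, default in DEFAULTS.items():
        val = settings.get(key, default)
        if val != default:
            findings.append(f"{key}={val} (default {default})")
    for hi, lo in (("max-incomplete high", "max-incomplete low"),
                   ("one-minute high", "one-minute low")):
        if settings.get(lo, DEFAULTS[lo]) >= settings.get(hi, DEFAULTS[hi]):
            findings.append(f"{lo} must be below {hi}")
    return findings

def idle_session_load(users, conns_per_user_hour, idle_time_s):
    """Sessions still tracked after their last packet: each one lives idle_time_s."""
    return int(users * conns_per_user_hour * idle_time_s / 3600)
```

With the thread's 12-hour idle time the estimate is 240,000 lingering entries versus 20,000 at the one-hour default, which is why lowering "ip inspect tcp idle-time" is the first thing to try.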
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:00 ARST