Re: OT: CBAC dropping every 5th connection

From: Christian Zeng (christian@zengl.net)
Date: Sat Jan 19 2008 - 09:55:01 ARST


Hi,

* Eric Phillips wrote:
> I am having an issue where when CBAC is enabled on the router every fifth
> or sixth connection attempt is dropped. This manifests itself in users
> complaining that some websites work, and some don't, then they refresh the
> page and it works. I'm guessing the issue is there is a limit on the number
> of active connections, but I have looked through the following DocCD page
> quite a few times and I am not seeing any limits other than the hash
> table, of which I have tried increasing to 4096.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001176

You didn't specify the IOS you are using and how you exactly see the
connections drop on the router. The config you posted doesn't have the
CBAC inspect rule applied to one of the interfaces (paste problem?).

The pattern you describe could fit a problem CBAC had in pre-12.4
releases with tcp window scaling, although this is for a single tcp
session only, not for every n-th, non-tcp flow. The result is that you
would see packets dropped for a tcp connection that is permitted by the
ACL/CBAC configuration, when the connection scales the window beyond the
limits CBAC wants. Result is poor performance for tcp sessions. See
CSCef65365 for details.

There could also be other issues (pmtud/mss problems or the policy map
you have applied); I guess you would get a better picture when looking
at other parameters like cpu load, memory consumption and turning on
debug ip inspect (tcp) during a not so busy hour.

Christian
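A minimal CBAC configuration with the inspect rule actually bound to an interface, together with the session thresholds and the checks suggested in the reply, as an added example that is not part of the original thread (interface names, the ACL name and the rule name CBAC are assumptions; syntax as used on the 12.4 train):

```cisco
! Added example, not from the original thread. Interface names, the ACL
! name OUTSIDE_IN and the rule name CBAC are assumptions.
!
! 1. Inspection rule: which protocols to track statefully.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! 2. Session hash table (the knob the original poster raised to 4096).
ip inspect hashtable-size 4096
!
! 3. Half-open (incomplete) session thresholds. When the high-water mark
!    is crossed CBAC starts deleting half-open sessions until the
!    low-water mark is reached, which shows up as "random" failed
!    connections. Defaults are 500 high / 400 low; shown here explicitly
!    so they appear in "show ip inspect config".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! 4. Return traffic is blocked on the outside interface by an ACL;
!    CBAC adds temporary entries for sessions initiated from inside.
ip access-list extended OUTSIDE_IN
 deny ip any any
!
! 5. The step missing from the posted config: bind the rule to an
!    interface. Inspect outbound on the outside interface ...
interface FastEthernet0/0
 description OUTSIDE
 ip access-group OUTSIDE_IN in
 ip inspect CBAC out
!
! ... or inbound on the inside interface (one direction, not both).
! interface FastEthernet0/1
!  description INSIDE
!  ip inspect CBAC in
!
! 6. Diagnostics to run during a quiet hour, from exec mode:
!    show ip inspect config          ! rule present and bound to an interface?
!    show ip inspect sessions        ! is a session created for a failing flow?
!    show ip inspect statistics      ! current vs. max-incomplete counts
!    show processes cpu | include IP Input
!    show memory summary | include Processor
!    debug ip inspect tcp            ! watch one failing client, then:
!    undebug all
```

If the counters in "show ip inspect statistics" sit near the half-open thresholds, or the hash table shows heavy collisions, the thresholds and table size are the first things to revisit before suspecting an IOS bug.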



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:00 ARST