Re: OT: CBAC dropping every 5th connection

From: v.shekhar@yahoo.com
Date: Sat Jan 19 2008 - 11:43:47 ARST


How do you know that every 5th or 6th connection attempt is dropped? Is this 5th or 6th connection from the perspective of a user?

You said that there are around 1000 users and I can see that the Max Incomplete high is 5000, which means that theoretically each user can have 5 embryonic TCP connections before the firewall goes to an aggressive mode and starts dropping TCP connections.
How about increasing it to a higher number and seeing?
I hope you are looking at the syslog/console debug messages.

Thanks,
-sHekHar.
CCIE#17589/CISSP/RHCE.

----- Original Message ----
From: Eric Phillips <eric@phillips.tc>
To: "ccielab@groupstudy.com" <ccielab@groupstudy.com>
Sent: Friday, January 18, 2008 9:22:30 PM
Subject: OT: CBAC dropping every 5th connection

Hey all,

I am having an issue where when CBAC is enabled on the router every fifth or sixth connection attempt is dropped. This manifests itself in users complaining that some websites work, and some don't, then they refresh the page and it works. I'm guessing the issue is there is a limit on the number of active connections, but I have looked through the following DocCD page quite a few times and I am not seeing any limits other than the hash table, which I have tried increasing to 4096.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001176

We have about 1,000 users running through this firewall, so it is a good bit of traffic. Has anyone seen this happen before or have any suggestions on how I could troubleshoot this further? (Now I know I will be going after my Security CCIE right after my R/S.)

Here is a clip of the config:

ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4800
ip inspect one-minute high 5000
ip inspect one-minute low 4800
ip inspect udp idle-time 60
ip inspect hashtable-size 4096
ip inspect tcp idle-time 43200
ip inspect tcp synwait-time 60
ip inspect name CBAC ftp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC h323callsigalt
ip inspect name CBAC icmp
ip inspect name CBAC h323
ip inspect name CBAC pptp

interface FastEthernet0/0
 description Outside
 ip address 19.1.1.254 255.255.255.0
 ip access-group ACLin in
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map crypto_outside
 service-policy output pmap_Merit_Out

interface FastEthernet0/1.1
 description Inside
 encapsulation dot1Q 1 native
 ip address 10.201.3.254 255.255.0.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ntp broadcast

If I remove the CBAC and use reflexive access lists everything works like a charm, but then users cannot use FTP across the firewall. Additionally, I am not getting any errors when I look at the "ip inspect audit-trail" output.

I don't usually use this board for troubleshooting assistance, and this will hopefully be the last time I do, but Cisco TAC was not able to help, so I am pretty stumped. I would be extremely thankful if anyone could give any sort of assistance.

Thanks,

Eric
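The behaviour of the `ip inspect max-incomplete high/low` watermarks that Shekhar describes, applied to the values in Eric's config, is easier to reason about with a small model. The Python below is an added example and is not code from either poster or from Cisco. Its deletion rule is a simplifying assumption (once the half-open count rises above the high watermark, the oldest half-open sessions are deleted until the count is back at the low watermark, then the new one is admitted), the `one-minute high/low` rate thresholds are not modelled, the `tcp synwait-time` timeout is modelled only as a plain expiry, and the traffic (1,000 users each opening six TCP connections at the same instant, every handshake completing one second later) is constructed for the demonstration.

```python
"""Simplified model of CBAC 'ip inspect max-incomplete high/low' watermarks.

Assumption, not IOS source code: every TCP SYN creates a half-open session.
When the half-open count rises above the high watermark, the OLDEST half-open
sessions are deleted until the count is back at the low watermark, and the new
session is admitted.  A session whose SYN entry was deleted cannot complete its
handshake, which is what an end user sees as a page that fails to load until
refreshed.  The one-minute rate thresholds are not modelled.
"""
from collections import OrderedDict


class MaxIncompleteModel:
    def __init__(self, high, low, synwait=60.0):
        if low >= high:
            raise ValueError("low watermark must be below high watermark")
        self.high, self.low, self.synwait = high, low, synwait
        self.half_open = OrderedDict()   # session id -> SYN time, oldest first
        self.deleted = set()             # sessions removed to make room for new ones
        self.established = set()

    def _expire_stale(self, now):
        """Half-open sessions older than synwait-time simply time out."""
        stale = [sid for sid, t0 in self.half_open.items() if now - t0 >= self.synwait]
        for sid in stale:
            del self.half_open[sid]

    def syn(self, sid, now):
        """Record a new SYN; returns how many half-open sessions were deleted."""
        self._expire_stale(now)
        self.half_open[sid] = now
        removed = 0
        if len(self.half_open) > self.high:          # crossed the high watermark
            while len(self.half_open) > self.low:    # shed down to the low watermark
                victim, _ = self.half_open.popitem(last=False)   # oldest first
                self.deleted.add(victim)
                removed += 1
        return removed

    def complete(self, sid, now):
        """Final ACK of the handshake; True only if the firewall still has the session."""
        self._expire_stale(now)
        if sid in self.half_open:
            del self.half_open[sid]
            self.established.add(sid)
            return True
        return False


def simulate_page_load(high, low, users=1000, conns_per_user=6, latency=1.0):
    """Constructed traffic: every user opens conns_per_user connections at t=0
    (one page load each) and every handshake would complete `latency` s later."""
    fw = MaxIncompleteModel(high, low)
    sids = [f"user{u}-conn{c}" for u in range(users) for c in range(conns_per_user)]
    for sid in sids:
        fw.syn(sid, now=0.0)
    failed = [sid for sid in sids if not fw.complete(sid, now=latency)]
    return {"attempted": len(sids), "failed": len(failed),
            "still_half_open": len(fw.half_open)}


if __name__ == "__main__":
    # Values from the posted config, then the same burst with both watermarks doubled.
    print("max-incomplete 5000/4800:", simulate_page_load(5000, 4800))
    print("max-incomplete 10000/9800:", simulate_page_load(10000, 9800))
```

With the posted watermarks the constructed burst drives the half-open count over 5000 five times, and each crossing sheds 201 of the oldest half-open sessions, so 1,005 of the 6,000 handshakes fail while the same burst against doubled watermarks loses none. The model says nothing about whether that is what Eric's router is doing; the way to check is to compare the router's own half-open counters (`show ip inspect statistics`, and the syslog messages Shekhar mentions) against the configured thresholds at the moment users report failures.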



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:00 ARST