From: Steve (steve.ccie@googlemail.com)
Date: Sat Jan 19 2008 - 14:19:58 ARST
Hi Eric,
I don't see you have applied the CBAC config to any of the interfaces (?). Therefore, given your config below, there is no CBAC running. You need to add the command "ip inspect CBAC [in|out]" to one of the interfaces - which interface depends on several factors based on the traffic flow.
This gets a little tricky so instead of me leading you up the path incorrectly, check out the config guide for the IOS and the various examples on CCO.
HTH,
Steve
On 18 Jan 2008, at 15:52, Eric Phillips wrote:
> Hey all,
>
> I am having an issue where when CBAC is enabled on the router every fifth or sixth connection attempt is dropped. This manifests itself in users complaining that some websites work, and some don't, then they refresh the page and it works. I'm guessing the issue is there is a limit on the number of active connections, but I have looked through the following DocCD page quite a few times and I am not seeing any limits other than the hash table, of which I have tried increasing to 4096.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001176
>
> We have about 1,000 users running through this firewall, so it is a good bit of traffic. Has anyone seen this happen before or have any suggestions on how I could troubleshoot this further? (Now I know I will be going after my Security CCIE right after my R/S.)
>
> Here is a clip of the config:
>
> ip inspect max-incomplete high 5000
> ip inspect max-incomplete low 4800
> ip inspect one-minute high 5000
> ip inspect one-minute low 4800
> ip inspect udp idle-time 60
> ip inspect hashtable-size 4096
> ip inspect tcp idle-time 43200
> ip inspect tcp synwait-time 60
> ip inspect name CBAC ftp
> ip inspect name CBAC tcp
> ip inspect name CBAC udp
> ip inspect name CBAC h323callsigalt
> ip inspect name CBAC icmp
> ip inspect name CBAC h323
> ip inspect name CBAC pptp
>
> interface FastEthernet0/0
> description Outside
> ip address 19.1.1.254 255.255.255.0
> ip access-group ACLin in
> ip nbar protocol-discovery
> ip nat outside
> ip virtual-reassembly
> ip route-cache flow
> duplex auto
> speed auto
> crypto map crypto_outside
> service-policy output pmap_Merit_Out
>
> interface FastEthernet0/1.1
> description Inside
> encapsulation dot1Q 1 native
> ip address 10.201.3.254 255.255.0.0
> ip nbar protocol-discovery
> ip nat inside
> ip virtual-reassembly
> ntp broadcast
>
> If I remove the CBAC and use reflexive access lists everything works like a charm, but then users cannot use FTP across the firewall. Additionally, I am not getting any errors when I look at the "ip inspect audit-trail" output.
>
> I don't usually use this board for troubleshooting assistance, and this will hopefully be the last time I do, but Cisco TAC was not able to help, so I am pretty stumped. I would be extremely thankful if anyone could give any sort of assistance.
>
> Thanks,
>
> Eric
>
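A small checker for the point Steve makes, added here as an example (it is not code from the thread, from Cisco, or from the mailing list): it parses an IOS config clip for `ip inspect name <rule> <protocol>` rule sets and for `ip inspect <rule> in|out` lines under interfaces, and flags a rule set that is defined but never applied to any interface, which is the condition under which no inspection is actually running. The sample input is a constructed copy of the clip Eric posted (without the mail quote marks, which the parser also tolerates). The second variant applies the rule set inbound on the inside interface; that placement is an assumption for illustration only, since, as Steve says, the right interface and direction depend on the traffic flow.

```python
"""Audit an IOS config clip for CBAC (ip inspect) rule sets that are defined
but never applied to an interface.  Added example, not from the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the clip posted in the thread.  Interface
# sub-commands are unindented, exactly as they appeared in the mail.
POSTED_CONFIG = """\
ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4800
ip inspect one-minute high 5000
ip inspect one-minute low 4800
ip inspect hashtable-size 4096
ip inspect name CBAC ftp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

interface FastEthernet0/0
description Outside
ip address 19.1.1.254 255.255.255.0
ip access-group ACLin in
ip nat outside

interface FastEthernet0/1.1
description Inside
encapsulation dot1Q 1 native
ip address 10.201.3.254 255.255.0.0
ip nat inside
"""

# Same clip with the rule set applied.  The interface and direction here are
# an ASSUMED placement for illustration; the correct one depends on traffic flow.
APPLIED_CONFIG = POSTED_CONFIG.replace(
    "ip nat inside\n", "ip nat inside\nip inspect CBAC in\n")

RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)")
APPLY_RE = re.compile(r"^ip inspect (\S+) (in|out)$")
GLOBAL_RE = re.compile(r"^ip inspect (max-incomplete|one-minute) (high|low) (\d+)$")


@dataclass
class InspectAudit:
    rules: dict = field(default_factory=dict)     # rule name -> set of protocols
    applied: dict = field(default_factory=dict)   # rule name -> [(interface, direction)]
    globals_: dict = field(default_factory=dict)  # "one-minute high" -> 5000, etc.

    def unapplied(self):
        """Rule sets defined globally but referenced on no interface."""
        return sorted(name for name in self.rules if name not in self.applied)


def audit_cbac(config: str) -> InspectAudit:
    """Walk the clip line by line; an interface block runs until a blank line,
    a '!' line, or the next 'interface' line (indentation is not relied on,
    because mail clients strip it)."""
    out = InspectAudit()
    iface = None
    for raw in config.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop any mail quote marks
        if not line or line == "!":
            iface = None
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if iface is None:  # global configuration context
            m = RULE_RE.match(line)
            if m:
                out.rules.setdefault(m.group(1), set()).add(m.group(2))
                continue
            m = GLOBAL_RE.match(line)
            if m:
                out.globals_[f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
            continue
        m = APPLY_RE.match(line)  # interface context: 'ip inspect <rule> in|out'
        if m:
            out.applied.setdefault(m.group(1), []).append((iface, m.group(2)))
    return out


def findings(config: str) -> list:
    """Human-readable findings for the clip."""
    audit = audit_cbac(config)
    msgs = []
    for name in audit.unapplied():
        protos = ", ".join(sorted(audit.rules[name]))
        msgs.append(f"rule set '{name}' ({protos}) is defined but applied to no "
                    f"interface: no inspection is running")
    for name, places in audit.applied.items():
        if name not in audit.rules:
            msgs.append(f"interface references undefined rule set '{name}'")
        for iface, direction in places:
            msgs.append(f"rule set '{name}' applied {direction} on {iface}")
    return msgs


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("applied", APPLIED_CONFIG)):
        print(f"== {label} ==")
        for msg in findings(cfg):
            print(" -", msg)
```

Run against the posted clip the checker reports the `CBAC` rule set as defined but unapplied; against the variant it reports where and in which direction it is applied, which is the first thing to confirm before looking at the half-open thresholds or hash table size.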
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:00 ARST