Slow web connections with ip inspect (CBAC) turned on

Unanswered Question
Jul 8th, 2009

Hey guys,

I have seen this a couple of times on two different routers. One is a 3745 and another a 1811 running 12.4(15)T4 and 12.4(6)T11, respectively.

When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.

Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.

Has anyone ever seen this before? Any ideas? Thanks!

rudenko.alexander Thu, 07/09/2009 - 06:50


What's your CPU usage when you enable ip inspect or ZFW?

Have you used application inspection for HTTP traffic, in terms of ZFW?

graham.fleming Thu, 07/09/2009 - 07:30

Thanks for the reply.

CPU usage and memory are all fine with or without firewall turned on.

We have tried with just basic TCP and UDP inspection or with the entire gamut of application protocol inspections including HTTP and HTTPS and we still get these intermittent, strange slowdowns.

It doesn't seem to be related to bandwidth (WAN saturation) or to connection totals (i.e. the slowdowns happen with 100 current sessions or 400 current sessions).

Alex Yeung Thu, 07/09/2009 - 08:18


Few things to check here.

1. which IOS release are you using?

2. do you see out-of-order packet drops in log messages?

3. try using the "ip virtual-reassembly" interface command on both sides of the FW

4. did you change any of the IOS FW DoS protection settings?

5. for CBAC, use "sh ip inspect sessions" to see how many sessions are currently being tracked by IOSFW

6. use "sh ip inspect config" to look at the max-incomplete sessions setting

7. in CBAC, when using "ip inspect http", by default IOSFW will inspect java applets, which is quite CPU intensive. To resolve this, use a java-list option at the end of the "ip inspect http" to bypass java applet inspection

Alex Yeung

graham.fleming Thu, 07/09/2009 - 08:28

1. See original post

2. I don't see any of these messages

3. ip virtual-reassembly is already enabled on both interfaces

4. Initially none of the DoS settings were changed, but I have tweaked them in an effort to see if it helps.

5. As mentioned in a previous post, the slowdowns seem to be unrelated to how many active sessions there are or bandwidth usage.

6. Max-incomplete per host is set at 50

7. CPU usage never goes above 80% so I am not concerned about this.

Thanks for your reply and assistance!

goulin Mon, 08/16/2010 - 05:24


I seem to be experiencing the same thing.  Did you ever find a resolution?



graham.fleming Mon, 08/16/2010 - 11:42

I'm pretty sure we fixed it with an IOS update. What version are you running, and what device?

Kureli Sankar Mon, 08/16/2010 - 11:47

With CBAC just use the 4 basic inspections and remove the rest. Look for ip inspection lines in the config.





If you'd like to go with ZBF (zone based firewall) then pls. upgrade the code to 15.1.2M code.


goulin Mon, 08/16/2010 - 15:58

Hi Guys,

Thanks for the prompt response.  In answer to your questions:

Graham - using 1841 with 12.4(9)T1 - I'd like to go to a newer IOS but the router only has 128MB RAM, so that's the max I can go.  Can you advise what IOS level you upgraded to resolve the issue?  We are going to buy some RAM for the router, and I was thinking of going either the latest (12.4(24)T3) or the latest (12.4(15)T) stream.

Also, to both... I have the following inspection enabled and applied:

ip inspect log drop-pkt
ip inspect tcp finwait-time 30
ip inspect tcp max-incomplete host 100 block-time 10
ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp
ip inspect name CBAC-inspect http
ip inspect name CBAC-inspect https
ip inspect name CBAC-inspect dns
ip inspect name CBAC-inspect icmp
ip inspect name CBAC-inspect l2tp
ip inspect name CBAC-inspect pptp
ip inspect name CBAC-inspect ipsec-msft
ip inspect name CBAC-inspect tftp
ip inspect name CBAC-inspect ssh
ip inspect name CBAC-inspect sip
ip inspect name CBAC-inspect ntp
ip inspect name CBAC-inspect smtp

I can't see any performance issues on the router (CPU not even above 10%).  The only thing I am thinking of is maybe it is double handling the traffic (i.e. does it do inspection using the http and tcp rule at the same time for web traffic and is this process switched?)

This is applied outbound on my external interface.

I am not using ZBF, nor do I intend to, and I'd prefer to stay the 12.4T stream (need the T stream as opposed to 12.4 because we have a HWIC in there).



graham.fleming Mon, 08/16/2010 - 16:34

As an experiment you could try disabling the inspection of http and https traffic (tcp will take care of it). And to answer your question, it's a top-down approach. So http traffic will get inspected and will not reach the tcp statement.

As far as IOS, we went to the latest 12.4(15)T release.

goulin Mon, 08/16/2010 - 17:10

Thanks Graham.  Just to clarify your setup, when you upgraded to 12.4(15)T and resolved the issue, did you still have the ip inspect for the Layer 7 protocols (i.e. http and https), or had you removed these and just left the tcp/udp inspection?

Kureli Sankar Mon, 08/16/2010 - 19:15

Pls. leave just these inspections and remove the rest.

ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp

Let us know if you still see latency. Watch the logs if you do and paste the output here if you still see the problem.


graham.fleming Mon, 08/16/2010 - 23:30

Sorry my memory isn't serving me well enough to answer you (we have long since switched to using zone-based firewall). However, I think disabling the inspection of http/https traffic solved the issue for us.

goulin Tue, 08/17/2010 - 20:41

Hi Graham,

Thanks for your help!  I will remove the http and https inspection and see how I go.

Just a question re your ZBF configuration.  Are you able to inspect http and https without any performance degradation?  If so, I might decide to ditch CBAC and move towards ZBF.



goulin Sat, 09/18/2010 - 03:33

FYI - if anyone stumbles across this.  I managed to resolve the issue with both http and https inspection still enabled by upgrading the IOS to a higher revision (12.4(24)T4).

Kureli Sankar Sat, 09/18/2010 - 06:31

You probably ran into the issues with both http and https due to this defect CSCsv78844.

You can go to the above link, log in with your CCO ID and then key in these defect IDs: CSCsv78844 and CSCsr57417.

OOO (Out Of Order) packet support was implemented starting at 15.0(01)M which has the fix.

In some cases the problem was NOT observed on 12.4(24)T2 but was observed in 12.4(24)T3. I am glad 12.4(24)T4 resolved the issue for you.

Upgrading to 15.1.2M or the latest will resolve the issue but, I believe 15.x requires memory upgrade.
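Added example (not posted by anyone in this thread): a small Python checker that parses an IOS "ip inspect name" rule set, skips commented-out lines, and reports which inspections fall outside the minimal tcp/udp/ftp set recommended above, flagging the http/https inspections the thread links to the slowdowns. The sample config is constructed from the rules posted earlier in the thread.

```python
"""Audit a Cisco IOS CBAC 'ip inspect name' rule set (added example, not from the thread)."""
import re

# Constructed sample, based on the CBAC-inspect rules posted above (shortened).
SAMPLE_CONFIG = """\
ip inspect log drop-pkt
ip inspect tcp max-incomplete host 100 block-time 10
ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp
ip inspect name CBAC-inspect http
ip inspect name CBAC-inspect https
ip inspect name CBAC-inspect dns
!ip inspect name CBAC-inspect pop3
"""

# Minimal rule set the thread recommends keeping.
RECOMMENDED = ("tcp", "udp", "ftp")
# Application-layer inspections the thread associates with intermittent HTTP slowdowns on 12.4T.
SUSPECT_L7 = {"http", "https"}
# Keywords that follow the inspect name but are not protocols (e.g. "fragment maximum 2").
NOT_PROTOCOLS = {"fragment"}

RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)(?:\s.*)?$")


def parse_inspect_rules(config: str) -> dict:
    """Return {inspect-name: [protocol, ...]} in config order; lines starting with '!' are ignored."""
    rules: dict = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):  # commented-out rule, not active on the router
            continue
        m = RULE_RE.match(line)
        if m and m.group(2) not in NOT_PROTOCOLS:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return rules


def audit(config: str) -> dict:
    """Per inspect name: suspect L7 inspections, extras beyond RECOMMENDED, and missing basics."""
    report = {}
    for name, protos in parse_inspect_rules(config).items():
        report[name] = {
            "suspect_l7": [p for p in protos if p in SUSPECT_L7],
            "extra": [p for p in protos if p not in RECOMMENDED],
            "missing": [p for p in RECOMMENDED if p not in protos],
        }
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings)
```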


My router, a C837 Software (C837-K9O3Y6-M), Version 12.4(4)T4, RELEASE SOFTWARE (fc2), showed the same issue. I suspect the problem appeared when I enabled VPN since the inspect settings have been the same for years. Anyway, disabling inspect of http and https and relying on gave an almost 100x bandwidth improvement!

Thanks for the help. My inspect settings are currently:-

ip inspect max-incomplete low 20
ip inspect one-minute low 20
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
no ip inspect name INTERNET-OUT
ip inspect name INTERNET-OUT cddbp alert on audit-trail on
ip inspect name INTERNET-OUT dns alert   on audit-trail off
ip inspect name INTERNET-OUT ftp alert   on audit-trail off
!ip inspect name INTERNET-OUT http alert  on audit-trail off
!ip inspect name INTERNET-OUT https alert on audit-trail off
ip inspect name INTERNET-OUT imaps alert on audit-trail off
ip inspect name INTERNET-OUT nntp alert  on audit-trail off
ip inspect name INTERNET-OUT ntp alert   on audit-trail off
!ip inspect name INTERNET-OUT pop3 alert  on audit-trail off
ip inspect name INTERNET-OUT smtp alert  on audit-trail on
ip inspect name INTERNET-OUT ssh alert   on audit-trail off
ip inspect name INTERNET-OUT udp alert   on audit-trail on
ip inspect name INTERNET-OUT tcp alert   on audit-trail on
ip inspect name INTERNET-OUT fragment maximum 2 timeout 1

Regards Fergus.

thiru.vel10 Wed, 09/28/2011 - 05:22

Hi All,

I have a similar problem, was working fine suddenly web access started.

Router Model : Cisco 2821

IOS: c2800nm-advipservicesk9-mz.124-15.T9.bin ( Running EIGRP and Crypto VPN tunnel)

I have configured inspect only for UDP, TCP and HTTP but no luck.  Shall go for IOS upgrade.

I have 256 MB RAM and 64 MB flash so unable to go to 12.4(24)T


