Slow web connections with ip inspect (CBAC) turned on

graham.fleming
Level 1

Hey guys,

I have seen this a couple of times on two different routers. One is a 3745 and another a 1811 running 12.4(15)T4 and 12.4(6)T11, respectively.

When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.

Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.

Has anyone ever seen this before? Any ideas? Thanks!

19 Replies

Hi

What's your CPU usage when you enable ip inspect or ZFW?

Have you used application inspection for HTTP traffic, in terms of ZFW?

Thanks for the reply.

CPU usage and memory are all fine with or without firewall turned on.

We have tried with just basic TCP and UDP inspection or with the entire gamut of application protocol inspections including HTTP and HTTPS and we still get these intermittent, strange slowdowns.

It doesn't seem to be related to bandwidth (WAN saturation) or to connection totals (i.e. the slowdowns happen with 100 current sessions or 400 current sessions).

Hi,

Few things to check here.

1. which IOS release are you using?

2. do you see out-of-order packet drops in log messages?

3. try using the "ip virtual-reassembly" interface command on both sides of the FW

4. did you change any of the IOS FW DoS protection settings?

5. for CBAC, use "sh ip inspect sessions" to see how many sessions are being currently tracked by IOSFW?

6. use "sh ip inspect config" to look at the max-incomplete sessions setting

7. in CBAC, when using "ip inspect http", by default IOSFW will inspect java applets, which is quite CPU-intensive. To resolve this, use the java-list option at the end of "ip inspect http" to bypass java applet inspection

Alex Yeung

1. See original post

2. I don't see any of these messages

3. ip virtual-reassembly is already enabled on both interfaces

4. Initially none of the DoS settings were changed, but I have tweaked them in an effort to see if it helps.

5. As mentioned in a previous post, the slowdowns seem to be unrelated to how many active sessions there are or to bandwidth usage.

6. Max-incomplete per host is set at 50

7. CPU usage never goes above 80% so I am not concerned about this.

Thanks for your reply and assistance!

Hi,

I seem to be experiencing the same thing.  Did you ever find a resolution?

Thanks,

goulin

I'm pretty sure we fixed it with an IOS update. What version are you running, and what device?

With CBAC just use the 4 basic inspections and remove the rest. Look for ip inspection lines in the config.

icmp

ftp

tcp

udp

If you would like to go with ZBF (zone based firewall) then please upgrade the code to 15.1.2M code.

-KS

Hi Guys,

Thanks for the prompt response.  In answer to your questions:

Graham - using 1841 with 12.4(9)T1 - I'd like to go to a newer IOS but the router only has 128MB RAM, so that's the max I can go.  Can you advise what IOS level you upgraded to resolve the issue?  We are going to buy some RAM for the router, and were thinking of going to either the latest 12.4(24)T3 or the latest 12.4(15)T stream.

Also, to both... I have the following inspection enabled and applied:

ip inspect log drop-pkt
ip inspect tcp finwait-time 30
ip inspect tcp max-incomplete host 100 block-time 10
ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp
ip inspect name CBAC-inspect http
ip inspect name CBAC-inspect https
ip inspect name CBAC-inspect dns
ip inspect name CBAC-inspect icmp
ip inspect name CBAC-inspect l2tp
ip inspect name CBAC-inspect pptp
ip inspect name CBAC-inspect ipsec-msft
ip inspect name CBAC-inspect tftp
ip inspect name CBAC-inspect ssh
ip inspect name CBAC-inspect sip
ip inspect name CBAC-inspect ntp
ip inspect name CBAC-inspect smtp

I can't see any performance issues on the router (CPU not even above 10%).  The only thing I am thinking of is maybe it is double handling the traffic (i.e. does it do inspection using the http and tcp rule at the same time for web traffic and is this process switched?)

This is applied outbound on my external interface.

I am not using ZBF, nor do I intend to, and I'd prefer to stay on the 12.4T stream (need the T stream as opposed to 12.4 because we have a HWIC in there).

Cheers,

goulin
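The rule set goulin posted above is what the replies ask to trim back to the basic inspections, and Alex Yeung's item 7 concerns whether "ip inspect http" carries a java-list. The following is an added example, not code from the thread or from Cisco: it parses "ip inspect" lines as they appear in a running-config, lists the protocols in each named rule set, flags the application-layer inspections beyond tcp/udp/ftp/icmp, checks for http inspection without a java-list, and emits the trimmed rule set. The sample config is goulin's posted lines plus one constructed LAB-inspect line (an assumption, added only to exercise option parsing).

```python
"""Audit a Cisco IOS CBAC ("ip inspect") rule set.

Added example for this thread, not code from the original posts or from
Cisco. It parses "ip inspect" lines from a running-config, reports which
protocols go beyond the basic set the replies recommend keeping, and
produces the trimmed rule set.
"""
import re
from dataclasses import dataclass, field

# The minimal set KS recommends keeping while troubleshooting.
BASIC_PROTOCOLS = frozenset({"tcp", "udp", "ftp", "icmp"})

# Constructed sample: goulin's lines from the thread, plus the final
# LAB-inspect line, which is an assumption added to show option parsing.
SAMPLE_CONFIG = """\
ip inspect log drop-pkt
ip inspect tcp finwait-time 30
ip inspect tcp max-incomplete host 100 block-time 10
ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp
ip inspect name CBAC-inspect http
ip inspect name CBAC-inspect https
ip inspect name CBAC-inspect dns
ip inspect name CBAC-inspect icmp
ip inspect name CBAC-inspect l2tp
ip inspect name CBAC-inspect pptp
ip inspect name CBAC-inspect ipsec-msft
ip inspect name CBAC-inspect tftp
ip inspect name CBAC-inspect ssh
ip inspect name CBAC-inspect sip
ip inspect name CBAC-inspect ntp
ip inspect name CBAC-inspect smtp
ip inspect name LAB-inspect http java-list 51
"""

RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)(?:\s+(.+))?$")
TCP_RE = re.compile(r"^ip inspect tcp (\S+)(?:\s+(.+))?$")


@dataclass
class InspectConfig:
    # rule-set name -> protocols in configuration order
    rules: dict = field(default_factory=dict)
    # (rule-set, protocol) -> trailing options such as "java-list 51"
    options: dict = field(default_factory=dict)
    # global "ip inspect tcp <keyword> ..." settings, keyed by keyword
    tcp_settings: dict = field(default_factory=dict)


def parse_inspect_config(text: str) -> InspectConfig:
    """Collect rule-set lines and global tcp settings; other lines are ignored."""
    cfg = InspectConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            name, proto, opts = m.groups()
            cfg.rules.setdefault(name, []).append(proto)
            if opts:
                cfg.options[(name, proto)] = opts
            continue
        m = TCP_RE.match(line)
        if m:
            keyword, rest = m.groups()
            cfg.tcp_settings[keyword] = rest or ""
    return cfg


def extra_protocols(cfg: InspectConfig, name: str) -> list:
    """Application-layer inspections beyond the basic set, in config order."""
    return [p for p in cfg.rules.get(name, []) if p not in BASIC_PROTOCOLS]


def minimal_rule_set(cfg: InspectConfig, name: str) -> list:
    """The 'ip inspect name' lines to keep when trimming to the basic set."""
    return [f"ip inspect name {name} {p}"
            for p in cfg.rules.get(name, []) if p in BASIC_PROTOCOLS]


def java_bypass_missing(cfg: InspectConfig, name: str) -> bool:
    """True when http is inspected without a java-list (applet inspection stays on)."""
    return ("http" in cfg.rules.get(name, [])
            and "java-list" not in cfg.options.get((name, "http"), ""))


def report(cfg: InspectConfig) -> str:
    """Human-readable summary of each rule set and the global tcp settings."""
    lines = []
    for name, protos in cfg.rules.items():
        extras = extra_protocols(cfg, name)
        lines.append(f"{name}: {len(protos)} inspections, "
                     f"{len(extras)} beyond tcp/udp/ftp/icmp: {' '.join(extras)}")
        if java_bypass_missing(cfg, name):
            lines.append(f"  http inspected without java-list in {name}")
    for keyword, rest in cfg.tcp_settings.items():
        lines.append(f"tcp {keyword} {rest}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    audit = parse_inspect_config(SAMPLE_CONFIG)
    print(report(audit))
    print("\n".join(minimal_rule_set(audit, "CBAC-inspect")))
```

Run it against the output of "show running-config | include ip inspect" to see at a glance how many protocol-specific engines a rule set carries before removing them one at a time.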

As an experiment you could try disabling the inspection of http and https traffic (tcp will take care of it). And to answer your question, it's a top-down approach. So http traffic will get inspected and will not reach the tcp statement.

As far as IOS we went to the latest 12.4.15T release

Thanks Graham.  Just to clarify your setup, when you upgraded to 12.4(15)T and resolved the issue, did you still have the ip inspect for the Layer 7 protocols (i.e. http and https), or had you removed these and just left the tcp/udp inspection?

Please leave just these inspections and remove the rest.

ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp

Let us know if you still see latency. Watch the logs if you do and paste the output here if you still see the problem.

-KS
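The trimmed rule set KS describes, applied the way goulin applies it (outbound on the external interface), together with the inbound ACL that CBAC opens return-traffic holes in, and the java-list variant from Alex Yeung's item 7 for when http inspection is put back. This is an added example, not a configuration from the thread or from Cisco; the interface name, the 203.0.113.0/24 network and the ACL numbers 51 and 102 are assumptions, to be substituted with your own.

```cisco
! Added example, not a config from the thread. Assumptions: FastEthernet0/0
! is the external (WAN) interface; access-list 51, access-list 102 and the
! 203.0.113.0/24 network are placeholders.
!
! Trimmed CBAC rule set. Generic tcp/udp inspection still tracks HTTP and
! HTTPS sessions; only the protocol-specific engines are removed.
ip inspect name CBAC-inspect tcp
ip inspect name CBAC-inspect udp
ip inspect name CBAC-inspect ftp
ip inspect name CBAC-inspect icmp
!
! If http inspection is added back, a java-list limits Java applet
! inspection to sites not matched by the standard ACL (Alex Yeung's item 7).
! When present, the http engine handles HTTP flows instead of the generic
! tcp line. Left commented out here to keep the trimmed set above.
access-list 51 permit 203.0.113.0 0.0.0.255
! ip inspect name CBAC-inspect http java-list 51
!
! Inbound ACL on the external interface: block unsolicited inbound traffic.
! CBAC inserts temporary entries ahead of this ACL for the return traffic
! of sessions it inspected on the way out. The ICMP permits keep path MTU
! discovery and traceroute working for traffic the inspection does not cover.
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any log
!
interface FastEthernet0/0
 description External (WAN)
 ip access-group 102 in
 ip inspect CBAC-inspect out
 ip virtual-reassembly
!
! Verification commands suggested in the replies:
! show ip inspect config
! show ip inspect sessions
! show ip inspect statistics
```

Apply the trimmed set first, reproduce the slow-page condition, and only then add one protocol-specific line back at a time while watching "show ip inspect sessions" and the drop-pkt log, so the engine that introduces the latency can be isolated.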

Sorry my memory isn't serving me well enough to answer you (we have long since switched to using zone-based firewall). However, I think disabling the inspection of http/https traffic solved the issue for us.

Hi Graham,

Thanks for your help!  I will remove the http and https inspection and see how I go.

Just a question re your ZBF configuration.  Are you able to inspect http and https without any performance degradation?  If so, I might decide to ditch CBAC and move towards ZBF.

Thanks,

goulin

FYI - if anyone stumbles across this.  I managed to resolve the issue with both http and https inspection still enabled by upgrading the IOS to a higher revision (12.4(24)T4).
