1721 resetting port 80 tcp connections - troubleshooting

I have a 1721 with ios 12.3(7)T (image c1700-k9o3sy7-mz.123-7.T.bin) which works wonderfully well... for a while. With no warning, outward signs or periodicity it suddenly starts sending tcp resets to clients attempting to connect to port 80 from the outside.


This router is configured to do a lot of things and all other functionality tests out fine while it is killing port 80 connections. Amongst the many other things it is doing successfully: port-mapping tftp traffic, port-mapping smtp traffic, port-mapping sntp traffic, port-mapping syslog traffic, site-to-site vpn tunnel with an 827 over an adsl connection, vpn client connections, ACLs, split vpn tunneling, etc.


I've exhausted all the troubleshooting tricks I know. Basically:


o "sh access-lists" shows that the incoming client connection requests for port 80 are permitted by the acl on the d0 interface.


o Port mapping to the web server is configured in the customary manner:

ip nat inside source static tcp 10.0.0.5 80 interface dialer0 80 !www


o cbac is being used, but NOT for port 80 traffic:

! following rem'd - reported problems with java - rely on tcp inspection

! ip inspect name my-out-rules http alert on timeout 3600


o Logs files on the destination web server show no http requests or other evidence of the connection attempt.


o Running snort on the same network as the web server shows no http requests or other evidence of the connection attempt.


o The only debugging output I've examined is "debug ip packets detail" which yields:

Mar 30 10:52:25: IP: s=111.111.111.111 (Dialer0), d=222.222.222.222 (Dialer0), len 48, rcvd 3
Mar 30 10:52:25: TCP src=3575, dst=80, seq=2003803651, ack=0, win=16384 SYN
Mar 30 10:52:25: IP: s=222.222.222.222 (local), d=111.111.111.111 (Dialer0), len 40, sending
Mar 30 10:52:25: TCP src=80, dst=3575, seq=0, ack=2003803652, win=0 ACK RST



Is this possibly a hardware problem? An ios bug perhaps? Could cbac be the culprit? Can anyone offer some suggestions?

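Added example, not from the original post: a small Python parser for "debug ip packet detail" lines of the shape quoted above. It pairs each inbound SYN to port 80 with the reply and flags the case where the RST's IP source is "(local)", meaning the router itself generated the reset instead of forwarding one from the inside server; the sample lines are constructed from the question's output using the same placeholder addresses.

```python
import re

# Constructed sample modelled on the "debug ip packet detail" lines in the question.
# Lines 5-7 add an unrelated SYN to port 25 that the router simply forwards inside.
SAMPLE_DEBUG = """\
Mar 30 10:52:25: IP: s=111.111.111.111 (Dialer0), d=222.222.222.222 (Dialer0), len 48, rcvd 3
Mar 30 10:52:25: TCP src=3575, dst=80, seq=2003803651, ack=0, win=16384 SYN
Mar 30 10:52:25: IP: s=222.222.222.222 (local), d=111.111.111.111 (Dialer0), len 40, sending
Mar 30 10:52:25: TCP src=80, dst=3575, seq=0, ack=2003803652, win=0 ACK RST
Mar 30 10:52:26: IP: s=111.111.111.111 (Dialer0), d=222.222.222.222 (Dialer0), len 48, rcvd 3
Mar 30 10:52:26: TCP src=3576, dst=25, seq=77, ack=0, win=16384 SYN
Mar 30 10:52:26: IP: s=222.222.222.222 (Dialer0), d=10.0.0.5 (Ethernet0), len 48, forward
"""

# "IP:" line: source/destination address and the interface (or "local") in parentheses.
IP_RE = re.compile(r"IP: s=(?P<src>\S+) \((?P<sif>[^)]+)\), d=(?P<dst>\S+) \((?P<dif>[^)]+)\)")
# "TCP" line that follows it: ports, seq/ack numbers and the flag words at the end.
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=(?P<seq>\d+), "
                    r"ack=(?P<ack>\d+), win=\d+ (?P<flags>.*)$")


def parse_packets(text):
    """Join each 'IP:' line with the 'TCP' line that follows it into one dict."""
    packets, pending = [], None
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            pending = m.groupdict()       # remember the IP header until its TCP line
            continue
        m = TCP_RE.search(line)
        if m and pending is not None:
            pkt = {**pending, **m.groupdict()}
            pkt["flags"] = set(pkt["flags"].split())
            packets.append(pkt)
            pending = None
    return packets


def find_local_resets(text, port="80"):
    """Return (client_ip, client_port) pairs whose SYN to `port` was answered by a RST
    sourced '(local)': the router, not the NATed inside server, tore the connection down."""
    syns, hits = {}, []
    for p in parse_packets(text):
        if p["dport"] == port and p["flags"] == {"SYN"}:
            syns[(p["src"], p["sport"])] = p
        elif p["sif"] == "local" and p["sport"] == port and "RST" in p["flags"]:
            key = (p["dst"], p["dport"])
            syn = syns.get(key)
            # A genuine reply acknowledges the client's ISN + 1.
            if syn and int(p["ack"]) == int(syn["seq"]) + 1:
                hits.append(key)
    return hits
```

Every hit is a connection the router answered itself, which is the signature to look for before suspecting the web server or the NAT translation.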
gfullage Wed, 03/31/2004 - 20:16
User Badges:
  • Cisco Employee,

It's probably CBAC, where you've reached either your default connection limit or your default 3way handshake limit, and CBAC thinks there's an attack going on and is resetting the connections. Basically it's doing its job with the default configuration.


Use the hidden command "sho ip inspect stat" to see if you hit any of your limits. If any of them are reached, use the "ip inspect ?" command to see how to increase the default. Or use the command reference here:


http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm#1001343

Thanks for the recommendation. I checked the cbac stats (and the ip audit stats as well) and found nothing unusual.


After downgrading to limited deployment IOS 12.2(7r)XM1, RELEASE SOFTWARE (fc1) c1700-k9o3sy7-mz.123-6.bin, the router has been up for the past 72 hours with no signs of the problem. Seems it's another ios bug ...
