Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CBAC blocking Windows 7 upload

Hello,

Since upgrading some of computers in my LAN to Windows 7 they all experience upload issues. I have narrowed it down to CBAC inspection on my Cisco 1711 router, I am running IOS 12.3 I have a simple CBAC inspection set for TCP/UDP only without any application-specific inspects. Download works fine however upload does not seem to work atl all- unless I disable the ip inspection. It is all working fine for any Windows XP but not for Windows 7 machines. Is this a known issue, I am not sure how I can go about this - I don't want to build ACLs now for outside interface and disable stateful inspection mechanisms because CBAC has been working fine for me until recently. Thanks for any suggestions.

1 ACCEPTED SOLUTION

Accepted Solutions

CBAC blocking Windows 7 upload

Hello Artur,

Really, sounds like a bug, I will search on this to find what is going on.

Thank you for the update.

Please mark the question as answered so future users with the same issue now what to do.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
7 REPLIES

CBAC blocking Windows 7 upload

Hello Artur,

Can you show us the the logs CBAC is reporting while you make an upload.

You can enable the command "ip inspect log drop-pkt"

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: CBAC blocking Windows 7 upload

Thank you Julio, what sort of logs would you like to see? I set the:

ip inspect log drop-pkt

and also

debug ip insp tcp

debug ip insp udp

debug ip insp events

and I am attaching the exract when I initiated http upload. It looks like the packets are dropped because they're out of sequence, I was trying to upload to ip 87.248.121.213 (flickr in this case).

Re: CBAC blocking Windows 7 upload

Hello,

That is the issue! CBAC will do a deep inspection on the TCP stack and it will see the out of order packets and will drop them, You will need to solve that problem on the inside on your network ( packets out of order) but at this moment CBAC is doing its job.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

CBAC blocking Windows 7 upload

Well, this is Windows 7, how can I force it? Again, I don't have this problem with Windows XP. It looks like the issue was addressed with newer IOS version with ip insp tcp reassembly command.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_ooop.html

CBAC blocking Windows 7 upload

Hello,

The thing is that reassembly is for the out of order packets not out of sequence,

I will investigate on this and let you know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

CBAC blocking Windows 7 upload

Thank you Julio but I found the solution - it was IOS upgrade. When I ugraded my 12.3-11 to 12.4-15 it started to work on exactly the same configuration, I did not change anything.

CBAC blocking Windows 7 upload

Hello Artur,

Really, sounds like a bug, I will search on this to find what is going on.

Thank you for the update.

Please mark the question as answered so future users with the same issue now what to do.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
477
Views
0
Helpful
7
Replies
CreatePlease login to create content