Cisco Support Community
New Member

ip inspect breaks tunnelled traffic

I've been trying to work around a problem that has been driving me nuts for a long time. As far as I can tell, IP INSPECT on 871s and 1811s (models I've tested), using a range of IOS versions from 12.3.8 to 12.4.11T, cannot handle sending traffic over a VPN if IP INSPECT for that particular protocol is enabled. The configurations are standard SDM-created configs. Nothing weird, just internet access and one VPN.

With ip inspect tcp enabled, no TCP traffic works for more than a few seconds over the VPN tunnel. With it off, VPN tunnel traffic works fine. How can this be? Should the router not be able to do firewalling and VPN at the same time? I have tried this on several different routers and to different platforms at the other end of the VPN (ASA, PIX, 1811, 1841). This is an error message I have seen:

Mar 14 00:44:26.343: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.10:2997 => 192.168.16.10:445 due to Invalid Segment -- ip ident 49176 tcpflags 0x5010 seq.no 1430090952 ack 2420612329

As a workaround I disabled ip inspect on tcp and udp and enabled it on a bunch of specific protocols. This is OK as a short-term solution, but it means that only the applications for which ip inspect is enabled work through the firewall (which means http, https, ftp, etc.), and one day I can guarantee the client will want to use other applications that are not supported without using ip inspect tcp/udp.

The set-up I am trying to get working is not abnormal; in fact, I would imagine 80% of 1811 installs out there use the same. Any ideas how to fix this?
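The %FW-6-DROP_TCP_PKT message quoted above carries everything needed to tell whether CBAC is dropping flows that belong to the tunnel: endpoints, the drop reason, and the raw TCP offset/flags word. The following Python is an added example, not code from this thread or from Cisco. It parses those lines, decodes the tcpflags value (assumed to be the 16-bit data-offset/flags word from the TCP header, so 0x5010 is a 20-byte header with only ACK set), and groups the drops by destination so tunnel-bound traffic stands out. The sample log lines (beyond the one from the post), the remote VPN subnet 192.168.16.0/24 and the Internet address 203.0.113.8 are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog text. The first line is the message quoted in the
# post; the others are made up to show aggregation and a non-matching line.
SAMPLE_LOG = """\
Mar 14 00:44:26.343: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.10:2997 => 192.168.16.10:445 due to Invalid Segment -- ip ident 49176 tcpflags 0x5010 seq.no 1430090952 ack 2420612329
Mar 14 00:44:27.101: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.10:2997 => 192.168.16.10:445 due to Invalid Segment -- ip ident 49177 tcpflags 0x5018 seq.no 1430092412 ack 2420612329
Mar 14 00:44:30.512: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.22:3411 => 203.0.113.8:443 due to Invalid Segment -- ip ident 1024 tcpflags 0x5010 seq.no 99 ack 100
Mar 14 00:44:31.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Assumes the plain "Mon DD HH:MM:SS.mmm:" timestamp format shown in the post
# (no leading sequence number or "*" marker).
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) -- ip ident (?P<ident>\d+) tcpflags (?P<flags>0x[0-9a-fA-F]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)$"
)

# Low 6 bits of the TCP offset/flags word, most significant first.
TCP_FLAG_BITS = ((0x020, "URG"), (0x010, "ACK"), (0x008, "PSH"),
                 (0x004, "RST"), (0x002, "SYN"), (0x001, "FIN"))


def decode_tcpflags(word: int):
    """Split the logged tcpflags word into (TCP header length in bytes, flag names).

    Assumption: IOS logs the raw 16-bit data-offset/flags word, so the top
    nibble is the header length in 32-bit words and the low bits are the flags.
    """
    header_len = (word >> 12) * 4
    names = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return header_len, names


@dataclass(frozen=True)
class DroppedSegment:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str
    ip_ident: int
    tcpflags: int
    seq: int
    ack: int

    @property
    def flag_names(self):
        return decode_tcpflags(self.tcpflags)[1]


def parse_drop_line(line: str):
    """Return a DroppedSegment for a %FW-6-DROP_TCP_PKT line, else None."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    return DroppedSegment(
        timestamp=m["ts"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), reason=m["reason"],
        ip_ident=int(m["ident"]), tcpflags=int(m["flags"], 16),
        seq=int(m["seq"]), ack=int(m["ack"]),
    )


def parse_log(text: str):
    """Parse every drop message in a block of syslog text, skipping other lines."""
    return [seg for seg in map(parse_drop_line, text.splitlines()) if seg]


def summarize_by_destination(drops):
    """Count drops per (dst, dport, reason) so repeated kills of one flow show up."""
    return Counter((d.dst, d.dport, d.reason) for d in drops)


def tunnel_bound(drops, remote_net: str):
    """Keep only drops whose destination lies in the remote VPN subnet."""
    net = ipaddress.ip_network(remote_net)
    return [d for d in drops if ipaddress.ip_address(d.dst) in net]


if __name__ == "__main__":
    drops = parse_log(SAMPLE_LOG)
    for key, n in summarize_by_destination(drops).items():
        print(f"{key[0]}:{key[1]} {key[2]!r}: {n} drop(s)")
    for d in tunnel_bound(drops, "192.168.16.0/24"):
        hlen, flags = decode_tcpflags(d.tcpflags)
        print(f"tunnel-bound drop {d.src}:{d.sport} -> {d.dst}:{d.dport} "
              f"hdr={hlen}B flags={'|'.join(flags)} seq={d.seq} ack={d.ack}")
```

Run over a real `show logging` capture, a high count of "Invalid Segment" drops that are almost all tunnel-bound, with ordinary ACK/PSH flags, points at the inspection path rather than at the hosts, which is the symptom the original post describes.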

3 REPLIES
New Member

Re: ip inspect breaks tunnelled traffic

OK, I think I've fixed it. I cranked the MTU down to 1300 from 1340 and enabled the ip inspect both in and out on the outside interface of the router. Seems to work much better now...

New Member

Re: ip inspect breaks tunnelled traffic

It's more likely the hardware encryption engine.

Try "no crypt engine accel"

to turn off the hardware encryption... which interferes with CBAC in these SW versions.

Kdam

New Member

Re: ip inspect breaks tunnelled traffic

Kelvin,

How did you know hardware encryption and CBAC don't play nicely together? I was having the exact same problem, entered "no crypt engine accel" and all is working great.

I'm running 12.4(11)T. Do you know if this has been fixed in a later version of IOS?

Your post has saved me hours of troubleshooting.

Thanks

Bruno
