I tried that as well. Realize the only difference between suggestions and original config are the placement of the inspect statements. I'm pretty sure they are equivelant. Anyhow, no dice.

Here is exactly what I have.

ip inspect name SDM_LOW tcp timeout 3600

ip inspect name SDM_LOW udp timeout 300

!

int fa0/1

description OUTSIDE

ip access-group 103 in

!

int vlan 1

description INSIDE

ip access-group 100 in

ip inspect SDM_LOW in

!

ip access-list extended 103

10 deny SPOOFED STUFF

20 deny BAD PROTOCOLS

...(permit inbound services like http & ssh to specific hosts)

1200 deny ip any any log

!

ip access-list extended 100

10 deny SPOOFED STUFF

...(more spoofed stuff)

50 permit ip any any

Now if I remove the ip inspect statements and add "20 permit tcp any any established" to the ACL 103 outbound works fine.

Otherwise Internet browsing works sometimes. It almost seems like CBAC is doing some sort of content filtering but that doesn't make sense. For instance it pulls up http://www.cdw.com but many images are broken. Works fine with some pages and awfully with others.

I have tried your solution and unfortunately I have not seen that it helps the situation any. I am personally leaning to a Cisco IOS issue. What are the commonalities between each of our issues? The following are my specs:

- Cisco 2821 Router

- c2800nm-advsecurityk9-mz.124-9.T1.bin

When I first began having this issue I was running c2800nm-adventerprisek9-mz.124-10. I have since then switched to c2800nm-advsecurityk9-mz.124-3g. Changing to the only GD code for 12.4 Security didn't help.

Hello,

What's the output of a show ip inspect all?

The only thing I can think of if it's 'intermittent' is that you are hitting some of the connection limitations (max incomplete or one minute high/low). this would explain why you would get part of the cdw page - but some images (which are coming from other sites) might be incomplete, as those would be new http connections to those sites.

--Jason

Currently my show ip inspect all is as followed.

RTR1#show ip inspect all

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400:500] connections

max-incomplete sessions thresholds are [400:500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec

tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec

Inspection Rule Configuration

Inspection name SDM_LOW

http java-list 99 url-filter is on alert is on audit-trail is off timeout 36

00

(Output Omitted)

Interface Configuration

Interface MFR0.646

Inbound inspection rule is not set

Outgoing inspection rule is SDM_LOW

http java-list 99 url-filter is on alert is on audit-trail is off timeout 36

00

(Output Omitted)

Inbound access list is 103

Outgoing access list is not set

Established Sessions

(Output Omitted)

All right.

Well, I've had some problems in various locations with this, it *may* or may not be the same issue.

A couple of recommendations:

enable the audit trail so you can see what inspects 'issue' is.

ip inspect audit-trail

also, I would increase all the session thresholds (note - if you're worried about hosts doing DOS attacks, then play with these numbers):

ip inspect max-incomplete high 5000

ip inspect max-incomplete low 4800

ip inspect one-minute high 5000

ip inspect one-minute low 4800

ip inspect udp idle-time 60

ip inspect tcp idle-time 43200

ip inspect tcp synwait-time 60

ip inspect tcp max-incomplete host 200 block-time 0

I would then try the connections again and see how it goes - turn the log buffer up to debug and see what inspect is complaining about.

Hope this helps!

--Jason

Please rate this message if it solves some or all of your question/issue.