I have a customer with an 877 series router with a zone-based firewall configuration. If they try to download anything, the speed slows to a crawl and the connection becomes almost unresponsive. I have tested with the zone pairs unapplied and it is fine. Can anyone point out what I need to remove/change from this config to improve things? Many thanks in advance.
If they are http downloads, you can try to remove the http inspections on your policy.
class-map type inspect match-any ccp-cls-insp-traffic
no match protocol http
policy-map type inspect ccp-inspect
no class type inspect ccp-protocol-http
Then, if the issue persists, you can enable the Zone-Based Firewall logs to see if packets are being dropped:
router(config)# ip inspect log drop-pkt
Then enable the logs and see what appears there. If you get drops due to straight segments, most likely they are Out-of-Order packets and you will need to double check the link with your ISP. Other logs may tell you that they are indeed out-of-order packets.
The reason why it works with the Zone-Based Firewall off is that (if the root cause is out-of-order packets and not just the inspection causing delay) the router doesn't care if the packets arrive out of order; it is just in charge of routing them.
Let me know if you have questions.
Thanks for the reply. I am sure I have tried removing the inspection and it didn't help. I will try it again tomorrow just in case. I will let you know how I get on.
I tried taking the http inspection rules out and had the same problem.
Debug messages:
000168: Feb 9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 220.127.116.11:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000169: Feb 9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 18.104.22.168:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0
000170: Feb 9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 22.214.171.124:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000171: Feb 9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 126.96.36.199:80 192.168.1.11:53823 due to Out-Of-Order Segment with ip ident 0
000172: Feb 9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 188.8.131.52:80 192.168.1.11:53897 due to Out-Of-Order Segment with ip ident 0
000173: Feb 9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 184.108.40.206:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0
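To make sense of output like the above before deciding whether the ISP link or the inspection policy is at fault, it helps to tally the drop reasons and the services affected rather than eyeballing individual lines. The following is an added example, not code from the thread or from Cisco: it parses %FW-6-DROP_PKT syslog lines in the format shown above, counts drops by reason and by well-known service port, and reports what share of the drops are Out-Of-Order Segment drops. The sample log lines are constructed (RFC 5737 documentation addresses) and only modelled on the poster's output; the 50% threshold and the verdict strings are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Pattern for the IOS Zone-Based Firewall drop message:
# "%FW-6-DROP_PKT: Dropping <proto> session <src>:<sport> <dst>:<dport> due to <reason> with ip ident <n>"
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

# Constructed sample syslog excerpt (not the poster's real output; addresses are
# RFC 5737 documentation ranges). The last line is a non-firewall message to
# show that unrelated syslog lines are ignored.
SAMPLE_LOG = """\
000168: Feb 9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.10:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000169: Feb 9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.20:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0
000170: Feb 9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.10:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000171: Feb 9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.21:80 192.168.1.11:53823 due to Out-Of-Order Segment with ip ident 0
000172: Feb 9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.22:80 192.168.1.11:53897 due to Out-Of-Order Segment with ip ident 0
000173: Feb 9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.11:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0
000174: Feb 9 14:29:00.000 gmt: %SYS-5-CONFIG_I: Configured from console by vty0
"""

OOO_REASON = "Out-Of-Order Segment"


def parse_drops(text):
    """Yield one dict per %FW-6-DROP_PKT line; any other syslog line is skipped."""
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "ident"):
                d[key] = int(d[key])
            yield d


def summarize(text):
    """Return (drops_by_reason, drops_by_service).

    The service is identified by whichever side of the session uses a
    well-known port (< 1024), so an inbound SMTP session and an outbound
    HTTP download both land on the port the admin recognises (tcp/25, tcp/80).
    """
    by_reason = Counter()
    by_service = Counter()
    for d in parse_drops(text):
        by_reason[d["reason"]] += 1
        svc_port = d["dport"] if d["dport"] < 1024 else d["sport"]
        by_service[f"{d['proto']}/{svc_port}"] += 1
    return by_reason, by_service


def ooo_share(by_reason):
    """Fraction of all logged drops that were Out-Of-Order Segment drops (0.0 if none)."""
    total = sum(by_reason.values())
    return by_reason[OOO_REASON] / total if total else 0.0


def diagnose(text, threshold=0.5):
    """Summarise the log and give a verdict.

    The threshold (assumed, not from Cisco) says: if at least this share of
    drops is out-of-order segments, suspect reordering on the upstream path
    rather than the inspection rules themselves.
    """
    by_reason, by_service = summarize(text)
    share = ooo_share(by_reason)
    if not by_reason:
        verdict = "no firewall drops logged"
    elif share >= threshold:
        verdict = "out-of-order dominant: check upstream link / packet reordering"
    else:
        verdict = "mixed drop reasons: review inspection policy first"
    return {
        "by_reason": dict(by_reason),
        "by_service": dict(by_service),
        "ooo_share": share,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for reason, n in result["by_reason"].items():
        print(f"{n:4d}  {reason}")
    for svc, n in result["by_service"].items():
        print(f"{n:4d}  {svc}")
    print(f"out-of-order share: {result['ooo_share']:.0%} -> {result['verdict']}")
```

Run it against the output of `show logging` (or a syslog collector export) after `ip inspect log drop-pkt` has been enabled for a while; a drop profile dominated by out-of-order segments across several destination ports, as in the sample, points at the path rather than at any one inspection class.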
Hi Mike. I found this thread and think it may be the answer to my problem. I am going to give it a try in the next few days. I am very busy at the moment and going on leave next week, so I cannot guarantee it will be done next week, but I will let you know how it goes.
Thanks for your assistance with this.
If I am not mistaken, that parameter map for OoO packets is available on version 15 and higher. It may alleviate the issue (it never worked for me, though), but if it does, then great. Let me know how it goes.
Not an option to upgrade unfortunately. Not enough ram or flash on the router.
Looks like we will have to rebuild the router without the zone based firewall.
Oh well. Thanks for your input anyway.
Hi, I had exactly the same experience on an SR520 (basically an 877 with a different case), so maybe the 877 is not up to ZBFW, but having said that, the CPU never really broke a sweat. Speedtest just showed upload and download running at about 25% of what they did on the classic firewall.
This is our home router, so we had a chance to play, but I couldn't get the performance to match the classic, so we're back on that. Might be a software version thing. I don't have SMARTnet, so I can't test this.