New Member

Zone based firewall slowing downloads

I have a customer with an 877 series router with a zone-based firewall configuration. If they try to download anything the speed slows to a crawl and becomes almost unresponsive. I have tested with the zone pairs unapplied and it is fine. Can anyone point out what I need to remove/change from this config to improve things? Many thanks in advance.

  • Firewalling
9 REPLIES
Cisco Employee

Zone based firewall slowing downloads

If they are http downloads, you can try to remove the http inspections on your policy.

class-map type inspect match-any ccp-cls-insp-traffic
 no match protocol http
policy-map type inspect ccp-inspect
 no class type inspect ccp-protocol-http

Then, if the issue persists, you can enable the zone-based firewall drop logs to see if packets are being dropped:

router(config)# ip inspect log drop-pkt

Then enable the logs and see what appears there. If you get drops due to straight segment, most likely they are out-of-order packets and you will need to double-check the link with your ISP. Other logs may tell you that they are indeed out-of-order packets.

The reason it works with the zone-based firewall off is that (if the root cause is out-of-order packets and not just the inspection causing delay) the router doesn't care if the packets come out of order; it is just in charge of routing them.

Let me know if you have questions.

Mike

Mike
New Member

Zone based firewall slowing downloads

Thanks for the reply. I am sure I have tried removing the inspection and it didn't help. I will try it again tomorrow just in case. I will let you know how I get on.

Cisco Employee

Zone based firewall slowing downloads

Fair enough,

Keep me updated.

Mike

Mike
New Member

Zone based firewall slowing downloads

I tried taking the http inspection rules out and had the same problem.

Debug messages:

000168: Feb  9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
000169: Feb  9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846  due to  Out-Of-Order Segment with ip ident 0
000170: Feb  9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
000171: Feb  9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823  due to  Out-Of-Order Segment with ip ident 0
000172: Feb  9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897  due to  Out-Of-Order Segment with ip ident 0
000173: Feb  9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25  due to  Retransmitted Segment with Invalid Flags with ip ident 0
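The triage Mike describes (look at the %FW-6-DROP_PKT reasons and, if they are mostly out-of-order segments, suspect the WAN path rather than the inspect policy) is easy to automate over a syslog capture. The script below is an added example, not something posted in this thread; it parses the drop lines quoted above (embedded here as a constructed sample) into sessions and drop reasons, and the 50% out-of-order threshold in `assess()` is an assumption that encodes the rule of thumb, not a Cisco-documented value.

```python
import re
from collections import Counter

# Constructed sample: the %FW-6-DROP_PKT lines quoted in the post above.
SAMPLE_LOG = """\
000168: Feb  9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
000169: Feb  9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846  due to  Out-Of-Order Segment with ip ident 0
000170: Feb  9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
000171: Feb  9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823  due to  Out-Of-Order Segment with ip ident 0
000172: Feb  9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897  due to  Out-Of-Order Segment with ip ident 0
000173: Feb  9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25  due to  Retransmitted Segment with Invalid Flags with ip ident 0
"""

# Matches the body of an IOS FW-6-DROP_PKT message as it appears in the thread.
# The reason text is matched lazily up to the literal "with ip ident", so a
# reason that itself contains "with" (e.g. "... with Invalid Flags") survives.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)"
)


def parse_drops(text):
    """Return one dict per %FW-6-DROP_PKT line; lines that do not match are ignored."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["ident"] = int(d["ident"])
        drops.append(d)
    return drops


def summarize(drops):
    """Count drops by reason, by service port and by 4-tuple session."""
    by_reason = Counter(d["reason"] for d in drops)
    # Heuristic: the lower of the two ports is the well-known service side
    # (80 for the HTTP downloads, 25 for inbound SMTP in the sample).
    by_service_port = Counter(min(d["sport"], d["dport"]) for d in drops)
    by_session = Counter((d["src"], d["sport"], d["dst"], d["dport"]) for d in drops)
    return {
        "by_reason": by_reason,
        "by_service_port": by_service_port,
        "by_session": by_session,
    }


def assess(drops, ooo_threshold=0.5):
    """Apply the rule of thumb from the thread: mostly out-of-order drops point
    at the WAN circuit, anything else points back at the inspect policy.
    The 0.5 threshold is an assumption chosen for this example."""
    if not drops:
        return "no firewall drops logged"
    ooo = sum(1 for d in drops if d["reason"].startswith("Out-Of-Order"))
    share = ooo / len(drops)
    where = "check the WAN circuit / ISP path" if share >= ooo_threshold \
        else "review the inspect policy and other drop reasons first"
    return f"{ooo}/{len(drops)} drops are out-of-order segments: {where}"


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    summary = summarize(drops)
    for reason, n in summary["by_reason"].most_common():
        print(f"{n:4d}  {reason}")
    for port, n in sorted(summary["by_service_port"].items()):
        print(f"{n:4d}  service port {port}")
    print(assess(drops))
```

Feed it `show logging` output or a syslog file instead of `SAMPLE_LOG`; the per-session counter is the useful part when a single long-lived flow (here the repeated SMTP session from 195.74.103.133) accounts for many of the drops.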

Cisco Employee

Zone based firewall slowing downloads

Just what I suspected. Would you be able to contact your Carrier and check their circuit?

Mike

Mike
New Member

Zone based firewall slowing downloads

Hi Mike. I found this thread and think it may be the answer to my problem. I am going to try and give it a try in the next few days. I am very busy at the moment and going on leave next week so cannot guarantee it will be done next week but I will let you know how it goes.

http://www.dslreports.com/forum/remark,24332834

Thanks for your assistance with this.

Cisco Employee

Zone based firewall slowing downloads

If I am not mistaken, that parameter map for OoO packets is available on version 15 and higher; it may alleviate the issue (never worked for me though), but if it does, then great. Let me know how it goes.

Mike.

Mike
New Member

Zone based firewall slowing downloads

Not an option to upgrade unfortunately. Not enough RAM or flash on the router.

Looks like we will have to rebuild the router without the zone based firewall.

Oh well. Thanks for your input anyway.

New Member

Zone based firewall slowing downloads

Hi, I had exactly the same experience on an SR520 (basically an 877 with a different case), so maybe the 877 is not up to ZBFW, but having said that the CPU never really broke a sweat. Speedtest just showed upload and download running at about 25% of what they did on the classic firewall.

This is our home router so we had a chance to play, but I couldn't get the performance to match the classic so we're back on that. Might be a software version thing. I don't have SmartNet so I can't test this.

Nick
