Lately observed that even POP3 (port 110) has a problem. A few of the sites report HTTP issues, with the browser just showing "opening the page" and nothing appears. Once we remove intercept, everything works fine.
A few more inputs on the setup. We have hundreds of remote sites which come in on private IPs, get NATed at the 7206 router and access the internet. Of late we are noticing a lot of SYN attacks at the router and the CPU going to 100%; that is the reason we thought of having TCP intercept implemented.
Well, I work for a web hosting company and we get the same kind of SYN attacks. The same symptoms ... CPU % maxes out ... TCP intercept will NOT help you with this. We tried ... We turned on Turbo ACL but it doesn't really help much either. I suggest opening a case with the TAC and they will help you to discover if you can prevent this from happening. From experience, you'll just have to wait it out ...
FYI ... We have 7206 VXRs (2) at our border with NPE-400s ... we just got a 7206 VXR with an NPE-G1 but have not had a chance to put it up against a SYN attack yet. Good luck ...
You can contact me if you want to, and I can give you a point of contact at Cisco (that I have worked with) to help get you started.
The problem is I cannot create a TAC case; I have the option of only using the open forum with my ID. Please let me know how you have handled the SYN attacks; your suggestions would be highly appreciated.
Well, you can always contact your ISP and try to convince them to place a filter at their end. Not at the other end of the link, though (that would just tie up the router at the other end of your link), but rather somewhere else in their network that would filter the offending address range yet allow you to still pass other traffic back and forth. (BTW, this is the exact info I got from the TAC as well.) Good luck.