1720 with CBAC and VPN connection via ethernet outside to the internet

ugriemert · ‎01-29-2002

For a vpn connection we have a 1720 with CBAC connected to the internet via an ethernet interface to an SDLC modem (2Mbit/s). Activating a full set of inspection rules performance to the internet slows down from 200 kByte/s to 2-5 kByte/s, many timeouts and output errors on the ethernet interface occur.

Omitting the http inspection, performance returns to 200 kByte/s, with less output errors and timeouts.

This happened with images from 12.1-5YB1 to 12.2-4.T1. This problem is at TAC since Nov. 2001 and no solution up to now.

Does anybody an idea about this problem or does anybody experience this problem too?

j-block · ‎02-04-2002

It sounds like you might be overworking the 1700. I’m sure the TAC has looked at memory and CPU but if not, take a look. You might need to upgrade your router, not the IOS.

cjacinto · ‎02-25-2002

Try to lessen the inspection rules, and also are you doing some form of IDS loggin as well? If you do,

take it. CPU might be too busy to process all of this (show cpu util and processes would show this).

ugriemert · ‎03-08-2002

thanks for your reply!

its definitely no problem of cpu load.

i forgot to mention, that this effect doesn't exist at all when using a serial interface to the internet.

cisco is obviously (i hope) working on that problem, because i get e-mails of CE-pend since about 4 weeks, but no solution!

jfrahim · ‎03-02-2002

With http inspection, IOS FW looks for any embadded java applets. This process utilizes the resources on the router. I am just wondering if Java filtering is something that you are looking for?

Jazib

ugriemert · ‎03-08-2002

thanks for your reply!

its definitely no problem of cpu load.

i forgot to mention, that this effect doesn't exist at all when using a serial interface to the internet.

cisco is obviously (i hope) working on that problem, because i get e-mails of CE-pend since about 4 weeks, but no solution!