This is quite a common occurrence on a busy router, since you can easily overrun the default threshold values so that the router thinks there's an attack going on and starts blocking new connections. You always need to monitor CBAC and set your values to a point where "normal" traffic doesn't exceed them, but in the event of an attack you'll be somewhat protected.
First off, if you're not filtering out Java applets, turn off the HTTP inspection; it only causes slow response and has no effect if you're not filtering Java. The standard TCP inspection will take care of all the HTTP traffic and allow it back in.
Then you can use the following hidden command:
> sho ip inspect stat
to see what your current threshold values are set at and what level you're currently hitting. The default threshold amounts are detailed here:
The max-incomplete-high and low and the one-minute high and low are what you'll want to increase if you're overrunning them with your standard traffic. There's no problem with increasing these, just don't make them enormous cause then even in the event of an attack you'll never hit them. You'll need to play around with them for a while and get them to a point where you're not hitting the thresholds with normal traffic, but where an increase in this traffic (suggesting a possible attack), would hit the limits.
The easiest way to see if your router has hit the limit is to turn on syslogging on it. When a threshold is reached you'll get a console message saying the router "is getting aggressive", meaning your high threshold value has been reached and the router is stopping new connections from coming through, deleting old ones, and generally slowing everything down. When you see a message "calming down", it means your low threshold value has been reached and the router is putting everything back to normal. Under normal circumstances you don't want to see the "getting aggressive" message cause it'll cause problems to your traffic.
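As an added example (not part of the original post), here is a small Python parser that pulls the "getting aggressive" / "calming down" messages out of a syslog export and measures how long, and at what 1-minute rate, the router sat in the aggressive state, which is the evidence you need to decide whether normal traffic is overrunning the thresholds. The log lines are constructed, and the message layout is assumed to follow the IOS %FW-4-ALERT_ON / %FW-4-ALERT_OFF shape, so ALERT_RE may need adjusting for your release.

```python
import re
from datetime import datetime

# Constructed sample syslog lines, shaped like IOS CBAC %FW-4-ALERT_ON /
# %FW-4-ALERT_OFF messages (assumption: exact wording may differ per release).
SAMPLE_LOG = """\
Mar  1 10:00:05 rtr1 123: %FW-4-ALERT_ON: getting aggressive, count (510/500) current 1-min rate: 520
Mar  1 10:00:30 rtr1 124: %SYS-5-CONFIG_I: Configured from console by admin
Mar  1 10:01:10 rtr1 125: %FW-4-ALERT_OFF: calming down, count (390/400) current 1-min rate: 380
Mar  1 14:30:00 rtr1 201: %FW-4-ALERT_ON: getting aggressive, count (505/500) current 1-min rate: 640
Mar  1 14:30:45 rtr1 202: %FW-4-ALERT_OFF: calming down, count (395/400) current 1-min rate: 300
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \d+: %FW-4-ALERT_(?P<state>ON|OFF): "
    r"[^,]+, count \((?P<count>\d+)/(?P<threshold>\d+)\) current 1-min rate: (?P<rate>\d+)$"
)

def parse_alerts(log_text, year=2024):
    """Return CBAC threshold events (ts, state, count, threshold, rate) in log order."""
    events = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a CBAC threshold message, e.g. the %SYS line above
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "state": m["state"], "count": int(m["count"]),
                       "threshold": int(m["threshold"]), "rate": int(m["rate"])})
    return events

def aggressive_episodes(events):
    """Pair each 'getting aggressive' with the next 'calming down' to get time spent aggressive."""
    episodes, start = [], None
    for ev in events:
        if ev["state"] == "ON" and start is None:
            start = ev
        elif ev["state"] == "OFF" and start is not None:
            episodes.append({"start": start["ts"],
                             "seconds": (ev["ts"] - start["ts"]).total_seconds(),
                             "peak_rate": start["rate"], "high": start["threshold"],
                             "low": ev["threshold"]})
            start = None
    return episodes

def summarize(episodes):
    """How often, for how long, and by how much traffic overran the configured thresholds."""
    return {"episodes": len(episodes),
            "aggressive_seconds": sum(e["seconds"] for e in episodes),
            "max_rate": max((e["peak_rate"] for e in episodes), default=0)}
```

If the summary shows repeated short episodes during known-normal hours, that is the signal to raise the one-minute and max-incomplete thresholds; a single long episode at an unusual hour is worth investigating rather than tuning away.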