IOS CBAC and ACL on 2801 router with Adv Security

Tim Smith
Level 4

Hi,

Just wondering if CBAC has a limitation on how many sessions it can keep open?

I'm not looking at half-open sessions. I realise this is a separate setting.

I basically have IP Inspect setup and it has been working fine. Recently there has been a huge increase in DNS requests from our site which is getting counted by CBAC. Only a couple of TCP sessions are making it through to the open state.

Any ideas or helpful debugs for this one? Have had a look at the standard ones.

It seems that the outside ACL is blocking the return packets for certain sessions. Almost like the IP INSPECT tables are full and it doesn't count those sessions any more and open the dynamic return path.

Sorry if that was a bit vague! Running on way too little sleep here!

Cheers,

Tim.

1 Reply

s-doyle
Level 3

Can you send me the following information regarding your connections.

1. output of show ip inspect stats

2. show log

Also, can you give me an estimate of how many half-open sessions you have on average.

These details will give me a better idea of the problem.
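As an added example (not from either poster), a small Python helper that tallies a captured `show ip inspect sessions` listing by inspected protocol and state, which is one way to check Tim's suspicion that DNS entries are crowding the inspect table. The sample text is constructed in the general shape of that command's output, and the 50% "dominates" threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample in the general shape of `show ip inspect sessions`
# output; not a real capture from the poster's 2801.
SAMPLE = """\
Established Sessions
 Session 8410ECE8 (192.168.1.10:54321)=>(198.51.100.5:53) dns SIS_OPEN
 Session 8410ED40 (192.168.1.11:54322)=>(198.51.100.5:53) dns SIS_OPEN
 Session 8410EE10 (192.168.1.12:54323)=>(198.51.100.5:53) dns SIS_OPEN
 Session 8410EF20 (192.168.1.20:40001)=>(203.0.113.9:443) tcp SIS_OPEN
Half-open Sessions
 Session 8410F000 (192.168.1.21:40002)=>(203.0.113.9:80) http SIS_OPENING
 Session 8410F100 (192.168.1.22:40003)=>(203.0.113.9:80) http SIS_OPENING
"""

# One session line: id, (src:port)=>(dst:port), inspected protocol, state.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[^)]+)\)=>\((?P<dst>[^)]+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)


def parse_sessions(text):
    """Return one dict per Session line; non-matching lines are ignored."""
    return [m.groupdict() for m in SESSION_RE.finditer(text)]


def summarize(text):
    """Count sessions by inspected protocol and by state, plus the DNS share."""
    sessions = parse_sessions(text)
    by_proto = Counter(s["proto"] for s in sessions)
    by_state = Counter(s["state"] for s in sessions)
    total = len(sessions)
    dns_share = by_proto["dns"] / total if total else 0.0
    return {
        "total": total,
        "by_proto": dict(by_proto),
        "by_state": dict(by_state),
        "dns_share": dns_share,
    }


def dns_dominates(text, threshold=0.5):
    """True when DNS entries make up at least `threshold` of the table (assumed cut-off)."""
    return summarize(text)["dns_share"] >= threshold


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Paste the real listing into `SAMPLE` (or read it from a file) and compare the counts against `show ip inspect stats` over a few minutes to see whether the open-session count is flat while DNS entries keep arriving.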
