
ip urlfiltering and route-maps

cbuchmann
Level 1

Hi,

I'm having some problems with enabling a route-map and having ip url filtering function properly. Basically, I have a router with 2 internet circuits: 1 T1 (Primary) and 1 DSL (Backup). My goal is to divert all internet traffic via the backup circuit to balance the load and give more bandwidth to my business applications.

Once I enable the route map (to divert public internet traffic to my backup circuit) on my internal FA0/0, I can no longer filter traffic and everything is allowed! I verified connectivity to the URL server and everything seems fine... Am I missing some configuration steps on my route-map or interface to ensure the traffic still gets filtered?

I'm running a Cisco 2621XM with 12.4(10) Advanced IP Services. My URL filter provider is Websense. I'm also running DMVPN sourced from my T1 interface.

Here is a subset of the router's running-config:

ip urlfilter allow-mode on
ip urlfilter cache 64000
ip urlfilter urlf-server-log
ip urlfilter server vendor websense 172.20.51.38
!
interface Serial0/0
 description T1 to WorldCom
 bandwidth 1544
 no ip address
 encapsulation frame-relay IETF
 ip route-cache flow
 load-interval 30
 snmp ifindex persist
 frame-relay lmi-type ansi
 service-policy output QoS
!
interface Serial0/0.500 point-to-point
 description Primary Internet
 bandwidth 1544
 ip address xx.xx.xx.xx 255.255.255.252
 ip access-group firewalled in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect firewalled out
 ip virtual-reassembly
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
 description DSL Internet
 ip address xx.xx.xx.xx 255.255.255.248
 ip access-group dsl-firewalled in
 no ip redirects
 no ip proxy-arp
 ip mtu 1450
 ip nat outside
 ip inspect firewalled out
 ip virtual-reassembly
 load-interval 30
 speed 100
 full-duplex
 snmp ifindex persist
 no cdp enable
 crypto map aj-dsl
 service-policy output QoS
!
interface FastEthernet0/0
 ip address 172.21.160.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 ip policy route-map internet
 load-interval 30
 speed 100
 full-duplex
 snmp ifindex persist
 no cdp enable
 no mop enabled
!
ip access-list extended private_addresses
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
route-map internet permit 10
 match ip address private_addresses
 set ip next-hop verify-availability xx.xx.xx.xx 10 track 2

Thanks for all your help & advice.

Carl Buchmann

8 Replies

Edison Ortiz
Hall of Fame

Carl,

You are using PBR with object tracking; can I see that portion of the config (track 2)?

For more information on Object tracking PBRs, please read http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtpbrtrk.htm

____________

Please rate helpful posts.

Thanks

Hi Edison,

Thanks for your reply, I have included a bigger portion of the running config. I hope this helps.

Note: aaa.aaa.aaa = first 3 octets of the primary T1 circuit and bbb.bbb.bbb = first 3 octets of the DSL circuit.

Thanks

Carl

ip inspect tcp max-incomplete host 25 block-time 5
ip inspect name firewalled tcp timeout 3600
ip inspect name firewalled udp timeout 15
ip inspect name firewalled icmp
ip inspect name firewalled h323 timeout 3600
ip inspect name firewalled realaudio timeout 3600
ip inspect name firewalled http java-list 51 urlfilter timeout 30
ip ips signature 2004 0 disable
ip ips signature 2005 0 disable
ip ips name IDS
ip urlfilter allow-mode on
ip urlfilter cache 64000
ip urlfilter urlf-server-log
ip urlfilter server vendor websense 172.20.51.38
!
ip sla monitor 1
 type echo protocol ipIcmpEcho aaa.aaa.aaa.233
 timeout 1000
 threshold 40
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho bbb.bbb.bbb.209
 timeout 1000
 threshold 40
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface FastEthernet0/0
 ip address 172.21.160.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 load-interval 30
 speed 100
 full-duplex
 snmp ifindex persist
 no cdp enable
 no mop enabled
!
interface Serial0/0
 description T1 to WorldCom
 bandwidth 1544
 no ip address
 encapsulation frame-relay IETF
 ip route-cache flow
 load-interval 30
 snmp ifindex persist
 frame-relay lmi-type ansi
 service-policy output QoS
!
interface Serial0/0.500 point-to-point
 description T1 Primary Internet
 bandwidth 1544
 ip address aaa.aaa.aaa.234 255.255.255.252
 ip access-group firewalled in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect firewalled out
 ip virtual-reassembly
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
 description DSL Internet
 ip address bbb.bbb.bbb.210 255.255.255.248
 ip access-group dsl-firewalled in
 no ip redirects
 no ip proxy-arp
 ip mtu 1450
 ip nat outside
 ip inspect firewalled out
 ip virtual-reassembly
 load-interval 30
 speed 100
 full-duplex
 snmp ifindex persist
 no cdp enable
 crypto map aj-dsl
 service-policy output QoS
!
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.233 track 1
ip route 0.0.0.0 0.0.0.0 bbb.bbb.bbb.209 200
ip route 172.21.160.0 255.255.240.0 172.21.160.130
!
no ip http server
no ip http secure-server
ip nat pool aj-pool aaa.aaa.aaa.160 aaa.aaa.aaa.161 prefix-length 28
ip nat inside source route-map f0/1-nat interface FastEthernet0/1 overload
ip nat inside source route-map s0/0.500-nat pool aj-pool overload
!
ip access-list extended inet-access
 deny ip 172.21.164.224 0.0.0.31 any
 permit ip 172.21.160.0 0.0.15.255 any
ip access-list extended private_addresses
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
access-list 51 permit any
access-list 199 permit ip any host 172.20.51.38
access-list 199 permit ip host 172.20.51.38 any
!
route-map s0/0.500-nat permit 10
 match ip address inet-access
 match interface Serial0/0.500
!
route-map internet permit 10
 match ip address private_addresses
 set ip next-hop verify-availability bbb.bbb.bbb.209 10 track 2
!
route-map f0/1-nat permit 10
 match ip address inet-access
 match interface FastEthernet0/1
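To make the posted PBR and static-route logic concrete, here is an added model (not code from the original post) of the forwarding decision for a packet entering FastEthernet0/0: it encodes the ACL private_addresses, route-map internet with its track 2 condition, the tracked and floating default routes, and the 172.21.160.0/20 static. It assumes the post's own aaa.aaa.aaa.x / bbb.bbb.bbb.x placeholders and does not model the DMVPN routes, which the thread does not show.

```python
# Added example, not from the original post: a model of the forwarding
# decision the posted config makes for a packet that enters FastEthernet0/0.
# aaa.aaa.aaa.x / bbb.bbb.bbb.x are the post's placeholders; the DMVPN
# routes are not shown in the thread and so are not modelled here.
import ipaddress
from typing import Tuple

T1_NEXT_HOP = "aaa.aaa.aaa.233"   # placeholder from the post (T1 peer)
DSL_NEXT_HOP = "bbb.bbb.bbb.209"  # placeholder from the post (DSL peer)

# ip access-list extended private_addresses (destination-based entries)
PRIVATE_ADDRESSES_ACL = [
    ("deny", ipaddress.ip_network("10.0.0.0/8")),        # 0.255.255.255
    ("deny", ipaddress.ip_network("172.16.0.0/12")),     # 0.15.255.255
    ("deny", ipaddress.ip_network("192.168.0.0/16")),    # 0.0.255.255
    ("permit", ipaddress.ip_network("0.0.0.0/0")),       # permit ip any any
]


def acl_permits(dst: str) -> bool:
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    ip = ipaddress.ip_address(dst)
    for action, net in PRIVATE_ADDRESSES_ACL:
        if ip in net:
            return action == "permit"
    return False


def next_hop(dst: str, track1_up: bool, track2_up: bool) -> Tuple[str, str]:
    """Return (next_hop, reason) for a packet from the inside LAN to dst."""
    # route-map internet permit 10 on FastEthernet0/0: a destination the ACL
    # permits (a public address) is policy-routed to the DSL peer, but only
    # while track 2 (ip sla 2, echo to the DSL peer) reports reachable.
    if acl_permits(dst) and track2_up:
        return DSL_NEXT_HOP, "PBR: route-map internet -> DSL"
    # RFC 1918 destinations, or track 2 down: fall through to the routing table.
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network("172.21.160.0/20"):
        return "172.21.160.130", "static: 172.21.160.0/20"
    if track1_up:  # ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.233 track 1
        return T1_NEXT_HOP, "static default via T1 (track 1 up)"
    # ip route 0.0.0.0 0.0.0.0 bbb.bbb.bbb.209 200 (floating static)
    return DSL_NEXT_HOP, "floating static default via DSL (AD 200)"
```

The model covers the routing decision only; it does not reproduce the CEF and URL-filter interaction that the thread works out later.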

If you don't mind, and to verify the problem is not related to the object tracking config, can you please use the next-hop command within the route-map without the track option?

If it works, then put the object tracking back and post the output from typing

show ip sla monitor configuration

and

show ip sla monitor statistics

Thanks

Hi Edison,

The track option is working fine and the traffic is going the predicted path. My problem is that once I apply the route-map the traffic no longer gets filtered via Websense...

We were able to reproduce the problem on a test router. We noticed that by turning off ip cef the traffic was getting filtered again, and we could say it's a workaround for the issue. Is there an incompatibility between CEF and route-maps?

Thanks

Carl

Carl,

With IP CEF enabled, the packet is fast switched, so it's not being inspected in completion by the route-maps.

HTH,

OK Thanks,

So what do you suggest? Can I disable ip cef for just that interface or for that route-map specifically?

IP CEF does help reduce the CPU load on my router, so I would prefer not having to disable it globally.

Thanks

Carl

Carl,

You can use the interface command

no ip route-cache cef

to disable cef on the intended interface.

Please let us know how it works out.

Thanks

Hi Edison,

The URL filtering does work when we turn off CEF, and it also works when we simply disable CEF on that interface only. So, yes, there is a workaround, but we really would like to run it with CEF... at this point I'm not sure if this is a bug or simply by design, as I was unable to find information on Cisco's Web site stating incompatibility between CEF, route-maps and inspect commands.

Thanks

Carl
