Re: ISR CBAC prolem
- From: "Igor Mamuzic" <no@xxxxxxx>
- Date: Mon, 23 Jan 2006 20:47:18 +0100
thanks for helping me to troubleshoot this issue, I have some updates
regarding this case:
When I apply CBAC (input direction) onto inside interface without any ACL's
applied on any interfaces it still shows dropped packets anyway if you
activate 'ip inspect log drop-pkt'. Here is log output:
004681: Jan 23 10:52:32: %FW-6-DROP_PKT: Dropping tcp pkt
22.214.171.124:1404 => 126.96.36.199:80
004682: Jan 23 10:53:21: %FW-6-DROP_PKT: Dropping tcp pkt 188.8.131.52:80
004703: Jan 23 11:01:59: %FW-6-DROP_PKT: Dropping tcp pkt
184.108.40.206:35608 => 220.127.116.11:443
As you can see from the output above it seems that it drops both outbound
(18.104.22.168:1404 => 22.214.171.124:80) and inbound (126.96.36.199:80 =>
Here are answers on your questions:
1) Have you determined if packets are arriving out of order?
I have to check once again...I'll let you know what I found out... Now,
regarding UDP, I think I saw udp traffic being dropped such as dns
2) I'm running CEF and netflow on both outside and inside interfaces...
3) Packets that being dropped are mostly http/https traffic which should be
inspected with generic tcp inspection, but these apps represents the
majority of our internet traffic.
4) Yet another thing I forgot to mention in my previous post - traffic
drops occurs only at heavier traffic load conditions, that is during a
working day, but when traffic amount is low on evening or during weekends
CBAC performs ok...
"Cisco" <cody.rowland@xxxxxxxxx> wrote in message
> It's difficult to diagnose these kinds of issues without having more
> config information as well as a better description of exactly what
> you're seeing. It would be helpful to know the answers to these
> 1) Have you determined if packets are arriving out of order? CBAC
> doesn't react well when sequence numbers arrive significantly out of
> order. Just how out of order packets need to be to cause problems
> depends on your TCP and Inspect timeout configuration but I suspect
> that this might be a factor in your case because you specifically
> mention the same problem with UDP traffic. Since UDP is connectionless
> CBAC's only job when processing generic UDP traffic is to open a
> "window" to the destination and start monitoring the flow for activity.
> If no activity is detected within a certain time period, the window
> will be closed by CBAC. At that point, any return traffic is going to
> be dropped. If you see this type of thing a lot, you might want to
> increase the inspection timouts. The easiest way to quickly identify
> this type of problem is with a packet trace. Ethereals' built in TCP
> sequence analysis will spot these kinds of problems very quickly....
> 2) Are you running CEF/Flow switching?
> 3) Have you determined if it's a specific type of flow that's
> consistently causing the problem? (FTP, DNS, etc.) Or does it happen
> with all different types of flows regardless specific or generic
> This is only one of many possible reasons you're seeing traffic
> dropped. If you provide more information, I'd be glad to help you
> identify the problem and provide some solutions that have worked for me
> over the years.
> C. Rowland
- Prev by Date: Re: PIX Version 6.3(4) "interface" vs IP adress
- Next by Date: Re: Contracts that allow upgrade of IOS?
- Previous by thread: Re: ISR CBAC prolem
- Next by thread: Cisco VPN Client for Windows Mobile 5?