[c-nsp] In your opinions, is this an IOS bug or not?

Ted Mittelstaedt tedm at toybox.placo.com
Sat Mar 5 02:37:57 EST 2005



> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Luan Nguyen
> Sent: Friday, March 04, 2005 9:58 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] In your opinions, is this an IOS bug or not?
>
>
> According to Cisco this problem is the correct behavior of http inspection.
> Documented with bug ID CSCea18189.
> http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea18189
> Release-note: high cpu with http inspect configured for cbac
>
> This is not a bug. This is the default behavior of HTTP Inspection. If HTTP
> inspection is enabled (ip inspect <name> http) the Java Applet inspection is
> enabled by default. In such a case packets are punted to process level by
> the HTTP Firewall feature. This consumes most of the CPU.
>
> In case you do not want Java Applet blocking for trusted sites you should
> use a java access list to permit the applets. The packets from the trusted
> sites are fast switched, for which CPU consumption is very low. The denied
> packets are sent to the process level.
>
> Sample configuration:
>
>
> !--- Inspection rule that references the Java ACL (access-list 3)
> ip inspect name firewall http java-list 3 audit-trail on
>
> !--- ACL used for Java
> access-list 3 permit 216.157.100.247
> !--- ACL used to block inbound traffic
> !--- except that permitted by inspects
>
> To disable Java applet blocking from all sites use the following:
> access-list 3 permit any
>
>
> For more details, see the following URL for configuration details:
>
> http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800949e3.shtml
>

All good info except that the http inspect statement in the
router was already set up to deny Java from everywhere save one
site.  And the testing was done after hours when only the IT
people and myself were using the dual T1s.  And we did not
surf to Java sites.

And, even when the http inspect statement was removed, the
router still only lasted about 7 hours before it stopped passing
packets.

> There is also this one: CSCed37905  IOS IDS causes HTTP performance to go to
> a crawl.  Fixed in 12.3(7.5), 12.3(7.6)T
>

There were no ip audit statements in the router at all.  IDS was not
enabled.

Ted
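For reference, below is a complete CBAC configuration of the kind the thread describes (HTTP inspection with Java applets blocked from everywhere except one permitted server), with the alternative "permit any" line and the show commands used to check whether HTTP traffic is being punted to process switching. This is an added editor's example, not configuration from either poster's router or from the Cisco document quoted above; the interface names, the 192.0.2.10 trusted host, and the 10.0.0.0/24 and 203.0.113.0/30 addresses are placeholders.

```cisco
! Added example (not from the thread): CBAC with HTTP inspection and a
! Java applet ACL. Interface names and addresses are placeholders.
!
! Inspection rule. "http java-list 3" inspects HTTP and uses standard
! access-list 3 to decide which web servers' Java applets are permitted.
! Applets from servers NOT permitted by ACL 3 are blocked; per the reply
! quoted above, that traffic is punted to process level (the high-CPU case).
ip inspect name firewall http java-list 3 audit-trail on
ip inspect name firewall tcp
ip inspect name firewall udp
!
! Java ACL: only applets served from this host pass without punting.
access-list 3 permit 192.0.2.10
! To stop Java applet blocking entirely (everything fast switched) use
! this single line instead of the host entry above:
!   access-list 3 permit any
!
! Inbound ACL on the WAN side: deny by default; CBAC opens temporary
! return-traffic entries for the outbound sessions it inspects.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
interface Serial0/0
 description WAN link (placeholder)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect firewall out
!
interface FastEthernet0/0
 description Inside LAN (placeholder)
 ip address 10.0.0.1 255.255.255.0
!
! Verification after the change:
!   show ip inspect config       - confirm java-list 3 is attached to "http"
!   show ip inspect sessions     - sessions currently tracked by CBAC
!   show processes cpu sorted    - which processes sit at the top while
!                                  users browse; compare with the ACL at
!                                  "permit any" to isolate the Java path
!   show interfaces switching    - process- vs fast-switched packet counts
!                                  per interface, to see punting directly
```

The comparison that matters is the third and fourth show commands run twice: once with the single-host Java ACL and once with `access-list 3 permit any`. If process-switched counts and CPU fall with the permit-any ACL, the Java applet path is the cost; if they do not change, as Ted reports after removing the inspect line altogether, the cause lies elsewhere.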


