[c-nsp] In your opinions, is this an IOS bug or not?

Luan Nguyen luan.nguyen at mci.com
Fri Mar 4 08:32:00 EST 2005


There is a bug with http inspect in CBAC.  I could dig up the bug number if
you need to.  But just get rid of that line and let tcp do the inspect and
you should be fine :)

Luan

----- Original Message ----- 
From: "Ted Mittelstaedt" <tedm at toybox.placo.com>
To: <cisco-nsp at puck.nether.net>
Sent: Friday, March 04, 2005 3:51 AM
Subject: [c-nsp] In your opinions, is this an IOS bug or not?


> Hi All,
>
>   OK, I have a situation here that looks like an IOS bug; let me
> know your opinions, please.  If enough of you think it is, then I'll
> go ahead and get it filed.
>
>   We have a customer that was running the IOS Firewall Feature set on a
> Cisco 3620 with no problem.  The 3620 had a single point-to-point T1 coming
> into it from us, and a single Ethernet port that went to their inside
> network.  The 3620 was running address translation.  There was an inspection
> access list in the router, although not a very extensive one.  This config
> and installation was running fine for several years now and through several
> IOS revs.
>
>   The customer wanted to go to 2 T1s for higher throughput and for some
> redundancy.  So we set them up with a second point-to-point into a second
> serial interface on their router.  On our side both T1s from them
> terminated into a 7206.  I personally set up both T1s, ran pattern testing
> with the telco, etc.  Same model DSUs in use on both ends of each T span.
>
>   So I go and set up their 3620 with 12.2.27 IOS and ip cef, and our 7206
> with the same version, except our side is IP only and their side is the FW
> feature set.  No dynamic routing going on, purely static routes on each side.
>
>   When I turn on the second T1 and start measuring throughput, we find the
> throughput has now sunk into the toilet.  We are talking no more than a
> T1's worth, going from a desktop on their end to a server on ours.  Internet
> throughput is awful; they are lucky to get 128 kbps, if that.  A lot of web
> sites aren't even coming up.
>
>   I try a few things over the next couple of days, switched from
> per-destination to per-packet load balancing, etc.  Finally I notice the CPU
> utilization on their router is around 80-100%.  I am stymied, so I yard over
> one of our spare 7206s.  Now we have 2 7206s on each end of these 2 T1s.
> And the same baloney is going on, although CPU utilization on their side is
> only around 25%.  Over the next day or so the 7206 on their end reboots
> itself a few times.
>
>   Eventually I say enough of this, it must be ip cef.  So I turn it off on
> both sides and set up multilink PPP.  And the SAME bullshit is going on:
> Internet throughput is awful, web sites aren't even coming up, etc.
>
>   Finally, I notice one thing: FTP transfers seem to be flying along.  HTTP
> transfers aren't.  So, I pull the inspection statement covering http from
> their router.  Voila, instantly they are now getting the 3MB.  This lasts
> for about 8 hours and then it's crawling again.  So, I remove every scrap
> and trace of any IOS Firewall inspection statements and reboot the router,
> and everything is now fine.  CPU utilization is down to 2% or so.  Life is
> good.
>
>   So, is there a known problem with the IOS Firewall Feature set, Address
> Translation, IP Tunnel (there's a tunnel interface on this router) and
> load-balanced T1s in IOS?  Has anyone run into anything like this before?
> Do you think this is a bug?
>
> Ted Mittelstaedt
> Internet Partners, Inc.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
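The change Luan suggests, shown as an added IOS configuration illustration that is not taken from either poster's router: drop the protocol-specific http inspection entry and keep the generic tcp inspection, which still tracks HTTP sessions as ordinary TCP flows. The inspection rule name CBAC, the interface name and the presence of the udp entry are assumptions.

```cisco
! Before: CBAC rule set that includes the application-layer http inspection
! entry. This is the line the reply above says to remove.
ip inspect name CBAC http
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! After: remove only the http entry. HTTP sessions are still stateful-
! inspected by the generic tcp entry; only the HTTP-specific engine is gone.
no ip inspect name CBAC http
!
! Rule application (assumed interface name); this part is unchanged.
interface FastEthernet0/0
 description Inside LAN
 ip inspect CBAC in
!
! Confirm what is still being inspected, then re-check CPU load, since
! high CPU was the symptom reported in the thread.
! show ip inspect config
! show processes cpu
```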
