[c-nsp] In your opinions, is this an IOS bug or not?

Luan Nguyen luan.nguyen at mci.com
Fri Mar 4 12:57:49 EST 2005


According to Cisco this problem is the correct behavior of http inspection.
Documented with bug ID CSCea18189.
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea18189
Release-note: high cpu with http inspect configured for cbac

This is not a bug. This is the default behavior of HTTP Inspection. If HTTP
inspection is enabled (ip inspect <name> http) the Java Applet inspection is
enabled by default. In such a case packets are punted to process level by
the HTTP Firewall feature. This consumes most of the CPU.

In case you do not want Java Applet blocking for trusted sites you should
use a java access list to permit the applets. The packets from the trusted
sites are fast switched, for which CPU consumption is very low. The denied
packets are sent to the process level.

Sample configuration:


!--- Inspection rule that references the Java ACL
ip inspect name firewall http java-list 3 audit-trail on

!--- ACL used for Java
access-list 3 permit 216.157.100.247

!--- ACL used to block inbound traffic
!--- except that permitted by inspects

To disable Java applet blocking from all sites use the following:
access-list 3 permit any


For more details, see the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800949e3.shtml

There is also this one: CSCed37905 "IOS IDS causes HTTP performance to go to
a crawl." Fixed in 12.3(7.5), 12.3(7.6)T

Luan
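The two CBAC configurations the thread contrasts, written out as one complete
fragment. This is an added example, not part of Luan's post or of the Cisco
document he links; the inspection rule name FW, ACL numbers 3 and 110, the
interface names and the two-T1 topology are assumptions for illustration (the
address 216.157.100.247 is the one from the sample above).

```cisco
! Added example, not from the original post or the Cisco document.
! Rule name FW, ACL numbers 3 and 110 and interface names are assumed.

! ---- Setting that produced the symptom in this thread ----
! "http" inspection with no java-list enables Java applet inspection for
! every site, so every HTTP packet leaves the fast path and is punted to
! process level; the router CPU pegs (CSCea18189, "expected behaviour").
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http

! ---- Fix 1 (Luan's first reply): drop the http line and let the generic
!      tcp inspection track port 80 sessions ----
no ip inspect name FW http

! ---- Fix 2 (Luan's second reply): keep HTTP inspection but scope applet
!      blocking with a java-list ----
! Sources permitted by the java-list stay fast switched; only denied
! sources are punted to process level.
access-list 3 remark Trusted Java applet sources (fast switched)
access-list 3 permit 216.157.100.247
! To keep HTTP inspection but disable applet blocking everywhere, use
! "access-list 3 permit any" instead of the host entry above.
ip inspect name FW http java-list 3 audit-trail on

! ---- Where the rule is applied (assumed: Ethernet inside, two T1s out) ----
! The inbound ACL on the WAN side blocks everything except the return
! traffic that inspection opens dynamically. No "log" keyword on the final
! deny: logged denies are themselves process switched.
access-list 110 remark Inbound from ISP: only openings created by FW
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 deny   ip any any

interface FastEthernet0/0
 description Customer LAN
 ip inspect FW in

interface Serial0/0
 description T1 #1 to ISP
 ip access-group 110 in

interface Serial0/1
 description T1 #2 to ISP
 ip access-group 110 in
```

To confirm which variant is in effect and whether HTTP is still being punted,
use `show ip inspect config` (lists the protocols in the rule and the java-list
bound to http), `show interfaces Serial0/0 stats` (the Processor row against
the Route cache row shows how much traffic is process switched), and
`show processes cpu` (a high process-level share, as opposed to interrupt
level, matches the 80-100% Ted saw).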




----- Original Message ----- 
From: "Luan Nguyen" <luan.nguyen at mci.com>
To: "Ted Mittelstaedt" <tedm at toybox.placo.com>; <cisco-nsp at puck.nether.net>
Sent: Friday, March 04, 2005 8:32 AM
Subject: Re: [c-nsp] In your opinions, is this an IOS bug or not?


> There is a bug with http inspect in CBAC.  I could dig up the bug number
> if you need to.  But just get rid of that line and let tcp do the inspect
> and you should be fine :)
>
> Luan
>
> ----- Original Message ----- 
> From: "Ted Mittelstaedt" <tedm at toybox.placo.com>
> To: <cisco-nsp at puck.nether.net>
> Sent: Friday, March 04, 2005 3:51 AM
> Subject: [c-nsp] In your opinions, is this an IOS bug or not?
>
>
> > Hi All,
> >
> >   OK I have a situation here that looks like an IOS bug, let me
> > know your opinions, please.  If enough of you think it is, then I'll
> > go ahead and get it filed.
> >
> >   We have a customer that was running IOS Firewall Feature set on a
> > Cisco 3620 no problem.  The 3620 had a single point to point T1 coming
> > into it from us, a single Ethernet port that went to their inside
> > network.  The 3620 was running address translation.  There was an
> > inspection access list in the router, although not very extensive.
> > This config and installation was running fine for several years now
> > and through several IOS revs.
> >
> >   The customer wanted to go to 2 T1s for higher throughput and for some
> > redundancy.  So we set them up with a second point to point into a
> > second serial interface into their router.  On our side both T1's from
> > them terminated into a 7206.  I personally set up both T1s, ran pattern
> > testing with the telco, etc.  Same model DSUs in use on both ends of
> > each T span.
> >
> >   So I go and set up their 3620 with 12.2.27 IOS and ip cef, and our
> > 7206 with the same version, except our side is IP only, their side is
> > FW feature set.  No dynamic routing going on, purely static routes on
> > each side.
> >
> >   When I turn on the second T1 and start measuring throughput we find
> > the throughput has now sunk into the toilet.  We are talking no more
> > than a T1's worth, going from a desktop on their end to a server on
> > ours.  Internet throughput is awful, they are lucky to get 128 kbps if
> > that.  A lot of web sites aren't even coming up.
> >
> >   I try a few things over the next couple days, switched from
> > per-destination to per-packet load balancing, etc.  Finally I notice
> > the CPU utilization on their router is around 80-100%.  I am stymied,
> > so I yard over one of our spare 7206s.  Now we have 2 7206's on each
> > end of these 2 T1s.  And the same baloney is going on - although CPU
> > utilization on their side is only around 25%.  Over the next day or so
> > the 7206 on their end reboots itself a few times.
> >
> >   Eventually I say enough of this, it must be ip cef.  So I turn it off
> > on both sides and set up multilink PPP.  And the SAME bullshit is going
> > on - Internet throughput is awful, web sites aren't even coming up, etc.
> >
> >   Finally, I notice one thing - FTP transfers seem to be flying along.
> > HTTP transfers aren't.  So, I pull the inspection statement covering
> > http from their router.  Voila - instantly they are now getting the
> > 3MB.  This lasts for about 8 hours and then it's crawling again.  So, I
> > remove every scrap and trace of any IOS Firewall inspection statements
> > and reboot the router and everything is now fine.  CPU utilization is
> > down to 2% or so.  Life is good.
> >
> >   So, is there a known problem with IOS Firewall Feature set, Address
> > Translation, IP Tunnel (there's a tunnel interface on this router) and
> > load-balanced T1s in IOS?  Has anyone run into anything like this
> > before?  Do you think this is a bug?
> >
> > Ted Mittelstaedt
> > Internet Partners, Inc.
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
