[c-nsp] In your opinions, is this an IOS bug or not?

Luan Nguyen luan.nguyen at mci.com
Sun Mar 6 22:07:33 EST 2005


Ted, sorry for not reading your post closely.  I didn't see the "lasting only
about 8 hours" part.  I thought you hit the same problem as I did.  I had a
problem with a 2691.
For me, removing the http statement works fine.  The first bug didn't seem
like a good explanation, but I was okay with the second bug: "The problem was
caused due to the fact that the first tcp segment of any http response was
getting punted to process path and hence the subsequent packets were getting
dropped in fast_path as they were considered out-of-order (since the first
pkt has not been processed in fast path)".  Tested the suggested IOS and the
http inspect statement works fine.  I probably will reopen my old TAC case
to ask for clarification on the IDS stuff, since we don't run the IDS feature
either - we just happen to use the FW/IDS plus image.

Luan

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com] 
Sent: Saturday, March 05, 2005 2:24 AM
To: Luan Nguyen; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] In your opinions, is this an IOS bug or not?



> -----Original Message-----
> From: Luan Nguyen [mailto:luan.nguyen at mci.com]
> Sent: Friday, March 04, 2005 5:32 AM
> To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] In your opinions, is this an IOS bug or not?
>
>
> There is a bug with http inspect in CBAC.  I could dig up the bug number if
> you need to.  But just get rid of that line and let tcp do the inspect and
> you should be fine :)
>

Luan, if you can't be bothered to read the post please don't waste time
replying to it.  Please reread the following:

" So, I pull the inspection statement covering http from their router.  voila -
instantly they are now getting the 3MB.  This lasts for about 8 hours and then
it's crawling again.  So, I remove every scrap and trace of any IOS Firewall
inspection statements and reboot the router and everything is now fine."

Was it somehow unclear that I already knew that getting rid of the line
and letting tcp do the inspect would fix the problem?

I appreciate the effort but when you don't pay attention to the post,
the old GIGO rule applies and I can't use anything you come up with.

Unfortunately, the following day after I wrote that post guess what -
the router died again.  And there were NO INSPECTION STATEMENTS WHATSOEVER
in it.  I went ahead and put it to a non-IOS Firewall feature set, we
will see how long that lasts.

Ted
