topic Zone based firewall slowing downloads in Network Security

Zone based firewall slowing downloads

mbluemel — Mon, 11 Mar 2019 22:25:19 GMT

I have a customer with an 877 series router with a zone-based firewall configuration. If they try to download anything the speed slows to a crawl and becomes almost unresponsive. I have tested with the zone pairs unapplied and it is fine. Can anyone point out what I need to remove/change from this config to improve things? Many thanks in advance.

Zone based firewall slowing downloads

Maykol Rojas — Tue, 07 Feb 2012 14:46:58 GMT

If they are http downloads, you can try to remove the http inspections on your policy.

class-map type inspect match-any ccp-cls-insp-traffic

no match protocol http

policy-map type inspect ccp-inspect

no class type inspect ccp-protocol-http

Then, if the issue persist, you can enable the logs of Zone based to see if packets are being dropped

router(config)# ip inspect log drop-pkt

Then enable the logs and see what appears there, if you get drops due to straight segment mostlikely they are Out of Order packets and you will need to double check the link with your ISP. Other logs may tell you that they are indeed out of order packets.

The reason why it works with the Zone based off, is because (if the root cause is out of order and not just the inspection causing delay) the Router dont care if the packets come out of Order, it is just in charge of routing them.

Let me know if you have questions.

Mike

Zone based firewall slowing downloads

mbluemel — Tue, 07 Feb 2012 15:58:20 GMT

Thanks for the reply. I am sure I have tried removing the inspection and it didnt help. I will try it again tomorrow just in case. I will let you know how I get on.

Zone based firewall slowing downloads

Maykol Rojas — Tue, 07 Feb 2012 16:17:45 GMT

Fair enough,

Keep me updated.

Mike

Zone based firewall slowing downloads

mbluemel — Thu, 09 Feb 2012 14:33:15 GMT

I tried taking the http inspection rules out and had the same problem.

debug messages :

000168: Feb 9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0

000169: Feb 9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0

000170: Feb 9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0

000171: Feb 9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823 due to Out-Of-Order Segment with ip ident 0

000172: Feb 9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897 due to Out-Of-Order Segment with ip ident 0

000173: Feb 9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0

Zone based firewall slowing downloads

Maykol Rojas — Thu, 09 Feb 2012 20:47:29 GMT

Just what I suspected. Would you be able to contact your Carrier and check their circuit?

Mike

Zone based firewall slowing downloads

mbluemel — Fri, 10 Feb 2012 08:25:42 GMT

Hi Mike. I found this thread and think it may be the answer to my problem. I am going to try and give it a try in the next few days. I am very busy at the moment and going on leave next week so cannot guarantee it will be done next week but I will let you know how it goes.

http://www.dslreports.com/forum/remark,24332834

Thanks for your assistance with this.

Zone based firewall slowing downloads

Maykol Rojas — Fri, 10 Feb 2012 22:46:48 GMT

If I am not mistaken, that parameter map for OoO packets is available on version 15 and higher, it may alleviate the issue, (never worked for me thou) but, if it does, then great. Let me know how it goes.

Mike.

Zone based firewall slowing downloads

mbluemel — Thu, 16 Feb 2012 14:51:10 GMT

Not an option to upgrade unfortunately. Not enough ram or flash on the router.

Looks like we will have to rebuild the router without the zone based firewall.

Oh well. Thanks for your input anyway.

Zone based firewall slowing downloads

nickbrooker — Thu, 28 Jun 2012 18:55:45 GMT

Hi, I had exactly the same experience on an SR520 (basically an 877 with a different case) so maybe the 877 is not up to ZBFW but having said that the CPU never really broke a sweat. Speedtest just showed up and downloaded running about 25% of what they did on the classic firewall.

This is our home router so we had a chance to play but I couldn't get the performace to match the classic so we're back on that. Might be a software version thing. I don't have smartnet so I can't test this.

Nick