https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731330#M589544 <HTML><HEAD></HEAD><BODY><P>Rama,</P><P></P><P>I will take a closer look at what application is responsible for the traffic and advise.&nbsp; I will use your suggested command on comment on my findings.</P><P></P><P>At this point, my video streaming applications are no longer experiencing any jitter/slowness since the upgrade to IOS 15.&nbsp; So, I suspect that the remaining packets from my desktop computer that are being dropped by the INSPECT command are coming from another application on my computer.</P><P></P><P>I will investigate and advise.&nbsp; Thanks!</P><P></P><P>James</P></BODY></HTML> Mon, 20 Jun 2011 21:13:12 GMT jaesposito 2011-06-20T21:13:12Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731301#M589439 <P>All,</P><P></P><P>I suspect that I am experiencing performance issues related to my firewall zone configuration AND/OR the inspection being done on packets.&nbsp; With that in mind, I have two basic questions based on my attached configuration:</P><P></P><P>1.)&nbsp; In looking at my configuration, what purpose do these default firewall zones AND inspect commands have for this router, which I am using on a plain DSL connection in my home?</P><P>2.)&nbsp; Could any part of this configuration be responsible for slowing down some of my home devices such as my AppleTV for streaming Netflix, YouTube?</P><P></P><P>The router is a 881W and is running 12.4.24.T5.&nbsp; If you feel that any parts of this configuration are unnecessary and might be contributing to my performance issues, please feel free to chime in.</P><P></P><P>Thank you for the help!</P><P></P><P>James E</P> Mon, 11 Mar 2019 20:45:53 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731301#M589439 jaesposito 2019-03-11T20:45:53Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731302#M589458 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>May be out of order packets and the inspection is messing with them, your config looks fine. Would you please put the following command on the Routing: </P><P></P><P>Conf t </P><P>ip inspect log drop-pkt </P><P>do term mon </P><P></P><P>Try to access Youtube from the PC, TV, or whatever device has slow connection, gather the logs, and paste them over here. </P><P></P><P>Cheers </P><P></P><P>Mike </P></BODY></HTML> Thu, 16 Jun 2011 04:36:08 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731302#M589458 Maykol Rojas 2011-06-16T04:36:08Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731303#M589470 <HTML><HEAD></HEAD><BODY><P>Ok.&nbsp; I added that config parameters.&nbsp; Here is the log output when I attempt to use Netflix on the AppleTV (IP 192.168.1.102):</P><P></P><P>000040: *Jun 16 18:07:54.567 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000041: *Jun 16 18:08:24.871 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000042: *Jun 16 18:08:55.115 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51764&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000043: *Jun 16 18:09:25.759 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51766&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000044: *Jun 16 18:09:55.911 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51768&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000045: *Jun 16 18:10:26.355 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51770&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000046: *Jun 16 18:10:56.367 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51770&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000047: *Jun 16 18:11:26.839 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51773&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000048: *Jun 16 18:11:57.447 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51774&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000049: *Jun 16 18:12:27.691 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51776&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000050: *Jun 16 18:12:27.691 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51776&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000051: *Jun 16 18:12:57.931 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51777&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000040: *Jun 16 18:07:54.567 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000041: *Jun 16 18:08:24.871 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000042: *Jun 16 18:08:55.115 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51764&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000043: *Jun 16 18:09:25.759 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51766&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000044: *Jun 16 18:09:55.911 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51768&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000045: *Jun 16 18:10:26.355 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51770&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000046: *Jun 16 18:10:56.367 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51770&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000047: *Jun 16 18:11:26.839 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51773&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000048: *Jun 16 18:11:57.447 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51774&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000049: *Jun 16 18:12:27.691 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51776&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000050: *Jun 16 18:12:27.691 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51776&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000051: *Jun 16 18:12:57.931 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51777&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000052: *Jun 16 18:13:27.975 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51779&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P></P><P></P><P>Here is the log output when I try to visit YouTube from the AppleTV (IP 192.168.1.102):</P><P></P><P>000054: *Jun 16 18:13:58.435 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000055: *Jun 16 18:14:28.559 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51794&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000056: *Jun 16 18:14:28.559 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51794&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000057: *Jun 16 18:15:36.979 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000058: *Jun 16 18:16:38.591 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.13:80 192.168.1.102:51800&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0<BR />000059: *Jun 16 18:16:38.591 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.13:80 192.168.1.102:51800&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0<BR />000060: *Jun 16 18:17:08.639 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.13:80 192.168.1.102:51800&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0<BR />000061: *Jun 16 18:17:38.903 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51804&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P></P><P>Also, I happened to notice that trying to access YouTube from my desktop computer (192.168.1.112) is also an issue: </P><P></P><P>000064: *Jun 16 18:18:52.043 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.157.101:80 192.168.1.112:49766&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000065: *Jun 16 18:19:32.343 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.157.101:80 192.168.1.112:49765&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000067: *Jun 16 18:20:04.939 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.22:80 192.168.1.112:49797&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000068: *Jun 16 18:20:37.955 PCTime: %FW-6-DROP_PKT: Dropping tcp session 208.117.249.22:80 192.168.1.112:49816&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P></P><P>...and Netflix from my desktop computer (182.168.1.112) is also an issue:</P><P></P><P>000070: *Jun 16 18:21:11.771 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.18.43.163:80 192.168.1.112:49827&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000071: *Jun 16 18:21:55.215 PCTime: %FW-6-DROP_PKT: Dropping tcp session 184.73.247.254:80 192.168.1.112:49823&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000071: *Jun 16 18:21:55.215 PCTime: %FW-6-DROP_PKT: Dropping tcp session 184.73.247.254:80 192.168.1.112:49823&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000074: *Jun 16 18:22:31.655 PCTime: %FW-6-DROP_PKT: Dropping tcp session 184.73.247.254:80 192.168.1.112:49823&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000075: *Jun 16 18:23:49.935 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000077: *Jun 16 18:24:39.219 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000079: *Jun 16 18:25:28.479 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P></P><P>It looks like the consistent issue is the dropping of "Out-Of-Order Segment."&nbsp; I havent the faintest idea what that means.</P><P></P><P>Any ideas on how we can tackle this?&nbsp; Thank you so much!</P><P></P><P>James E</P></BODY></HTML> Thu, 16 Jun 2011 23:24:41 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731303#M589470 jaesposito 2011-06-16T23:24:41Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731304#M589483 <HTML><HEAD></HEAD><BODY><P>Thats what I thought. </P><P></P><P>In out of order packets issues, Main thing would be to contact the service provider and tell them that you are reciving out of order packets, if there is no positive answer from your ISP, you can try something that is on the router called out of order buffer, here is the document </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1122609">http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1122609</A></P><P></P><P>If the performance is not improve or the version of your router does not support the parameter map type ooo, best thing would be contacting the ISP in order to check why you are getting out of order packets. </P><P></P><P>I know what you are thinking, you may say, "Why would I contact the ISP? If no firewall is in place, everything workes!", the answer is that Unfortunately, ZBF is very sensitive to out of order packets many out of sequence packets can be a real headache to firewalls, IPS etc, because this can cause evasion attacks, where the security device cannot see the entire packet to analyze the payload and determine wether is normal or malicious. </P><P></P><P>That being said, is better to drop them if they are suspicious, than just let them pass and that they cause a bigger issue inside the network . </P><P></P><P>Hope this explanation serves you well. </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 00:10:31 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731304#M589483 Maykol Rojas 2011-06-17T00:10:31Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731305#M589489 <HTML><HEAD></HEAD><BODY><P>So here's whats interesting.&nbsp; If I downgrade the IOS to124-20.T3 and run the same configuration, then I do not run into this problem.&nbsp; Strange eh?</P><P></P><P>Assuming that the above doesnt bring anything new to the conversation, could I change my configuration to ignore out of order packets?&nbsp; If so, could you give me the config line commands to do so?</P><P></P><P>Thank you very much for the help!</P><P></P><P>James</P><P></P><P>p.s. - On a related note, when I'm running the older IOS 12.4.20.T3, here is what I'm seeing the inspect function do now with web traffic from my desktop computer due to "match failure with ip ident 0" (any idea what that is?):</P><P></P><P>000220: *Jun 16 20:40:54.495 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000221: *Jun 16 20:41:43.863 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000222: *Jun 16 20:42:33.235 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000223: *Jun 16 20:43:22.607 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000224: *Jun 16 20:44:11.979 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000225: *Jun 16 20:45:01.367 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000226: *Jun 16 20:45:50.767 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000227: *Jun 16 20:46:40.155 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000228: *Jun 16 20:47:29.527 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000229: *Jun 16 20:48:18.899 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000230: *Jun 16 20:49:08.271 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000231: *Jun 16 20:49:57.659 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000232: *Jun 16 20:50:47.031 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000233: *Jun 16 20:51:36.399 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000234: *Jun 16 20:52:25.771 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000235: *Jun 16 20:53:15.147 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000236: *Jun 16 20:54:04.515 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000237: *Jun 16 20:54:53.835 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000238: *Jun 16 20:55:43.223 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000239: *Jun 16 20:56:32.595 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000240: *Jun 16 20:57:22.103 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000243: *Jun 16 20:59:00.743 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000244: *Jun 16 20:59:37.927 PCTime: %FW-6-DROP_PKT: Dropping tcp session 216.115.98.241:80 192.168.1.112:49985&nbsp; due to&nbsp; Stray Segment with ip ident 0</P><P>000245: *Jun 16 21:00:15.351 PCTime: %FW-6-DROP_PKT: Dropping tcp session 67.195.160.134:80 192.168.1.112:50045&nbsp; due to&nbsp; SYN inside current window with ip ident 0</P><P>000246: *Jun 16 21:00:51.327 PCTime: %FW-6-DROP_PKT: Dropping tcp session 98.139.51.132:80 192.168.1.112:50067&nbsp; due to&nbsp; SYN inside current window with ip ident 0</P><P>000253: *Jun 16 21:03:16.347 PCTime: %FW-6-DROP_PKT: Dropping tcp session 64.214.227.51:80 192.168.1.112:50440&nbsp; due to&nbsp; SYN inside current window with ip ident 0</P><P>000254: *Jun 16 21:03:56.519 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000255: *Jun 16 21:04:45.855 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000256: *Jun 16 21:05:35.191 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000257: *Jun 16 21:06:24.531 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P></P><P>James</P></BODY></HTML> Fri, 17 Jun 2011 02:14:22 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731305#M589489 jaesposito 2011-06-17T02:14:22Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731306#M589495 <HTML><HEAD></HEAD><BODY><P>Hi james</P><P></P><P>Weird you say? Thats my breakfast everyday <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN> . Yes, you will be able to do it so, is there a possibility that you can run version 15?&nbsp; In order to apply the policy map for OOO packets? </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 02:20:00 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731306#M589495 Maykol Rojas 2011-06-17T02:20:00Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731307#M589500 <HTML><HEAD></HEAD><BODY><P>Well, I can download and load 15.1.3.T1.&nbsp; Before I do so, how dramatically different is the 15.X code than the 12.4.X version?&nbsp; Ive never run 15.X before and am concerned about how much there might be to learn.</P><P></P><P>If there is little change, then once I've loaded the 15.1.3.T1 code, what configuration changes would I need to make?</P><P></P><P>James E</P></BODY></HTML> Fri, 17 Jun 2011 02:30:09 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731307#M589500 jaesposito 2011-06-17T02:30:09Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731308#M589503 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Not really sure, lets try first this </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_ooop.html">http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_ooop.html</A></P><P></P><DIV><PRE>Router(config)# ip inspect tcp reassembly queue length 45 </PRE></DIV><P> <A name="wp1055863"></A></P><DIV><PRE>Router(config)# ip inspect tcp reassembly memory limit 200 </PRE></DIV><P></P><P></P><P>Another thing, try to remove the http inspection, If none of this work, we will try to move to version 15. </P><P></P><P>Mike </P><P></P><P></P><P></P><P></P><P></P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Fri, 17 Jun 2011 02:51:01 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731308#M589503 Maykol Rojas 2011-06-17T02:51:01Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731309#M589506 <HTML><HEAD></HEAD><BODY><P>Ok.&nbsp; I will. </P><P></P><P>To remove the http inspection, do I do the following:</P><P></P><P>Router(config)# class-map type inspect match-all ccp-protocol-http</P><P>Router(config)# no match protocol http</P><P>Router(config)#</P><P></P><P>or this...</P><P></P><P>Router(config)# policy-map type inspect ccp-inspect</P><P>Router(config)# class type inspect ccp-protocol-http</P><P>Router(config)# no inspect</P><P>Router(config)#</P><P></P><P>Thanks!</P><P></P><P>James</P></BODY></HTML> Fri, 17 Jun 2011 02:56:50 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731309#M589506 jaesposito 2011-06-17T02:56:50Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731310#M589512 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Close, </P><P></P><P>policy-map type inspect ccp-inspect</P><P> no class type inspect ccp-protocol-http</P><P></P><P>It should fall into the next class which has all tcp and udp, so it will still be inspected, but at layer 3/4 and not at 7. </P><P></P><P>Let me know how it goes. </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 03:04:40 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731310#M589512 Maykol Rojas 2011-06-17T03:04:40Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731311#M589514 <HTML><HEAD></HEAD><BODY><P>OK.&nbsp; I tried the first two configuration lines and am still having the same problem.&nbsp; Here is what is being dropped now by the inspect command:</P><P></P><P>000133: *Jun 16 22:09:48.879 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51984&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000134: *Jun 16 22:10:18.927 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51986&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000162: *Jun 16 22:11:50.255 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51991&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000163: *Jun 16 22:12:20.547 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51991&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P></P><P>000173: *Jun 16 22:12:50.919 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51993&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000174: *Jun 16 22:13:21.135 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51996&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P></P><P>Should I try removing the inspect HTTP next?</P><P></P><P>James E</P></BODY></HTML> Fri, 17 Jun 2011 03:12:49 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731311#M589514 jaesposito 2011-06-17T03:12:49Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731312#M589518 <HTML><HEAD></HEAD><BODY><P>Be my guest. </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 03:16:59 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731312#M589518 Maykol Rojas 2011-06-17T03:16:59Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731313#M589521 <HTML><HEAD></HEAD><BODY><P>I removed the HTTP inspect and still get the <STRONG>same problem</STRONG>.&nbsp; I left the other drops from the Internet in the copy/paste in case it triggered any thoughts.&nbsp; Any other observations before we move to 15.1?</P><P></P><P>James E</P><P></P><P>-------------------------------</P><P></P><P><STRONG>000226: *Jun 16 22:16:23.403 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52005&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</STRONG></P><P>000227: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.219.172.185:62566 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000228: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 83.227.180.98:30917 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000229: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 173.170.153.175:55164 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000230: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 68.5.31.184:22200 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000231: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 94.202.51.71:58163 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000232: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.196.111.92:27534 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000233: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.135.148.92:11835 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000234: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 74.14.62.45:40739 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000235: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 76.204.46.146:60002 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000236: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.162.165.127:58997 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000237: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 76.23.172.16:36900 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000238: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 72.88.82.107:63796 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000239: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 121.217.136.94:20647 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000240: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 188.182.109.42:18200 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000241: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 112.203.95.53:41589 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000242: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.250.170.156:62956 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P><STRONG>000243: *Jun 16 22:16:53.431 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52005&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</STRONG></P><P><STRONG>000244: *Jun 16 22:17:23.511 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52007&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</STRONG></P><P>000245: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 178.76.175.39:28195 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000246: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.140.98.49:44400 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000247: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.48.251.162:46586 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000248: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 71.224.104.61:43788 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000249: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 74.70.91.2:62820 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000250: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.144.184.1:40969 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000251: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 24.78.228.141:25018 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000252: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 216.118.146.204:44637 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000253: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 65.27.254.51:31593 =&gt; 74.233.55.201:60541 (target:class)-(ccp-zp-out-self:class-default)</P><P>000254: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 24.61.175.2:49201 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000255: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 69.206.171.175:33489 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000256: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.246.9.100:62274 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000257: *Jun 16 22:17:53.671 PCTime: %FW-6-DROP_PKT: Dropping udp session 216.183.204.177:27197 74.233.55.201:52794 on zone-pair ccp-zp-out-self class class-default due to&nbsp; DROP action found in policy-map with ip ident 0</P><P></P><P>000258: *Jun 16 22:18:24.235 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52011&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</P><P>000259: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 206.75.2.7:32963 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000260: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 216.183.204.177:27197 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000261: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.66.246.59:50219 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000262: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.80.218.96:18972 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000263: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 86.184.99.203:54838 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000264: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 107.4.10.85:49237 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000265: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 216.121.222.139:11641 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000266: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 65.9.216.145:19877 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000267: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 204.112.16.105:60675 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P>000268: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 67.172.28.245:28091 =&gt; 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)</P><P><STRONG>000269: *Jun 16 22:18:54.375 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52012&nbsp; due to&nbsp; Out-Of-Order Segment with ip ident 0</STRONG></P></BODY></HTML> Fri, 17 Jun 2011 03:18:52 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731313#M589521 jaesposito 2011-06-17T03:18:52Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731314#M589522 <HTML><HEAD></HEAD><BODY><P>One more, </P><P></P><P>Cand you paste the show interface command? Note that the IP addresses will appear there, so feel free to remove them, I want to see if there are any errors on them. </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 03:22:36 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731314#M589522 Maykol Rojas 2011-06-17T03:22:36Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731315#M589523 <HTML><HEAD></HEAD><BODY><P>Sure.&nbsp; Here you go:</P><P></P><P>Router#sh interface</P><P>Dialer0 is up, line protocol is up (spoofing)</P><P>&nbsp; Hardware is Unknown</P><P>&nbsp; Description: $FW_OUTSIDE$</P><P>&nbsp; Internet address is xx.xx.xx.xx/32</P><P>&nbsp; MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 4/255, rxload 61/255</P><P>&nbsp; Encapsulation PPP, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; DTR is pulsed for 1 seconds on reset</P><P>&nbsp; Interface is bound to Vi1</P><P>&nbsp; Last input never, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters 00:03:02</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: weighted fair</P><P>&nbsp; Output queue: 0/1000/64/0 (size/max total/threshold/drops)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Conversations&nbsp; 0/0/16 (active/max active/max total)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Reserved Conversations 0/0 (allocated/max allocated)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Available Bandwidth 42 kilobits/sec</P><P>&nbsp; 5 minute input rate 382000 bits/sec, 39 packets/sec</P><P>&nbsp; 5 minute output rate 3000 bits/sec, 7 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 13530 packets input, 18718598 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 4792 packets output, 340730 bytes</P><P>Bound to:</P><P>Virtual-Access1 is up, line protocol is up</P><P>&nbsp; Hardware is Virtual Access interface</P><P>&nbsp; MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 81/255, rxload 67/255</P><P>&nbsp; Encapsulation PPP, LCP Open</P><P>&nbsp; Open: IPCP</P><P>&nbsp; PPPoE vaccess, cloned from Dialer0</P><P>&nbsp; Vaccess status 0x44, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; DTR is pulsed for 5 seconds on reset</P><P>&nbsp; Interface is bound to Di0 (Encapsulation PPP)</P><P>&nbsp; Last input 00:00:00, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters 00:02:39</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 401000 bits/sec, 41 packets/sec</P><P>&nbsp; 5 minute output rate 18000 bits/sec, 18 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 12281 packets input, 16894257 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 4807 packets output, 341144 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 0 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 carrier transitions</P><P>FastEthernet0 is up, line protocol is down</P><P>&nbsp; Hardware is Fast Ethernet, address is 0026.0ba6.e9f4 (bia 0026.0ba6.e9f4)</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Auto-duplex, Auto-speed</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input never, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 0 bits/sec, 0 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets input, 0 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets output, 0 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 2 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>FastEthernet1 is up, line protocol is down</P><P>&nbsp; Hardware is Fast Ethernet, address is 0026.0ba6.e9f5 (bia 0026.0ba6.e9f5)</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Auto-duplex, Auto-speed</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input never, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 0 bits/sec, 0 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets input, 0 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets output, 0 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 2 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>FastEthernet2 is up, line protocol is down</P><P>&nbsp; Hardware is Fast Ethernet, address is 0026.0ba6.e9f6 (bia 0026.0ba6.e9f6)</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Auto-duplex, Auto-speed</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input never, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 0 bits/sec, 0 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets input, 0 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets output, 0 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 2 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>FastEthernet3 is up, line protocol is down</P><P>&nbsp; Hardware is Fast Ethernet, address is 0026.0ba6.e9f7 (bia 0026.0ba6.e9f7)</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Auto-duplex, Auto-speed</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input never, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 0 bits/sec, 0 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets input, 0 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets output, 0 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 2 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>FastEthernet4 is up, line protocol is up</P><P>&nbsp; Hardware is PQII_PRO_UEC, address is 0026.0ba6.e9f8 (bia 0026.0ba6.e9f8)</P><P>&nbsp; Description: $ES_WAN$$FW_OUTSIDE$</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Full-duplex, 100Mb/s, 100BaseTX/FX</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input 00:02:40, output 00:00:00, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 408000 bits/sec, 41 packets/sec</P><P>&nbsp; 5 minute output rate 18000 bits/sec, 18 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 12354 packets input, 17233288 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 watchdog</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 4849 packets output, 440539 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 2 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 2 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>NVI0 is up, line protocol is up</P><P>&nbsp; Hardware is NVI</P><P>&nbsp; Interface is unnumbered. Using address of wlan-ap0 (0.0.0.0)</P><P>&nbsp; MTU 1514 bytes, BW 56 Kbit/sec, DLY 5000 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation UNKNOWN, loopback not set</P><P>&nbsp; Last input never, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; 5 minute input rate 0 bits/sec, 0 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets input, 0 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets output, 0 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 0 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>Virtual-Access1 is up, line protocol is up</P><P>&nbsp; Hardware is Virtual Access interface</P><P>&nbsp; MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 81/255, rxload 67/255</P><P>&nbsp; Encapsulation PPP, LCP Open</P><P>&nbsp; Open: IPCP</P><P>&nbsp; PPPoE vaccess, cloned from Dialer0</P><P>&nbsp; Vaccess status 0x44, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; DTR is pulsed for 5 seconds on reset</P><P>&nbsp; Interface is bound to Di0 (Encapsulation PPP)</P><P>&nbsp; Last input 00:00:00, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters 00:02:40</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 401000 bits/sec, 41 packets/sec</P><P>&nbsp; 5 minute output rate 18000 bits/sec, 18 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 12409 packets input, 17070420 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 4856 packets output, 344852 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 0 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 carrier transitions</P><P>Vlan1 is up, line protocol is up</P><P>&nbsp; Hardware is EtherSVI, address is 0026.0ba6.e9f4 (bia 0026.0ba6.e9f4)</P><P>&nbsp; Description: $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$</P><P>&nbsp; Internet address is 192.168.1.1/24</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input 00:00:00, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 20000 bits/sec, 22 packets/sec</P><P>&nbsp; 5 minute output rate 292000 bits/sec, 37 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 5288 packets input, 469871 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 85 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 9166 packets output, 12421619 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 1 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>Wlan-GigabitEthernet0 is up, line protocol is up</P><P>&nbsp; Hardware is WLAN Gigabit Ethernet, address is 0026.0ba6.e9f8 (bia 0026.0ba6.e9f8)</P><P>&nbsp; Description: Internal switch interface connecting to the embedded AP</P><P>&nbsp; MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 100 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Full-duplex, 1000Mb/s</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input 00:00:39, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 21000 bits/sec, 22 packets/sec</P><P>&nbsp; 5 minute output rate 292000 bits/sec, 36 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 5507 packets input, 514638 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 190 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 9126 packets output, 12401933 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 2 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 3 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P>wlan-ap0 is up, line protocol is up</P><P>&nbsp; Hardware is wlan-ap, address is 0000.0000.0000 (bia 0000.0000.0000)</P><P>&nbsp; Description: Service module interface to manage the embedded AP</P><P>&nbsp; Interface is unnumbered. Using address of Vlan1 (192.168.1.1)</P><P>&nbsp; MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation LOOPBACK, loopback not set</P><P>&nbsp; ARP type: ARPA, ARP Timeout 00:00:00</P><P>&nbsp; Last input 00:02:40, output never, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/0 (size/max)</P><P>&nbsp; 5 minute input rate 0 bits/sec, 0 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 packets input, 0 bytes, 0 no buffer</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 0 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 1 packets output, 28 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 0 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 unknown protocol drops</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P></BODY></HTML> Fri, 17 Jun 2011 03:53:25 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731315#M589523 jaesposito 2011-06-17T03:53:25Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731316#M589524 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Not even 1 error, you say that when you do the downgrade, you dont have any more issues right? </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 03:59:46 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731316#M589524 Maykol Rojas 2011-06-17T03:59:46Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731317#M589527 <HTML><HEAD></HEAD><BODY><P>That's right.&nbsp; When I downgrade to the older IOS 12.4.20.T3,&nbsp; the "Out-Of-Order Segment" issue disappears and Netflix and YouTube work fine from the AppleTV.&nbsp; What should we do next?</P><P></P><P></P><P>On a side note, when running the older 12.4.20.T3 IOS, I appear to be having an different problem dropping inspected packets when simply surfing the web from my desktop computer (192.168.1.112):&nbsp; "match failure with ip ident 0"</P><P></P><P>000220:&nbsp; *Jun 16 20:40:54.495 PCTime: %FW-6-DROP_PKT: Dropping udp session&nbsp; 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure&nbsp; with ip ident 0</P><P>000221: *Jun 16 20:41:43.863 PCTime:&nbsp; %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478&nbsp; 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure with ip ident 0</P><P>000222:&nbsp; *Jun 16 20:42:33.235 PCTime: %FW-6-DROP_PKT: Dropping udp session&nbsp; 208.46.117.189:3478 192.168.1.112:51636&nbsp; due to&nbsp; policy match failure&nbsp; with ip ident 0</P><P></P><P>I see no apparent problem from my desktop.&nbsp; But, the above is occurring.&nbsp; What does "match failure with ip ident 0" mean?</P><P></P><P>James E</P></BODY></HTML> Fri, 17 Jun 2011 12:18:16 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731317#M589527 jaesposito 2011-06-17T12:18:16Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731318#M589530 <HTML><HEAD></HEAD><BODY><P>Those seem to be late packets, weird thing is that the behavior changes between versions. They are not related to web browsing, it is a weird udp stream. </P><P></P><P>If you can go to 15 version, (you may want to read the release notes prior doing it)</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/15_0/release/notes/150MREQS.html">http://www.cisco.com/en/US/docs/ios/15_0/release/notes/150MREQS.html</A></P><P></P><P>Then you can apply the command for out of order </P><PRE><BR />parameter-map type ooo global &nbsp; tcp reassembly memory limit 2048 &nbsp; tcp reassembly queue length 85 &nbsp; tcp reassembly timeout 54&nbsp; &nbsp; exit</PRE><P></P><P>Let me know how it goes. </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 17:33:02 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731318#M589530 Maykol Rojas 2011-06-17T17:33:02Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731319#M589532 <HTML><HEAD></HEAD><BODY><P> Mike,</P><P></P><P>Thanks.&nbsp; Before I upgrade to version 15, can you give me a general sense of how different 15 is from 12.4?&nbsp; I've never used 15, but am comfortable with the 12.x IOS.&nbsp; A general idea would be fine.</P><P></P><P>Also, is there a real significant value to me inspecting packets that originate from the trusted inside of my network?&nbsp; I understand wanting to do this from traffic sourced from an untrusted, outside interface.&nbsp; But, I'm struggling to understand why this is useful for traffic originating from my interior devices.&nbsp; Assuming that my machines do not have malicious software installed, I'm struggling to see the value as it is clearly causing problems where real problems dont exist - our above thread being a perfect example.</P><P></P><P>Thank you very much for your thoughts!</P><P></P><P>James E</P></BODY></HTML> Fri, 17 Jun 2011 18:14:50 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731319#M589532 jaesposito 2011-06-17T18:14:50Z https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731320#M589534 <HTML><HEAD></HEAD><BODY><P>Hi James, </P><P></P><P>What an excellent question. Basically you would like to inspect the traffic that comes from your inside network because, by default, the return traffic would be allowed. If you put just a single access list on the outside interface of your Router, you will need to allow all the responses to every query done from the inside. </P><P></P><P>With the inspection, sessions that were initiated from the inside network, the return traffic is allowed with no issues at all. </P><P></P><P>The idea of an stateful firewall is to allow those sessions from trusted sources and deny the rest. </P><P></P><P>Version 15 is not different from any other IOS version, only new commands and new features were added, but the rest is exactly the same. </P><P></P><P>If you have any questions, let me know. </P><P></P><P>Mike </P></BODY></HTML> Fri, 17 Jun 2011 19:35:46 GMT https://community.cisco.com/t5/network-security/performance-issue-suspected-with-zones-and-inspect-configuration/m-p/1731320#M589534 Maykol Rojas 2011-06-17T19:35:46Z