topic Intermittent drops using CBAC in Network Security

Intermittent drops using CBAC

emphillips00 — Mon, 11 Mar 2019 11:04:49 GMT

Hey all,

I could use some help troubleshooting a problem. We have a Cisco 2821 ISR router that is doing NAT, CBAC, and reporting NetFlow to a NetFlow monitor. The problem we are having is at random sites will become unavailable or extremely slow. What is odd though is that if you keep hitting retry the page will load just fine after some time. Persistent application such as instant messaging programs will also disconnect at random.

NetFlow and a ?show int? confirm that usage is not anywhere near the max, even on the Internet-facing interface. CPU usage also rarely tops 30%.

Can anyone give me some tips on how to troubleshoot this? If I enable ?ip inspect audit-trail? I am inundated by 50+ messages a second from connections being created then torn down. Can anyone help think of any way of logging that might provide some insight into what might be going on? Because of the very random nature of the problem, it never happens when I do it, and by the time someone gets to a command prompt to try and ping or tracert, the problem is already gone. But I am thinking somewhere a log has to be screaming.

Here is a snip of the code to get an idea what the router is doing:

ip inspect name CBACout ftp

ip inspect name CBACout http

interface Multilink1

description Internet Outside

bandwidth 3072

ip address 1.1.1.1 255.255.255.252

ip access-group ACLin in

ip access-group ACLout out

ip nbar protocol-discovery

ip nat outside

ip inspect CBACout out

ip virtual-reassembly

no ip route-cache cef

no ip route-cache

no cdp enable

ppp multilink

ppp multilink group 1

interface GigabitEthernet0/0.1

description Inside Interface

encapsulation dot1Q 1 native

ip address 10.1.1.1 255.255.0.0 secondary

ip address 10.2.1.1 255.255.0.0 secondary

ip address 10.2.3.254 255.255.0.0

ip access-group ACL1_out in

ip nat inside

ip virtual-reassembly

no ip route-cache

ip nat inside source route-map nonat interface Multilink1 overload

ip access-list extended ACL1_out

permit ip any any reflect ACL1_RACLin

ip access-list extended ACL_nonat

deny ip 10.0.0.0 0.255.255.255 19.0.0.0 0.255.255.255

deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

permit ip 10.0.0.0 0.255.255.255 any

ip access-list extended ACLin

permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any host-unreachable

permit icmp any any net-unreachable

permit icmp any any time-exceeded

permit icmp any any ttl-exceeded

!Snip - Bunch of explicit allows to connect to internal servers

evaluate RACLin

route-map nonat permit 10

match ip address ACL_nonat

Re: Intermittent drops using CBAC

falain — Sat, 01 Sep 2007 09:24:06 GMT

Hi,

I am also using 2821 ISR with Cbac, Nat & Netflow.

Last year, I was experiencing Cbac pbs with 12.4(7) and upgraded to last release 12.4(12), which solved cbac dropped tcp sessions (look at bug tool using cbac keyword).

I noticed that your config has a 'no ip route-cache' so you are running Process Switching, and some bugs are related to it.

You are also mixing refexive Acls and Cbac, why not using only Cbac ?

may it helps

Best regards

Alain

Re: Intermittent drops using CBAC

emphillips00 — Wed, 05 Sep 2007 12:34:36 GMT

Hi Alain,

Thank you for the reply! I am running 12.4(15)T1, and have tried to run the latest 12.4 non-T train. Both have the same effect.

I disabled process switching, that must have been old config from when I was trying to get the NetFlow monitor to work. I re-enabled CEF on all the interfaces to see if that fixes the problem.

I have a mix of reflexive ACLs and CBAC because I must not be understanding CBAC properly.

I have not found any examples of mixing NAT and CBAC together. All the examples use CBAC on the inside interface in the inbound direction to create ACL entries on the ACL on the outside interface in the inbound direction. What doesn't make sense is CBAC on the inside would be putting an inside IP address, not the NATed IP address into that ACL.

Do you use NAT and CBAC on the same router? Can you give me an example of what your config looks like that you are only using CBAC? I would greatly appreciate it!

-Eric