cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1290
Views
0
Helpful
3
Replies
Highlighted
Beginner

IP Inspect Overflows

Hello,

I have Cisco Router with the below config:

ip inspect name SDM_MEDIUM appfw SDM_MEDIUM

ip inspect name SDM_MEDIUM cuseeme

ip inspect name SDM_MEDIUM dns

ip inspect name SDM_MEDIUM ftp

ip inspect name SDM_MEDIUM h323

ip inspect name SDM_MEDIUM https

ip inspect name SDM_MEDIUM icmp

ip inspect name SDM_MEDIUM imap reset

ip inspect name SDM_MEDIUM pop3 reset

ip inspect name SDM_MEDIUM netshow

ip inspect name SDM_MEDIUM rcmd

ip inspect name SDM_MEDIUM realaudio

ip inspect name SDM_MEDIUM rtsp

ip inspect name SDM_MEDIUM esmtp

ip inspect name SDM_MEDIUM sqlnet

ip inspect name SDM_MEDIUM streamworks

ip inspect name SDM_MEDIUM tftp

interface FastEthernet0/0

description $FW_OUTSIDE$

ip address dhcp

ip access-group 103 in

ip access-group 109 out

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

I am facing problem with Outlook Users in to my Lan Network. They loose connectivity to Exchange Server Intermittently. When they connect their

Laptops directly on BroadBand line, it works perfect.

I can see following logs:

010303: Jul 25 15:29:41.844: %SEC-6-IPACCESSLOGP: list 103 denied tcp X.X.X.X(80) -> X.X.X.X (2551), 1 packet

010304: Jul 25 15:29:43.848: %SEC-6-IPACCESSLOGP: list 103 denied tcp X.X.X.X (80) -> X.X.X.X (2561), 1 packet

010305: Jul 25 15:29:45.852: %SEC-6-IPACCESSLOGP: list 103 denied tcp X.X.X.X (443) -> X.X.X.X (2557), 1 packet

010303: Jul 25 15:29:41.844: %SEC-6-IPACCESSLOGP: list 103 denied tcp X.X.X.X (443) -> X.X.X.X (2551), 1 packet

010304: Jul 25 15:29:43.848: %SEC-6-IPACCESSLOGP: list 103 denied tcp X.X.X.X (80) -> X.X.X.X (2561), 1 packet


Users can connect to outlook after some time automatically. I suspect this is issue of IP Inspect for Half Opened Session.

Can anyone please suggest the way ahead?

Thanks

Rahul

Everyone's tags (3)
3 REPLIES 3
Cisco Employee

IP Inspect Overflows

Hi Rahul,

The logs seem to be for HTTP and HTTPS traffic. Can you enable "ip inspect log drop" and post the output of "sh log" here collected when the issue occurs?

Let me know.

Regards,

Anu

Beginner

IP Inspect Overflows

Hi Anu,

Please see below logs:

038100: Jul 27 09:49:05.597: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1812), 1 packet

038101: Jul 27 09:49:09.605: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1802), 1 packet 
038103: Jul 27 09:49:11.621: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1824), 1 packet
038104: Jul 27 09:49:13.633: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1821), 1 packet
038105: Jul 27 09:49:15.649: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1822), 1 packet
038106: Jul 27 09:49:17.645: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1834), 1 packet
038107: Jul 27 09:49:21.469: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1864), 1 packet
038108: Jul 27 09:49:23.665: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1851), 1 packet
038109: Jul 27 09:49:25.689: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1853), 1 packet
038110: Jul 27 09:49:27.005: %FW-6-DROP_PKT: Dropping Other session XX.XX.XX.XX:1906 XX.XX.XX.XX:443  due to  RST
inside current window with ip ident 1764 tcpflags 0x5014 seq.no 899228843 ack 3486318255
038111: Jul 27 09:49:27.713: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1846), 1 packet
038112: Jul 27 09:49:29.725: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1865), 1 packet
038113: Jul 27 09:49:32.737: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1905), 1 packet
038114: Jul 27 09:49:35.745: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1884), 1 packet
038115: Jul 27 09:49:37.829: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1880), 1 packet
038116: Jul 27 09:49:39.789: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1881), 1 packet
038117: Jul 27 09:49:43.817: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1916), 1 packet
038118: Jul 27 09:49:45.813: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1921), 1 packet
038119: Jul 27 09:49:46.281: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 55 packets
038120: Jul 27 09:49:47.825: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1936), 1 packet
038121: Jul 27 09:49:49.853: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1917), 1 packet
038122: Jul 27 09:49:51.849: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1944), 1 packet
038145: Jul 27 09:49:55.925: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1942), 1 packet
038146: Jul 27 09:49:57.177: %FW-6-DROP_PKT: Dropping Other session XX.XX.XX.XX:2008 XX.XX.XX.XX:443  due to  RST
inside current window with ip ident 5621 tcpflags 0x5014 seq.no 500736543 ack 49297679
038147: Jul 27 09:49:57.917: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1981), 1 packet
038148: Jul 27 09:50:01.929: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1962), 1 packet
038149: Jul 27 09:50:03.013: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(2009), 1 packet
038150: Jul 27 09:50:07.929: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1990), 1 packet
038159: Jul 27 09:50:09.941: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1997), 1 packet
038162: Jul 27 09:50:13.965: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(1988), 1 packet
038164: Jul 27 09:50:15.953: %SEC-6-IPACCESSLOGP: list 103 denied tcp XX.XX.XX.XX(443) -> XX.XX.XX.XX(2034), 1 packet


Thanks

Cisco Employee

IP Inspect Overflows

Hi Rahul,

In the logs on the router, do you se any logs related to the exchange server or the client's IP address? i can not see much because all i see acl drops and some fw drops with Xs in place of IP addresses.

Regards,

Prapanch

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here