ZBF between two networks and SSH stalls periodically

jason00040
Level 1

Cisco 3825 routing two vlans. ZBF setup between the two vlans to only allow ssh/http/https. Connections are working but when ssh'd into the server the session "locks up" for a short period. I can most easily see this when, in a session, I have the server do a persistent ping to its gateway IP. They reply but periodically the replies stop, then continue. When they continue the icmp_seq counter has no gaps. It's like the screen stops painting because no replies are missed, just the running output is suspended temporarily. It lasts about 10-20 seconds from what I can tell. The sessions also close unexpectedly and (so far) I cannot correlate it to inactivity.


Question is, does this sound like something related to ZBF?  I have a persistent ping running from a PC in vlan 100 to the outside and it does NOT suffer the lock-ups.  That route traverses a different ZBF pair through this same router.  FWIW - I tried replacing the target server to rule out the unit and it also suffers the same.


The intent is to allow only vlan 100 hosts to connect to the host at 172.26.214.3 using ssh/http/https.  I'm no ZBF Yoda so maybe there's a better way to code this?


Thanks for any help.

class-map type inspect match-all ACCESS-TO-HTTP-80-CMAP
 match access-group name LAN-TO-HTTP
 match protocol http
class-map type inspect match-all ACCESS-TO-HTTP-22-CMAP
 match access-group name LAN-TO-HTTP
 match protocol ssh
class-map type inspect match-all ACCESS-TO-HTTP-443-CMAP
 match access-group name LAN-TO-HTTP
 match protocol https

policy-map type inspect ACCESS-TO-HTTP-PMAP
 class type inspect ACCESS-TO-HTTP-80-CMAP
  inspect
 class type inspect ACCESS-TO-HTTP-443-CMAP
  inspect
 class type inspect ACCESS-TO-HTTP-22-CMAP
  inspect
 class class-default
  drop
!
zone security LAN
zone security HTTP
!
zone-pair security LAN-TO-HTTP source LAN destination HTTP
 service-policy type inspect ACCESS-TO-HTTP-PMAP
!
interface GigabitEthernet2/0.100
 description user_vlan
 encapsulation dot1Q 100
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
!
interface GigabitEthernet2/0.443
 description webserver_vlan
 encapsulation dot1Q 443
 ip address 172.26.214.2 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 zone-member security HTTP
!
ip access-list extended LAN-TO-HTTP
 permit ip 192.168.1.0 0.0.0.255 host 172.26.214.3
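As an added example (not the original poster's configuration), the same intent written with one nested class-map instead of three, plus the show commands to run while an SSH session is stalled to confirm whether the inspect policy is actually dropping the flow. The class-map names ending in -CMAP are assumed; the zone, zone-pair, policy-map and ACL names are the ones from the post.

```cisco
! Added example, not the poster's config. One match-any class for the three
! permitted protocols, nested under a match-all class that also requires the
! LAN-TO-HTTP ACL, so a flow must match both the source/destination and the protocol.
class-map type inspect match-any LAN-TO-HTTP-PROTOS-CMAP
 match protocol ssh
 match protocol http
 match protocol https
!
class-map type inspect match-all LAN-TO-HTTP-CMAP
 match access-group name LAN-TO-HTTP
 match class-map LAN-TO-HTTP-PROTOS-CMAP
!
policy-map type inspect ACCESS-TO-HTTP-PMAP
 class type inspect LAN-TO-HTTP-CMAP
  inspect
 class class-default
  drop log
!
zone-pair security LAN-TO-HTTP source LAN destination HTTP
 service-policy type inspect ACCESS-TO-HTTP-PMAP
!
! Checks to run from enable mode while a session is "locked up":
! if the SSH flow is still listed and its byte counters keep advancing,
! inspection is not dropping it; if the flow is gone or the drop counters
! climb, the stall is on the firewall side.
! show policy-map type inspect zone-pair LAN-TO-HTTP sessions
! show policy-map type inspect zone-pair LAN-TO-HTTP | include [Dd]rop
```

The `drop log` on class-default makes any flow that falls outside the permitted set visible in the log rather than silently discarded, which is the first thing to look at when sessions close unexpectedly.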


1 Accepted Solution


jason00040
Level 1

Fixed the issue with an IOS update. There were no specific points in release notes about this but it fixed it. Now running c3750-advipservicesk9-mz.122-46.SE.bin. Or maybe it was the fourth reset.

