
CBAC blocking Windows 7 upload

arturkociola
Level 1

Hello,

Since upgrading some of the computers in my LAN to Windows 7, they all experience upload issues. I have narrowed it down to CBAC inspection on my Cisco 1711 router. I am running IOS 12.3. I have a simple CBAC inspection set for TCP/UDP only, without any application-specific inspects. Download works fine, however upload does not seem to work at all unless I disable the ip inspection. It is all working fine for any Windows XP but not for Windows 7 machines. Is this a known issue? I am not sure how I can go about this. I don't want to build ACLs now for the outside interface and disable stateful inspection mechanisms, because CBAC has been working fine for me until recently. Thanks for any suggestions.

Accepted Solutions

Hello Artur,

Really, sounds like a bug, I will search on this to find what is going on.

Thank you for the update.

Please mark the question as answered so future users with the same issue know what to do.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


7 Replies

Julio Carvajal
VIP Alumni

Hello Artur,

Can you show us the logs CBAC is reporting while you make an upload?

You can enable the command "ip inspect log drop-pkt"

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio, what sort of logs would you like to see? I set the:

ip inspect log drop-pkt

and also

debug ip insp tcp

debug ip insp udp

debug ip insp events

and I am attaching the extract from when I initiated an http upload. It looks like the packets are dropped because they're out of sequence. I was trying to upload to ip 87.248.121.213 (flickr in this case).

Hello,

That is the issue! CBAC will do a deep inspection on the TCP stack and it will see the out of order packets and will drop them. You will need to solve that problem on the inside of your network (packets out of order), but at this moment CBAC is doing its job.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, this is Windows 7, how can I force it? Again, I don't have this problem with Windows XP. It looks like the issue was addressed in a newer IOS version with the ip insp tcp reassembly command.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_ooop.html

Hello,

The thing is that reassembly is for the out of order packets, not out of sequence.

I will investigate on this and let you know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
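A simplified model of the two behaviours discussed in this thread, added here as an example and not taken from the posts or from Cisco's implementation: an inspector that drops any TCP segment arriving ahead of the expected sequence number, and one that holds such segments in a bounded queue until the gap fills. The class, function names and segment values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class FlowInspector:
    """Tracks one direction of a TCP flow by its next expected sequence number."""
    next_seq: int
    queue_limit: int = 0  # 0 = strict mode, no reassembly queue (assumed knob)
    held: dict = field(default_factory=dict)      # seq -> payload length
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def segment(self, seq: int, length: int) -> None:
        if seq == self.next_seq:
            self._forward(seq, length)
            # The gap is filled: release held segments that are now in order.
            while self.next_seq in self.held:
                self._forward(self.next_seq, self.held.pop(self.next_seq))
        elif seq > self.next_seq and len(self.held) < self.queue_limit:
            # Ahead of the expected byte: hold it instead of dropping it.
            self.held[seq] = length
        else:
            # Strict mode, queue full, or stale data (simplification: stale
            # segments are treated as drops here).
            self.dropped.append(seq)

    def _forward(self, seq: int, length: int) -> None:
        self.forwarded.append(seq)
        self.next_seq = seq + length


def replay(arrivals, first_seq, queue_limit):
    """Feed (seq, length) pairs through an inspector; return (forwarded, dropped)."""
    insp = FlowInspector(next_seq=first_seq, queue_limit=queue_limit)
    for seq, length in arrivals:
        insp.segment(seq, length)
    return insp.forwarded, insp.dropped


# Constructed upload: four 1460-byte segments, the 2nd and 3rd swapped in transit.
ARRIVALS = [(1000, 1460), (3920, 1460), (2460, 1460), (5380, 1460)]

if __name__ == "__main__":
    print("strict    :", replay(ARRIVALS, 1000, queue_limit=0))
    print("reassembly:", replay(ARRIVALS, 1000, queue_limit=16))
```

In strict mode every segment behind the swapped one is lost until the sender retransmits, which is how a single reordering can stall an upload.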

Thank you Julio, but I found the solution - it was an IOS upgrade. When I upgraded my 12.3-11 to 12.4-15 it started to work on exactly the same configuration; I did not change anything.
