Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
0
Helpful
2
Replies

Cisco 1861 - Zoen Based Firewall Issues

nickrourke
Level 1
Level 1

‎05-02-2011 11:24 AM - edited ‎03-11-2019 01:27 PM

Hi All,

having a very strange problem with a Cisco 1861 running - Cisco IOS Software, C1861 Software (C1861-ADVENTERPRISEK9-M), Version 12.4(24)T5

The issue  -

I have suddenly started to get performance issues with downloads and access through the ZBF. Without the firewall enabled and just having NAT enabled and routing  , downloads perform as expected - ( have been using Itunes download as test file ) - with the ZBF enabled , and the necessary rules installed to inspect & allow traffic - downloads stall - and the only way to get the downlaod to start again is to pause , then resume. The stalls are anything between the first 25 - 120 secs.

I have debugged and performed packet traces - but cant see anything untoward. I have also placed another router ( just a cheap Belkin )  on the ADSL service and again , the downloads work as expected.

one further thing to add is that when im tunneling through the firewall ( VPN ) , then downloads do work as expected - suggesting that the issue is with native HTTP(s) traffic......

I have upgraded from T4 to T5 - and the symptons still remain - I am thinking that these may have been introduced when i upgraded to T4 a few monthes ago.

any help would be gratefully appreicated.....

cheers

Nick

Labels:
0 Helpful
2 Replies 2

Maykol Rojas
Cisco Employee
Cisco Employee

‎05-02-2011 01:33 PM

Hi Nick,

Can you grab the ip inspect log drop-pkt ? Put that command in on global configuration mode, then put the command "do term mon". Try to download a file and grab the logs and check if the firewall is dropping any packets.

Cheers

Mike

Mike
0 Helpful

Michael Dougherty
Level 1
Level 1
In response to Maykol Rojas

‎07-11-2011 05:13 PM

Greetings,

I am having the same issue and I went ahead and did what you suggested.  See below, off hand it does not look like things are going nuts or anything just some out of sequence packets.

Jul 11 20:07:14.741 EDT: %FW-6-DROP_PKT: Dropping tcp session 96.7.40.26:80 172.xxx.xxx.xxx:4601  due to  Out-Of-Order Segment with ip ident 0

Jul 11 20:07:50.181 EDT: %FW-6-DROP_PKT: Dropping tcp session 96.7.40.26:80 172.xxx.xxx.xxx::4601  due to  Out-Of-Order Segment with ip ident 0

Jul 11 20:08:30.213 EDT: %FW-6-DROP_PKT: Dropping tcp session 96.7.40.26:80 172.xxx.xxx.xxx::4601  due to  Out-Of-Order Segment with ip ident 0

Any suggestions would be helpful.  I did read someone said there are performance issue with the ZBF, but I am not sure.

-mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card