05-04-2010 02:56 PM - edited 03-11-2019 10:41 AM
This link has a good example of how to configure Cisco IOS Content Filtering: http://supportforums.cisco.com/docs/DOC-8028
I copied and pasted the config onto a 1941W router and it worked. However, I found that the router could go in and out of the "allow mode" regularly (like every few minutes). Below is an example. During the allow mode, content filtering is basically turned off and users can hit any site. I don't want to turn off the allow mode, but is there a way to minimize the number of times the router goes into allow mode?
May 4 14:41:03.218: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:42:05.458: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
May 4 14:42:07.786: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:43:08.035: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
May 4 14:46:39.144: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:47:39.388: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
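To quantify how long the router spends failing open, the ENTER/LEAVE pairs in the log above can be paired and totalled. This is an added example, not part of the original post or any Cisco tooling; the function names and the `year` default (taken from the post date, because the syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

# The six log lines from the post above, verbatim.
SAMPLE_LOG = """\
May 4 14:41:03.218: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:42:05.458: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
May 4 14:42:07.786: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:43:08.035: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
May 4 14:46:39.144: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:47:39.388: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
"""

# Timestamp, then the URLF facility, any severity digit, and the ENTER/LEAVE mnemonic.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
                     r"%URLF-\d-(?P<event>ENTER|LEAVE)_ALLOW_MODE:")

def parse_events(text, year=2010):
    """Return sorted (timestamp, 'ENTER'|'LEAVE') tuples; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["event"]))
    return sorted(events)

def allow_mode_windows(events):
    """Pair each ENTER with the next LEAVE; an unmatched ENTER stays open (end=None)."""
    windows, start = [], None
    for ts, event in events:
        if event == "ENTER" and start is None:
            start = ts
        elif event == "LEAVE" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))  # router was still in allow mode at end of log
    return windows

def summarize(text, year=2010):
    events = parse_events(text, year)
    windows = allow_mode_windows(events)
    open_secs = sum((e - s).total_seconds() for s, e in windows if e is not None)
    observed = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {"windows": len(windows),
            "still_open": sum(1 for _, e in windows if e is None),
            "fail_open_seconds": round(open_secs, 3),
            "fail_open_fraction": round(open_secs / observed, 3) if observed else 0.0}
```

Calling `summarize(SAMPLE_LOG)` on the six lines above reports three windows totalling 182.733 seconds, about 46% of the observed span.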
05-05-2010 09:31 AM
What you see is happening because the router cannot contact trps.trendmicro.com to ask for the category of the sites in order to allow them or not.
You can use the option "server {server-name | ip-address} [outside] [port port-number] [retrans retransmission-count] [timeout seconds]" under the "parameter-map type urlfpolicy trend dynamic-parameters" to change the timeout and wait for more time until you declare the "allow-mode on".
But that will not fix the underlying problem, which is probably connectivity to trps.trendmicro.com. Try using either of the IP addresses 216.104.8.100, 216.99.133.100 ("ip host trps.trendmicro.com 216.99.xxx" command on the router) and see what the response times are, and see if you can choose the one that is the best for you and if that fixes the issue.
I hope it helps.
PK
05-06-2010 01:57 PM
I tried to not use the ip domain lookup on the router, and added ip host trps.trendmicro.com 216.99.133.100 216.104.8.100 and ip host crl.geotrust.com 69.58.183.143. However, the router still continues to go in and out of the allow mode.
I also tried what you said, and found out that from the router:
216.104.8.100's average round trip back to the router is 81 ms
216.99.133.100's average round trip back to the router is 4 ms
Therefore, I reconfigured the ip host trps.trendmicro.com to include only 216.99.133.100, thinking it would be faster, but the result is still the same.
Any other suggestions?
Thanks