06-15-2011 08:50 PM - edited 03-11-2019 01:45 PM
All,
I suspect that I am experiencing performance issues related to my firewall zone configuration AND/OR the inspection being done on packets. With that in mind, I have two basic questions based on my attached configuration:
1.) In looking at my configuration, what purpose do these default firewall zones AND inspect commands have for this router, which I am using on a plain DSL connection in my home?
2.) Could any part of this configuration be responsible for slowing down some of my home devices such as my AppleTV for streaming Netflix, YouTube?
The router is a 881W and is running 12.4.24.T5. If you feel that any parts of this configuration are unnecessary and might be contributing to my performance issues, please feel free to chime in.
Thank you for the help!
James E
06-15-2011 09:36 PM
Hi,
It may be out-of-order packets and the inspection is messing with them; your config looks fine. Would you please put the following commands on the router:
Conf t
ip inspect log drop-pkt
do term mon
Try to access Youtube from the PC, TV, or whatever device has slow connection, gather the logs, and paste them over here.
Cheers
Mike
06-16-2011 04:24 PM
Ok. I added those config parameters. Here is the log output when I attempt to use Netflix on the AppleTV (IP 192.168.1.102):
000040: *Jun 16 18:07:54.567 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763 due to Out-Of-Order Segment with ip ident 0
000041: *Jun 16 18:08:24.871 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763 due to Out-Of-Order Segment with ip ident 0
000042: *Jun 16 18:08:55.115 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51764 due to Out-Of-Order Segment with ip ident 0
000043: *Jun 16 18:09:25.759 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51766 due to Out-Of-Order Segment with ip ident 0
000044: *Jun 16 18:09:55.911 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51768 due to Out-Of-Order Segment with ip ident 0
000045: *Jun 16 18:10:26.355 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51770 due to Out-Of-Order Segment with ip ident 0
000046: *Jun 16 18:10:56.367 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51770 due to Out-Of-Order Segment with ip ident 0
000047: *Jun 16 18:11:26.839 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51773 due to Out-Of-Order Segment with ip ident 0
000048: *Jun 16 18:11:57.447 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51774 due to Out-Of-Order Segment with ip ident 0
000049: *Jun 16 18:12:27.691 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51776 due to Out-Of-Order Segment with ip ident 0
000050: *Jun 16 18:12:27.691 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51776 due to Out-Of-Order Segment with ip ident 0
000051: *Jun 16 18:12:57.931 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51777 due to Out-Of-Order Segment with ip ident 0
000052: *Jun 16 18:13:27.975 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51779 due to Out-Of-Order Segment with ip ident 0
Here is the log output when I try to visit YouTube from the AppleTV (IP 192.168.1.102):
000054: *Jun 16 18:13:58.435 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
000055: *Jun 16 18:14:28.559 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51794 due to Out-Of-Order Segment with ip ident 0
000056: *Jun 16 18:14:28.559 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51794 due to Out-Of-Order Segment with ip ident 0
000057: *Jun 16 18:15:36.979 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
000058: *Jun 16 18:16:38.591 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.13:80 192.168.1.102:51800 due to Out-Of-Order Segment with ip ident 0
000059: *Jun 16 18:16:38.591 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.13:80 192.168.1.102:51800 due to Out-Of-Order Segment with ip ident 0
000060: *Jun 16 18:17:08.639 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.13:80 192.168.1.102:51800 due to Out-Of-Order Segment with ip ident 0
000061: *Jun 16 18:17:38.903 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51804 due to Out-Of-Order Segment with ip ident 0
Also, I happened to notice that trying to access YouTube from my desktop computer (192.168.1.112) is also an issue:
000064: *Jun 16 18:18:52.043 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.157.101:80 192.168.1.112:49766 due to Out-Of-Order Segment with ip ident 0
000065: *Jun 16 18:19:32.343 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.157.101:80 192.168.1.112:49765 due to Out-Of-Order Segment with ip ident 0
000067: *Jun 16 18:20:04.939 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.29.22:80 192.168.1.112:49797 due to Out-Of-Order Segment with ip ident 0
000068: *Jun 16 18:20:37.955 PCTime: %FW-6-DROP_PKT: Dropping tcp session 208.117.249.22:80 192.168.1.112:49816 due to Out-Of-Order Segment with ip ident 0
...and Netflix from my desktop computer (182.168.1.112) is also an issue:
000070: *Jun 16 18:21:11.771 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.18.43.163:80 192.168.1.112:49827 due to Out-Of-Order Segment with ip ident 0
000071: *Jun 16 18:21:55.215 PCTime: %FW-6-DROP_PKT: Dropping tcp session 184.73.247.254:80 192.168.1.112:49823 due to Out-Of-Order Segment with ip ident 0
000074: *Jun 16 18:22:31.655 PCTime: %FW-6-DROP_PKT: Dropping tcp session 184.73.247.254:80 192.168.1.112:49823 due to Out-Of-Order Segment with ip ident 0
000075: *Jun 16 18:23:49.935 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
000077: *Jun 16 18:24:39.219 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
000079: *Jun 16 18:25:28.479 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
It looks like the consistent issue is the dropping of "Out-Of-Order Segment." I haven't the faintest idea what that means.
Any ideas on how we can tackle this? Thank you so much!
James E
06-16-2011 05:10 PM
That's what I thought.
In out-of-order packet issues, the main thing would be to contact the service provider and tell them that you are receiving out-of-order packets. If there is no positive answer from your ISP, you can try something that is on the router called the out-of-order buffer; here is the document
If the performance does not improve or the version of your router does not support the parameter map type ooo, the best thing would be contacting the ISP in order to check why you are getting out-of-order packets.
I know what you are thinking. You may say, "Why would I contact the ISP? If no firewall is in place, everything works!" The answer is that, unfortunately, ZBF is very sensitive to out-of-order packets. Many out-of-sequence packets can be a real headache for firewalls, IPS, etc., because this can cause evasion attacks, where the security device cannot see the entire packet to analyze the payload and determine whether it is normal or malicious.
That being said, it is better to drop them if they are suspicious than to just let them pass and cause a bigger issue inside the network.
Hope this explanation serves you well.
Mike
06-16-2011 07:14 PM
So here's what's interesting. If I downgrade the IOS to 124-20.T3 and run the same configuration, then I do not run into this problem. Strange, eh?
Assuming that the above doesn't bring anything new to the conversation, could I change my configuration to ignore out of order packets? If so, could you give me the config line commands to do so?
Thank you very much for the help!
James
p.s. - On a related note, when I'm running the older IOS 12.4.20.T3, here is what I'm seeing the inspect function do now with web traffic from my desktop computer due to "match failure with ip ident 0" (any idea what that is?):
000220: *Jun 16 20:40:54.495 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000221: *Jun 16 20:41:43.863 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000222: *Jun 16 20:42:33.235 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000223: *Jun 16 20:43:22.607 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000224: *Jun 16 20:44:11.979 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000225: *Jun 16 20:45:01.367 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000226: *Jun 16 20:45:50.767 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000227: *Jun 16 20:46:40.155 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000228: *Jun 16 20:47:29.527 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000229: *Jun 16 20:48:18.899 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000230: *Jun 16 20:49:08.271 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000231: *Jun 16 20:49:57.659 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000232: *Jun 16 20:50:47.031 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000233: *Jun 16 20:51:36.399 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000234: *Jun 16 20:52:25.771 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000235: *Jun 16 20:53:15.147 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000236: *Jun 16 20:54:04.515 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000237: *Jun 16 20:54:53.835 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000238: *Jun 16 20:55:43.223 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000239: *Jun 16 20:56:32.595 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000240: *Jun 16 20:57:22.103 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000243: *Jun 16 20:59:00.743 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000244: *Jun 16 20:59:37.927 PCTime: %FW-6-DROP_PKT: Dropping tcp session 216.115.98.241:80 192.168.1.112:49985 due to Stray Segment with ip ident 0
000245: *Jun 16 21:00:15.351 PCTime: %FW-6-DROP_PKT: Dropping tcp session 67.195.160.134:80 192.168.1.112:50045 due to SYN inside current window with ip ident 0
000246: *Jun 16 21:00:51.327 PCTime: %FW-6-DROP_PKT: Dropping tcp session 98.139.51.132:80 192.168.1.112:50067 due to SYN inside current window with ip ident 0
000253: *Jun 16 21:03:16.347 PCTime: %FW-6-DROP_PKT: Dropping tcp session 64.214.227.51:80 192.168.1.112:50440 due to SYN inside current window with ip ident 0
000254: *Jun 16 21:03:56.519 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000255: *Jun 16 21:04:45.855 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000256: *Jun 16 21:05:35.191 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
000257: *Jun 16 21:06:24.531 PCTime: %FW-6-DROP_PKT: Dropping udp session 208.46.117.189:3478 192.168.1.112:51636 due to policy match failure with ip ident 0
James
06-16-2011 07:20 PM
Hi James
Weird, you say? That's my breakfast every day. Yes, you will be able to do so. Is there a possibility that you can run version 15, in order to apply the policy map for OOO packets?
Mike
06-16-2011 07:30 PM
Well, I can download and load 15.1.3.T1. Before I do so, how dramatically different is the 15.X code than the 12.4.X version? I've never run 15.X before and am concerned about how much there might be to learn.
If there is little change, then once I've loaded the 15.1.3.T1 code, what configuration changes would I need to make?
James E
06-16-2011 07:51 PM
Hello,
Not really sure; let's try this first:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_ooop.html
Router(config)# ip inspect tcp reassembly queue length 45
Router(config)# ip inspect tcp reassembly memory limit 200
Another thing: try to remove the HTTP inspection. If none of this works, we will try to move to version 15.
Mike
06-16-2011 07:56 PM
Ok. I will.
To remove the http inspection, do I do the following:
Router(config)# class-map type inspect match-all ccp-protocol-http
Router(config)# no match protocol http
Router(config)#
or this...
Router(config)# policy-map type inspect ccp-inspect
Router(config)# class type inspect ccp-protocol-http
Router(config)# no inspect
Router(config)#
Thanks!
James
06-16-2011 08:04 PM
Hi,
Close,
policy-map type inspect ccp-inspect
no class type inspect ccp-protocol-http
It should fall into the next class which has all tcp and udp, so it will still be inspected, but at layer 3/4 and not at 7.
Let me know how it goes.
Mike
06-16-2011 08:12 PM
OK. I tried the first two configuration lines and am still having the same problem. Here is what is being dropped now by the inspect command:
000133: *Jun 16 22:09:48.879 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51984 due to Out-Of-Order Segment with ip ident 0
000134: *Jun 16 22:10:18.927 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51986 due to Out-Of-Order Segment with ip ident 0
000162: *Jun 16 22:11:50.255 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51991 due to Out-Of-Order Segment with ip ident 0
000163: *Jun 16 22:12:20.547 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51991 due to Out-Of-Order Segment with ip ident 0
000173: *Jun 16 22:12:50.919 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51993 due to Out-Of-Order Segment with ip ident 0
000174: *Jun 16 22:13:21.135 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:51996 due to Out-Of-Order Segment with ip ident 0
Should I try removing the inspect HTTP next?
James E
06-16-2011 08:16 PM
Be my guest.
Mike
06-16-2011 08:18 PM
I removed the HTTP inspect and still get the same problem. I left the other drops from the Internet in the copy/paste in case it triggered any thoughts. Any other observations before we move to 15.1?
James E
-------------------------------
000226: *Jun 16 22:16:23.403 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52005 due to Out-Of-Order Segment with ip ident 0
000227: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.219.172.185:62566 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000228: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 83.227.180.98:30917 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000229: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 173.170.153.175:55164 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000230: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 68.5.31.184:22200 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000231: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 94.202.51.71:58163 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000232: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.196.111.92:27534 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000233: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.135.148.92:11835 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000234: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 74.14.62.45:40739 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000235: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 76.204.46.146:60002 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000236: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.162.165.127:58997 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000237: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 76.23.172.16:36900 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000238: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 72.88.82.107:63796 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000239: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 121.217.136.94:20647 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000240: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 188.182.109.42:18200 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000241: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 112.203.95.53:41589 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000242: *Jun 16 22:16:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.250.170.156:62956 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000243: *Jun 16 22:16:53.431 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52005 due to Out-Of-Order Segment with ip ident 0
000244: *Jun 16 22:17:23.511 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52007 due to Out-Of-Order Segment with ip ident 0
000245: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 178.76.175.39:28195 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000246: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.140.98.49:44400 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000247: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.48.251.162:46586 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000248: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 71.224.104.61:43788 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000249: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 74.70.91.2:62820 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000250: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.144.184.1:40969 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000251: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 24.78.228.141:25018 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000252: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 216.118.146.204:44637 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000253: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 65.27.254.51:31593 => 74.233.55.201:60541 (target:class)-(ccp-zp-out-self:class-default)
000254: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 24.61.175.2:49201 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000255: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 69.206.171.175:33489 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000256: *Jun 16 22:17:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.246.9.100:62274 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000257: *Jun 16 22:17:53.671 PCTime: %FW-6-DROP_PKT: Dropping udp session 216.183.204.177:27197 74.233.55.201:52794 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000258: *Jun 16 22:18:24.235 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52011 due to Out-Of-Order Segment with ip ident 0
000259: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 206.75.2.7:32963 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000260: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 216.183.204.177:27197 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000261: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 98.66.246.59:50219 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000262: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 75.80.218.96:18972 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000263: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 86.184.99.203:54838 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000264: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 107.4.10.85:49237 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000265: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 216.121.222.139:11641 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000266: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 65.9.216.145:19877 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000267: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 204.112.16.105:60675 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000268: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 67.172.28.245:28091 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
000269: *Jun 16 22:18:54.375 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.26.210.253:80 192.168.1.102:52012 due to Out-Of-Order Segment with ip ident 0
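Added example, not part of the original thread: a small Python triage script for the `%FW-6-DROP_PKT` output pasted in the posts above, tallying drops by reason and by LAN host so you can see whether one reason is confined to a single server or spread across the whole path. The sample lines are copied from the thread; the function names and the "self/WAN" label are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Lines copied from the posts above, one or two per message shape seen there.
SAMPLE_LOG = """\
000040: *Jun 16 18:07:54.567 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763 due to Out-Of-Order Segment with ip ident 0
000041: *Jun 16 18:08:24.871 PCTime: %FW-6-DROP_PKT: Dropping tcp session 8.12.223.254:80 192.168.1.102:51763 due to Out-Of-Order Segment with ip ident 0
000054: *Jun 16 18:13:58.435 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
000055: *Jun 16 18:14:28.559 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.45.118:80 192.168.1.102:51794 due to Out-Of-Order Segment with ip ident 0
000057: *Jun 16 18:15:36.979 PCTime: %FW-6-DROP_PKT: Dropping udp session 69.22.151.206:3478 192.168.1.112:55741 due to policy match failure with ip ident 0
000064: *Jun 16 18:18:52.043 PCTime: %FW-6-DROP_PKT: Dropping tcp session 74.125.157.101:80 192.168.1.112:49766 due to Out-Of-Order Segment with ip ident 0
000244: *Jun 16 20:59:37.927 PCTime: %FW-6-DROP_PKT: Dropping tcp session 216.115.98.241:80 192.168.1.112:49985 due to Stray Segment with ip ident 0
000257: *Jun 16 22:17:53.671 PCTime: %FW-6-DROP_PKT: Dropping udp session 216.183.204.177:27197 74.233.55.201:52794 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000259: *Jun 16 22:18:40.251 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 206.75.2.7:32963 => 74.233.55.201:52794 (target:class)-(ccp-zp-out-self:class-default)
"""

# Per-packet drop message. The two endpoints are captured as ep1/ep2 because
# this example does not assume which one the router treats as the source.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<ep1>[\d.]+):(?P<port1>\d+) (?P<ep2>[\d.]+):(?P<port2>\d+) "
    r"(?:on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) )?"
    r"due to\s+(?P<reason>.+?) with ip ident \d+"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr):
    """True when addr is an RFC 1918 (inside) address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_drops(text):
    """Return one dict per DROP_PKT line; LOG_SUMMARY and other lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append(m.groupdict())
    return drops


def split_endpoints(drop):
    """Return (lan_host, remote_host). lan_host is None when neither endpoint
    is RFC 1918, i.e. traffic aimed at the router's own outside address."""
    ep1, ep2 = drop["ep1"], drop["ep2"]
    if is_lan(ep2):
        return ep2, ep1
    if is_lan(ep1):
        return ep1, ep2
    return None, ep1


def summarize(drops):
    """Count drops per (protocol, reason) and per LAN host."""
    by_reason = Counter((d["proto"], d["reason"]) for d in drops)
    by_host = defaultdict(Counter)
    for d in drops:
        lan, _ = split_endpoints(d)
        by_host[lan or "self/WAN"][d["reason"]] += 1
    return by_reason, {h: dict(c) for h, c in by_host.items()}


def reason_scope(drops, reason):
    """LAN hosts and remote servers touched by one drop reason. Many hosts and
    many servers point at the path or the firewall, not at a single site."""
    lans, remotes = set(), set()
    for d in drops:
        if d["reason"] == reason:
            lan, remote = split_endpoints(d)
            if lan:
                lans.add(lan)
            remotes.add(remote)
    return lans, remotes


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    by_reason, by_host = summarize(drops)
    for (proto, reason), n in by_reason.most_common():
        print(f"{n:3d}  {proto:3s}  {reason}")
    for host, reasons in sorted(by_host.items()):
        print(host, reasons)
    print(reason_scope(drops, "Out-Of-Order Segment"))
```

On the sample, the Out-Of-Order drops span both inside hosts and three different servers, while the "policy match failure" drops are a single UDP flow from one host, so the two are separate problems.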
06-16-2011 08:22 PM
One more,
Can you paste the show interface command? Note that the IP addresses will appear there, so feel free to remove them. I want to see if there are any errors on them.
Mike
06-16-2011 08:53 PM
Sure. Here you go:
Router#sh interface
Dialer0 is up, line protocol is up (spoofing)
Hardware is Unknown
Description: $FW_OUTSIDE$
Internet address is xx.xx.xx.xx/32
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 4/255, rxload 61/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 1 seconds on reset
Interface is bound to Vi1
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:03:02
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 42 kilobits/sec
5 minute input rate 382000 bits/sec, 39 packets/sec
5 minute output rate 3000 bits/sec, 7 packets/sec
13530 packets input, 18718598 bytes
4792 packets output, 340730 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 81/255, rxload 67/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoE vaccess, cloned from Dialer0
Vaccess status 0x44, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
Interface is bound to Di0 (Encapsulation PPP)
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters 00:02:39
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 401000 bits/sec, 41 packets/sec
5 minute output rate 18000 bits/sec, 18 packets/sec
12281 packets input, 16894257 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4807 packets output, 341144 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
FastEthernet0 is up, line protocol is down
Hardware is Fast Ethernet, address is 0026.0ba6.e9f4 (bia 0026.0ba6.e9f4)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet1 is up, line protocol is down
Hardware is Fast Ethernet, address is 0026.0ba6.e9f5 (bia 0026.0ba6.e9f5)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet2 is up, line protocol is down
Hardware is Fast Ethernet, address is 0026.0ba6.e9f6 (bia 0026.0ba6.e9f6)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet3 is up, line protocol is down
Hardware is Fast Ethernet, address is 0026.0ba6.e9f7 (bia 0026.0ba6.e9f7)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet4 is up, line protocol is up
Hardware is PQII_PRO_UEC, address is 0026.0ba6.e9f8 (bia 0026.0ba6.e9f8)
Description: $ES_WAN$$FW_OUTSIDE$
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:40, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 408000 bits/sec, 41 packets/sec
5 minute output rate 18000 bits/sec, 18 packets/sec
12354 packets input, 17233288 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
4849 packets output, 440539 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
2 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up
Hardware is NVI
Interface is unnumbered. Using address of wlan-ap0 (0.0.0.0)
MTU 1514 bytes, BW 56 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation UNKNOWN, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 81/255, rxload 67/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoE vaccess, cloned from Dialer0
Vaccess status 0x44, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
Interface is bound to Di0 (Encapsulation PPP)
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters 00:02:40
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 401000 bits/sec, 41 packets/sec
5 minute output rate 18000 bits/sec, 18 packets/sec
12409 packets input, 17070420 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4856 packets output, 344852 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0026.0ba6.e9f4 (bia 0026.0ba6.e9f4)
Description: $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 20000 bits/sec, 22 packets/sec
5 minute output rate 292000 bits/sec, 37 packets/sec
5288 packets input, 469871 bytes, 0 no buffer
Received 85 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
9166 packets output, 12421619 bytes, 0 underruns
0 output errors, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Wlan-GigabitEthernet0 is up, line protocol is up
Hardware is WLAN Gigabit Ethernet, address is 0026.0ba6.e9f8 (bia 0026.0ba6.e9f8)
Description: Internal switch interface connecting to the embedded AP
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:39, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 21000 bits/sec, 22 packets/sec
5 minute output rate 292000 bits/sec, 36 packets/sec
5507 packets input, 514638 bytes, 0 no buffer
Received 190 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
9126 packets output, 12401933 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
3 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
wlan-ap0 is up, line protocol is up
Hardware is wlan-ap, address is 0000.0000.0000 (bia 0000.0000.0000)
Description: Service module interface to manage the embedded AP
Interface is unnumbered. Using address of Vlan1 (192.168.1.1)
MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
ARP type: ARPA, ARP Timeout 00:00:00
Last input 00:02:40, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
1 packets output, 28 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out