06-15-2011 08:50 PM - edited 03-11-2019 01:45 PM
All,
I suspect that I am experiencing performance issues related to my firewall zone configuration AND/OR the inspection being done on packets. With that in mind, I have two basic questions based on my attached configuration:
1.) In looking at my configuration, what purpose do these default firewall zones AND inspect commands have for this router, which I am using on a plain DSL connection in my home?
2.) Could any part of this configuration be responsible for slowing down some of my home devices such as my AppleTV for streaming Netflix, YouTube?
The router is a 881W and is running 12.4.24.T5. If you feel that any parts of this configuration are unnecessary and might be contributing to my performance issues, please feel free to chime in.
Thank you for the help!
James E
06-20-2011 02:24 PM
Hi,
I will say there is no need to.... at this point. Let's go ahead and focus on the other drops.
Mike
06-20-2011 07:51 PM
Maykol:
At a high level, over a nine-hour period, there were over 300 entries of sessions dropped by INSPECT. While no unusual interruptions were experienced by my devices, I'm struggling to understand why INSPECT would drop these sessions at all. There were dozens of sessions by my consumer devices that had packets dropped. Below are just a few examples where I drilled down into the details.
I'm interested to hear your thoughts.
James
------------------------
Apple iPad using Safari to search on Google.
While the search isn't visibly impacted on the iPad, the inspect is dropping packets related to HTTP sessions:
001432: Jun 20 22:22:42.970 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.8.208:80 192.168.1.103:54659 due to Stray Segment with ip ident 0
001433: Jun 20 22:23:13.158 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.8.208:80 192.168.1.103:54686 due to Stray Segment with ip ident 0
001434: Jun 20 22:23:45.250 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.103:54699 173.194.8.208:80 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
001435: Jun 20 22:24:15.710 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.103:54711 173.194.8.208:80 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
001436: Jun 20 22:24:52.018 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.103:54719 173.194.8.208:80 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
Apple iPhone pinging DHCP provided DNS Servers
It appears that an application on the Apple iPhone is attempting to ping the DNS Servers that were provided via DHCP. I'm not sure why the firewall would care to drop these attempts since pings from the inside to outside are permitted.
001252: Jun 20 18:45:51.819 PCTime: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.101:0 205.152.132.23:0 on zone-pair ccp-zp-in-out class ccp-insp-traffic with ip ident 0
001253: Jun 20 18:46:22.251 PCTime: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.101:0 205.152.132.23:0 on zone-pair ccp-zp-in-out class ccp-insp-traffic with ip ident 0
001254: Jun 20 18:46:53.703 PCTime: %FW-6-DROP_PKT: Dropping tcp session 72.21.91.19:80 192.168.1.101:51393 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
001255: Jun 20 18:47:33.255 PCTime: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.101:0 205.152.132.23:0 on zone-pair ccp-zp-in-out class ccp-insp-traffic with ip ident 0
Desktop Surfing of ebay.com
Again, not sure why INSPECT is dropping these packets:
001323: Jun 20 20:44:27.991 PCTime: %FW-6-DROP_PKT: Dropping tcp session 80.12.192.107:80 192.168.1.107:50946 due to SYN inside current window with ip ident 0
001325: Jun 20 20:47:41.983 PCTime: %FW-6-DROP_PKT: Dropping tcp session 80.12.192.105:80 192.168.1.107:50965 due to SYN inside current window with ip ident 0
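As an added example (not part of this thread or of any Cisco tool), here is a small Python script that parses %FW-6-DROP_PKT lines like the ones quoted above and tallies them by drop reason, direction and inside host, which is the first thing to check when deciding whether the drops are return traffic of legitimate sessions. The sample lines are constructed from the thread's messages, and the 192.168.1.0/24 inside network is an assumption taken from the addresses seen here.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines, modeled on the %FW-6-DROP_PKT messages quoted above
SAMPLE_LOG = """\
001432: Jun 20 22:22:42.970 PCTime: %FW-6-DROP_PKT: Dropping tcp session 173.194.8.208:80 192.168.1.103:54659 due to Stray Segment with ip ident 0
001434: Jun 20 22:23:45.250 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.103:54699 173.194.8.208:80 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
001252: Jun 20 18:45:51.819 PCTime: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.101:0 205.152.132.23:0 on zone-pair ccp-zp-in-out class ccp-insp-traffic with ip ident 0
001323: Jun 20 20:44:27.991 PCTime: %FW-6-DROP_PKT: Dropping tcp session 80.12.192.107:80 192.168.1.107:50946 due to SYN inside current window with ip ident 0
"""

# Assumed inside (LAN) network for this home router
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# Zone-pair/class and "due to <reason>" are optional, as the sample lines show
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r"(?: due to (?P<reason>.+?))? with ip ident (?P<ident>\d+)"
)

def parse_drops(text):
    """Return one dict per %FW-6-DROP_PKT line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["reason"] = rec["reason"] or "no reason given"
        # The message prints the packet as <src> <dst>: a LAN-side source is an
        # outbound packet, anything else is return traffic of an inside session.
        src_inside = ipaddress.ip_address(rec["src"]) in INSIDE_NET
        rec["direction"] = "outbound" if src_inside else "return"
        rec["inside_host"] = rec["src"] if src_inside else rec["dst"]
        rec["outside_host"] = rec["dst"] if src_inside else rec["src"]
        rec["outside_port"] = rec["dport"] if src_inside else rec["sport"]
        records.append(rec)
    return records

def summarize(records):
    """Counters a practitioner would look at first when triaging the drops."""
    return {
        "by_reason": Counter(r["reason"] for r in records),
        "by_direction": Counter(r["direction"] for r in records),
        "by_inside_host": Counter(r["inside_host"] for r in records),
        "by_server": Counter((r["outside_host"], r["outside_port"]) for r in records),
    }

if __name__ == "__main__":
    for name, counter in summarize(parse_drops(SAMPLE_LOG)).items():
        print(name, dict(counter))
```

Feeding it the full router log instead of SAMPLE_LOG shows at a glance whether the "Stray Segment" drops are mostly return packets of established port 80 sessions, which is what the out-of-order discussion in this thread is about.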
06-20-2011 08:11 PM
Hi James!
I am glad to hear that there are no issues with jitter anymore; however, this is disturbing. Reading from the Cisco document:
SYN inside current window:
A synchronization packet is seen within the window of an already established TCP connection.
Stray Segment
A TCP segment is received that should not have been received through the TCP state machine such as a TCP SYN packet being received in the listen state.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1048887
Now, this may not be as explicit as other versions, but with all of these packets with stray segment, I'm starting to think that they could be the same out-of-order packets.
Maybe this version handles the ones that come on port 80 with streaming better than the ones that come from other port 80 sessions.
In any case, we can confirm this if you put the commands for OoO packets that I gave you.
Try that out and let me know.
Mike Rojas
06-20-2011 09:07 PM
Ok. I applied these rules:
parameter-map type ooo global
tcp reassembly memory limit 2048
tcp reassembly queue length 85
tcp reassembly timeout 54
As well, I attached my updated config to this note. Take a look.
Let's see how the config change works tomorrow. I'll circle back tomorrow night and let you know.
Thanks,
James
06-20-2011 09:20 PM
Excellent, keep me posted.
Mike
06-21-2011 03:22 PM
Mike,
It looks like we are still experiencing some drops due to INSPECT from the inside to outside. At a summary level, here is what we are seeing:
due to Stray Segment with ip ident 0
due to SYN inside current window with ip ident 0
These drops are occurring with no visible impact during computer HTTP and HTTPS web surfing (port 80 and 443).
Attached are the details. Let me know what you think.
James E
06-22-2011 01:54 PM
Weird, the debug policy firewall works now, can you please do it?
Mike
06-22-2011 01:55 PM
I'm sorry. I do not understand.
What would you like me to do?
James
06-22-2011 02:05 PM
Duh! I guess I didn't tell you about that yet, I thought I had. Please do the following:
access-list 140 permit ip any host
debug policy-firewall list 140
debug policy-firewall protocol tcp
debug policy-firewall protocol http
debug policy-firewall events
debug policy-firewall detail
*The IP address of a website that you have troubles with streaming via HTTP.
Cheers.
Mike
06-22-2011 06:07 PM
Mike,
I implemented the original access-list 140 with a number of IP addresses but couldn't seem to hit them exactly. This is probably difficult to accomplish when using such large sites as Yahoo, Google and YouTube, which have hundreds of IP addresses in their networks.
Nonetheless, I did configure the access-list with my local computer's private IP address, enabled the debug commands and surfed to some of the websites to see if we could generate some interesting debug information to help us further troubleshoot INSPECT dropping the packets. I've attached that output to this email.
Let me know if you see anything that helps us further troubleshoot or if you need another sample.
Thanks.
James
06-23-2011 11:23 AM
Is the inspection for HTTP off at this point? Or did you put it back again?
Can you paste the latest running config?
Mike
06-23-2011 11:29 AM
I did not change any of the INSPECT or the zone based firewall config. I only added the access-list 140 and enabled the "debug" commands at the # prompt.
I can post the running config late tonight if needed.
James
06-23-2011 11:57 AM
Please do, I think I have something in mind.
Mike
06-23-2011 03:28 PM
06-27-2011 07:22 PM
Mike,
Did you get a chance to review my latest config? I'm interested to hear what you have in mind.
Thanks!
James E