03-16-2019 05:56 PM - edited 03-16-2019 05:59 PM
Cisco 3825 routing two vlans. ZBF setup between the two vlans to only allow ssh/http/https. Connections are working but when ssh'd into server the session "locks up" for a short period. I can most easily see this when in a session I have the server do a persistent ping to its gateway IP. They reply but periodically the replies stop, then continue. When they continue the icmp_seq counter has no gaps. It's like the screen stops painting because no replies are missed, just the running output is suspended temporarily. It lasts about 10-20 seconds from what I can tell. The sessions also close unexpectedly and (so far) I cannot correlate it to inactivity.
Question is, does this sound like something related to ZBF? I have a persistent ping running from a PC in vlan 100 to the outside and it does NOT suffer the lock-ups. That route traverses a different ZBF pair through this same router. FWIW - I tried replacing the target server to rule out the unit and it also suffers the same.
The intent is to allow only vlan 100 hosts to connect to the host at 172.26.214.3 using ssh/http/https. I'm no ZBF Yoda so maybe there's a better way to code this?
Thanks for any help.
class-map type inspect match-all ACCESS-TO-HTTP-80-CMAP
 match access-group name LAN-TO-HTTP
 match protocol http
class-map type inspect match-all ACCESS-TO-HTTP-22-CMAP
 match access-group name LAN-TO-HTTP
 match protocol ssh
class-map type inspect match-all ACCESS-TO-HTTP-443-CMAP
 match access-group name LAN-TO-HTTP
 match protocol https
!
policy-map type inspect ACCESS-TO-HTTP-PMAP
 class type inspect ACCESS-TO-HTTP-80-CMAP
  inspect
 class type inspect ACCESS-TO-HTTP-443-CMAP
  inspect
 class type inspect ACCESS-TO-HTTP-22-CMAP
  inspect
 class class-default
  drop
!
zone security LAN
zone security HTTP
!
zone-pair security LAN-TO-HTTP source LAN destination HTTP
 service-policy type inspect ACCESS-TO-HTTP-PMAP
!
interface GigabitEthernet2/0.100
 description user_vlan
 encapsulation dot1Q 100
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
!
interface GigabitEthernet2/0.443
 description webserver_vlan
 encapsulation dot1Q 443
 ip address 172.26.214.2 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 zone-member security HTTP
!
ip access-list extended LAN-TO-HTTP
 permit ip 192.168.1.0 0.0.0.255 host 172.26.214.3
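For the "better way to code this" question: the same intent (only 192.168.1.0/24 to host 172.26.214.3 on ssh/http/https, everything else dropped) can be expressed with a single match-all class that nests one match-any protocol class, so the ACL is matched once instead of three times. This is an added example, not the poster's configuration; the class-map and policy-map names (WEB-SSH-PROTOS-CMAP, LAN-TO-HTTP-CMAP, LAN-TO-HTTP-PMAP) are assumed, and `drop log` is used in class-default so denied flows are visible in the log.

```cisco
! Added example, not the original poster's config.
! Same ACL as in the post: only the user VLAN may reach the web server.
ip access-list extended LAN-TO-HTTP
 permit ip 192.168.1.0 0.0.0.255 host 172.26.214.3
!
! Nested match-any class: any one of the three allowed protocols.
class-map type inspect match-any WEB-SSH-PROTOS-CMAP
 match protocol ssh
 match protocol http
 match protocol https
!
! Outer match-all class: the ACL AND one of the allowed protocols.
class-map type inspect match-all LAN-TO-HTTP-CMAP
 match access-group name LAN-TO-HTTP
 match class-map WEB-SSH-PROTOS-CMAP
!
! Stateful inspection for the allowed class; log what gets dropped
! so policy denials can be told apart from other causes of lost sessions.
policy-map type inspect LAN-TO-HTTP-PMAP
 class type inspect LAN-TO-HTTP-CMAP
  inspect
 class class-default
  drop log
!
zone security LAN
zone security HTTP
!
! Unidirectional pair: LAN initiates, return traffic is allowed by the
! inspect session state; HTTP cannot initiate toward LAN.
zone-pair security LAN-TO-HTTP source LAN destination HTTP
 service-policy type inspect LAN-TO-HTTP-PMAP
```

`show policy-map type inspect zone-pair sessions` lists the inspected SSH/HTTP/HTTPS sessions and their idle timers, which is the first thing to check when a session closes unexpectedly.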
03-17-2019 12:56 AM
Fixed the issue with an IOS update. There were no specific points in release notes about this but it fixed it. Now running c3750-advipservicesk9-mz.122-46.SE.bin. Or maybe it was the fourth reset.