Solved: Re: ZBF - Inspection slows down HTTP Downloads

fernandoseidler · ‎03-09-2011

Hi,

I Have a 2821 Router with a IOS Version 12.4(13r)T.

When i enabled the firewall, my download speed slows down to 10-20kbps (the normal is 5-6 Mbps).

Anyone can help?

Thanks

--

Fernando

its.hospitality · ‎04-07-2011

We had the same issue with ZBF and HTTP downloads using a "fast" WAN line (~10 mbps).

I fixed it by increasing the size of the OOO queue and the allocated memory:

1) check your current values:

show parameter-map type ooo global

2) Apply higher values for queue length and memory limit. I am fine with the following:

conf t

parameter-map type ooo global

tcp reassembly queue length 200

tcp reassembly memory limit 4096

Cheers,

Matteo

View solution in original post

praiyeng · ‎03-09-2011

hi ,

Provide the complete ZBF config and enable the following command " ip inspect log drop-pkt"

this would display the log which explains if there is a packet drop due to zbf

fernandoseidler · ‎03-09-2011

i've send the config by message...

praiyeng · ‎03-09-2011

I havent recieved any message yet

fernandoseidler · ‎03-09-2011

i'm sending the zbf configuration

i've erased the acl rules...

fernandoseidler · ‎03-09-2011

The ZBF is dropping the packets:

Mar 9 15:52:02: %FW-6-DROP_PKT: Dropping tcp session 200.237.193.51:80 my_ip_address:44520 due to Out-Of-Order Segment with ip ident 0

any idea?

PAUL GILBERT ARIAS · ‎03-09-2011

Fernando, have you tried disabling http inspection just to make check if that is the issue?

its.hospitality · ‎04-07-2011

We had the same issue with ZBF and HTTP downloads using a "fast" WAN line (~10 mbps).

I fixed it by increasing the size of the OOO queue and the allocated memory:

1) check your current values:

show parameter-map type ooo global

2) Apply higher values for queue length and memory limit. I am fine with the following:

conf t

parameter-map type ooo global

tcp reassembly queue length 200

tcp reassembly memory limit 4096

Cheers,

Matteo

fernandoseidler · ‎04-07-2011

Hi Matteo,

Thank you VERY MUCH!

The solution works perfectly...

Downloads are OK now...

Thanks!

Fernando

its.hospitality · ‎04-13-2011

Thanks for your message; we have created a ticket with the id "[scescs #1244875]" for your request.

There is no need to reply to this message right now. However if you reply, please use in the subject line. That allows us to attach your reply to the ticket.

Sincerely,

your IT Support Team

blumoorpheus · ‎05-19-2011

Hi,

i have the same problem fernando, but, on the Cisco 877, the parameter (parameter-map type ooo global) does not work.

My ios is 12.4(24).T4

L'help for the command "parameter-map type" is:

Avezzano(config)#parameter-map type ?
                           consent        Parameter type consent
                           inspect        inspect parameter-map
                           protocol-info protocol-info parameter-map
                           regex          regex parameter-map
                           trend-global   Trend global parameter-map
                           urlf-glob      URLF glob parameter-map
                           urlfpolicy     Parameter maps for urlfilter policy

Pls help me.

X Matteo Castelli

cioa Matteo, vedo che sei italiano.

Come ho detto sopra i comandi da te specificati, nell'877 non funzionano.

Hai idea di come aumentare la coda e la quantità di memoria su questo router?

fernandoseidler · ‎05-19-2011

Hi Franco

It appears that command "parameter-map type ooo..." was introduced in IOS 15.0(1)M. Before that, the out-of-order packet processing was only supported in the classic firewall, not Zone Based Firewall.

If you upgrade your IOS, the command will work...

Sorry for my english...