ZBF, "match protocol http" makes youtube and some other sites un - Page 2

Utair Corporation · ‎07-24-2013

Hi, Cisco 7201, IOS:

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)

I have implemented zone based firewall with LAN 2 INET policy like:

class-map type inspect match-any CLASS_LAN2INET

match protocol http

match protocol https

match protocol tcp

match protocol udp

match protocol tcp

policy-map type inspect LAN2INET

class type inspect CLASS_LAN2INET

inspect

class class-default

pass

!

many downloads gets stalled, slowed down, sky.fm radio plays with pauses, youtube page get loaded but videos not played.

some (some!) dowloads proceed without problems, like http://ftp.freebsd.org

web pages gets opened mostly without problem

First i blamed ISP, they checked their side and didn't find any problems.

Then is disabled firewall (should have to try it first) and everything started to work like a charm.

Then i narrowed down to removing "match protocol http".

If not use "match protocol http", everything works ok.

Is it a bug, is there a fix? any options to tweak "http"?

Utair Corporation · ‎07-30-2013

Because the firewall is lettting you know that......

Where?

Log message states session details, not single packet direction.

Julio Carvajal · ‎07-30-2013

So eventough the router let;s you know the OOO packets are from LAN->INET you still think they are from INET-LAN

Well, I think my time is done here (I have answered like 20 times, not a single point ) but that's okey...

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Utair Corporation · ‎07-31-2013

Here is your points, but. Don't get me wrong, i want to get deep into this problem.

So eventough the router let;s you know the OOO packets are from LAN->INET you still think they are from INET-LAN

Router said:

session 10.10.10.128:55548 to 46.61.155.145:80 on zone-pair zp_LAN2INET class zbfc_INSPECT_OUT

It was Session created by zone-pair and class.

But it also stated that:

Dropping TCP Segment: seq:1998720862 1500 bytes

There is no single byte of data being send to youtube except for empty data ACK packets. Which tells us its INET->LAN direction.

Julio Carvajal · ‎07-31-2013

Hello Utair,

You told my that the PC is directly connected to the router right?

If that's correct you are right, it does not make sense!!

Looks like the router is showing information incorrectly

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Utair Corporation · ‎10-14-2013

Come to URL filtering and stuck with this problem again. URL filtering requires "match protocol http" in class-map and there is no way i could influence our service provider to even try resolving out-of-order packets problem. They are biggest national ISP and has worst helpdesk ever.

Is there a way to fine-tune inspection engine to just ignore out-of-order problem?

Julio Carvajal · ‎10-14-2013

Hello Utair,

The only way to ignore those packets it's by no inspecting the traffic (using pass) but if you do that then you will not be able to use a L7 policy-map.

As we have spoke before the parameter-map is the only variable available for such traffic.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ZBF, "match protocol http" makes youtube and some other sites unusable