07-24-2013 10:01 PM - edited 03-11-2019 07:16 PM
Hi, Cisco 7201, IOS:
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)
I have implemented a zone-based firewall with a LAN-to-INET policy like:
! Traffic from LAN to INET that is inspected; "match protocol http" is the
! entry that triggers L7 HTTP inspection
class-map type inspect match-any CLASS_LAN2INET
 match protocol http
 match protocol https
 match protocol tcp
 match protocol udp
!
policy-map type inspect LAN2INET
 class type inspect CLASS_LAN2INET
  inspect
 class class-default
  pass
!
Many downloads get stalled or slowed down, sky.fm radio plays with pauses, and the YouTube page loads but videos are not played.
Some (some!) downloads proceed without problems, like http://ftp.freebsd.org
Web pages mostly open without problems.
First I blamed the ISP; they checked their side and didn't find any problems.
Then I disabled the firewall (I should have tried that first) and everything started to work like a charm.
Then I narrowed it down to removing "match protocol http".
If I don't use "match protocol http", everything works OK.
Is it a bug? Is there a fix? Any options to tweak "http"?
07-30-2013 08:29 PM
Because the firewall is letting you know that......
Where?
The log message states session details, not the direction of a single packet.
07-30-2013 11:03 PM
So even though the router lets you know the OOO packets are from LAN->INET, you still think they are from INET->LAN?
Well, I think my time is done here (I have answered like 20 times, not a single point), but that's okay...
Cheers,
Julio Carvajal Segura
07-31-2013 02:24 AM
Here are your points, but don't get me wrong, I want to get deep into this problem.
So even though the router lets you know the OOO packets are from LAN->INET, you still think they are from INET->LAN?
The router said:
session 10.10.10.128:55548 to 46.61.155.145:80 on zone-pair zp_LAN2INET class zbfc_INSPECT_OUT
That was the session created by the zone-pair and class.
But it also stated:
Dropping TCP Segment: seq:1998720862 1500 bytes
There is not a single byte of data being sent to YouTube except for empty ACK packets, which tells us it is the INET->LAN direction.
07-31-2013 10:12 AM
Hello Utair,
You told me that the PC is directly connected to the router, right?
If that's correct, you are right, it does not make sense!!
It looks like the router is showing the information incorrectly.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
10-14-2013 04:43 AM
I came to URL filtering and got stuck with this problem again. URL filtering requires "match protocol http" in the class-map, and there is no way I could influence our service provider to even try resolving the out-of-order packets problem. They are the biggest national ISP and have the worst helpdesk ever.
Is there a way to fine-tune the inspection engine to just ignore the out-of-order problem?
10-14-2013 06:14 AM
Hello Utair,
The only way to ignore those packets is by not inspecting the traffic (using pass), but if you do that then you will not be able to use a L7 policy-map.
As we have discussed before, the parameter-map is the only variable available for such traffic.
Regards,
Jcarvaja
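Added example, not posted by either participant in this thread: the parameter-map mentioned above is the out-of-order (OOO) reassembly parameter-map, which is the knob that controls how many reordered TCP segments the firewall buffers before it drops them for sessions that need L7 inspection (the "Dropping TCP Segment" messages quoted earlier). The example below keeps the thread's own class-map and policy-map and adds a global OOO parameter-map. The numeric values are illustrative assumptions, not recommendations for this router; the exact limits accepted, and whether this parameter-map exists on a given release and platform, should be checked against the IOS documentation for that release.

```cisco
! Added example, not from the original thread. Global OOO reassembly
! parameters for Zone-Based Policy Firewall. Values are assumptions
! chosen for illustration; check the limits supported on your release.
parameter-map type ooo global
 ! maximum reordered segments buffered per TCP session before dropping
 tcp reassembly queue length 256
 ! memory (KB) reserved for all reassembly queues on the router
 tcp reassembly memory limit 4096
 ! seconds to wait for a missing segment before giving up on it
 tcp reassembly timeout 5
 ! emit a syslog message when a queue overflows and segments are dropped
 tcp reassembly alarm on
!
! Inspection policy as posted in the thread; "match protocol http" is
! what enables L7 inspection and therefore TCP reassembly for port 80.
class-map type inspect match-any CLASS_LAN2INET
 match protocol http
 match protocol https
 match protocol tcp
 match protocol udp
!
policy-map type inspect LAN2INET
 class type inspect CLASS_LAN2INET
  inspect
 class class-default
  pass
!
! Verification after applying the change (exec mode):
! show parameter-map type ooo global
! show policy-map type inspect zone-pair zp_LAN2INET sessions
```

Raising the queue length and memory limit only helps when the missing segment eventually arrives within the timeout; if the ISP path actually loses segments rather than reordering them, the firewall will still drop the queued data once the timer expires, and the only remaining options are the ones already named in the thread: keep "pass" for that traffic, or drop the L7 match so the session is inspected at L4 only.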