Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2290
Views
0
Helpful
9
Replies

Zone based firewall slowing downloads

mbluemel
Level 1
Level 1

‎02-07-2012 04:50 AM - edited ‎03-11-2019 03:25 PM

I have a customer with an 877 series router with a zone-based firewall configuration. If they try to download anything the speed slows to a crawl and becomes almost unresponsive. I have tested with the zone pairs unapplied and it is fine. Can anyone point out what I need to remove/change from this config to improve things? Many thanks in advance.

Labels:
121923-tpastac.txt.zip
0 Helpful
9 Replies 9

Maykol Rojas
Cisco Employee
Cisco Employee

‎02-07-2012 06:46 AM

If they are http downloads, you can try to remove the http inspections on your policy.

class-map type inspect match-any ccp-cls-insp-traffic

no match protocol http

policy-map type inspect ccp-inspect

no class type inspect ccp-protocol-http

Then, if the issue persist, you can enable the logs of Zone based to see if packets are being dropped

router(config)# ip inspect log drop-pkt

Then enable the logs and see what appears there, if you get drops due to straight segment mostlikely they are Out of Order packets and you will need to double check the link with your ISP. Other logs may tell you that they are indeed out of order packets.

The reason why it works with the Zone based off, is because (if the root cause is out of order and not just the inspection causing delay) the Router dont care if the packets come out of Order, it is just in charge of routing them.

Let me know if you have questions.

Mike

Mike
0 Helpful

mbluemel
Level 1
Level 1
In response to Maykol Rojas

‎02-07-2012 07:58 AM

Thanks for the reply. I am sure I have tried removing the inspection and it didnt help. I will try it again tomorrow just in case. I will let you know how I get on.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to mbluemel

‎02-07-2012 08:17 AM

Fair enough,

Keep me updated.

Mike

Mike
0 Helpful

mbluemel
Level 1
Level 1
In response to Maykol Rojas

‎02-09-2012 06:33 AM

I tried taking the http inspection rules out and had the same problem.

debug messages :

000168: Feb  9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0

000169: Feb  9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846  due to  Out-Of-Order Segment with ip ident 0

000170: Feb  9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0

000171: Feb  9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823  due to  Out-Of-Order Segment with ip ident 0

000172: Feb  9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897  due to  Out-Of-Order Segment with ip ident 0

000173: Feb  9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25  due to  Retransmitted Segment with Invalid Flags with ip ident 0

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to mbluemel

‎02-09-2012 12:47 PM

Just what I suspected. Would you be able to contact your Carrier and check their circuit?

Mike

Mike
0 Helpful

mbluemel
Level 1
Level 1
In response to Maykol Rojas

‎02-10-2012 12:25 AM

Hi Mike. I found this thread and think it may be the answer to my problem. I am going to try and give it a try in the next few days. I am very busy at the moment and going on leave next week so cannot guarantee it will be done next week but I will let you know how it goes.

http://www.dslreports.com/forum/remark,24332834

Thanks for your assistance with this.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to mbluemel

‎02-10-2012 02:46 PM

If I am not mistaken, that parameter map for OoO packets is available on version 15 and higher, it may alleviate the issue, (never worked for me thou) but, if it does, then great. Let me know how it goes.

Mike.

Mike
0 Helpful

mbluemel
Level 1
Level 1
In response to Maykol Rojas

‎02-16-2012 06:51 AM

Not an option to upgrade unfortunately. Not enough ram or flash on the router.

Looks like we will have to rebuild the router without the zone based firewall.

Oh well. Thanks for your input anyway.

0 Helpful

nickbrooker
Level 1
Level 1

‎06-28-2012 11:55 AM

Hi, I had exactly the same experience on an SR520 (basically an 877 with a different case) so maybe the 877 is not up to ZBFW but having said that the CPU never really broke a sweat.  Speedtest just showed up and downloaded running about 25% of what they did on the classic firewall.

This is our home router so we had a chance to play but I couldn't get the performace to match the classic so we're back on that. Might be a software version thing.  I don't have smartnet so I can't test this.

Nick

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card