02-07-2012 04:50 AM - edited 03-11-2019 03:25 PM
I have a customer with an 877 series router with a zone-based firewall configuration. If they try to download anything the speed slows to a crawl and becomes almost unresponsive. I have tested with the zone pairs unapplied and it is fine. Can anyone point out what I need to remove/change from this config to improve things? Many thanks in advance.
02-07-2012 06:46 AM
If they are http downloads, you can try to remove the http inspections on your policy.
class-map type inspect match-any ccp-cls-insp-traffic
 no match protocol http
policy-map type inspect ccp-inspect
 no class type inspect ccp-protocol-http
Then, if the issue persists, you can enable the logs of the zone-based firewall to see if packets are being dropped:
router(config)# ip inspect log drop-pkt
Then enable the logs and see what appears there; if you get drops due to straight segment, most likely they are out-of-order packets and you will need to double-check the link with your ISP. Other logs may tell you that they are indeed out-of-order packets.
The reason why it works with the zone-based firewall off is because (if the root cause is out-of-order packets and not just the inspection causing delay) the router doesn't care if the packets come out of order; it is just in charge of routing them.
Let me know if you have questions.
Mike
02-07-2012 07:58 AM
Thanks for the reply. I am sure I have tried removing the inspection and it didn't help. I will try it again tomorrow just in case. I will let you know how I get on.
02-07-2012 08:17 AM
Fair enough,
Keep me updated.
Mike
02-09-2012 06:33 AM
I tried taking the http inspection rules out and had the same problem.
Debug messages:
000168: Feb 9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000169: Feb 9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0
000170: Feb 9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000171: Feb 9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823 due to Out-Of-Order Segment with ip ident 0
000172: Feb 9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897 due to Out-Of-Order Segment with ip ident 0
000173: Feb 9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0
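A small triage script for the %FW-6-DROP_PKT lines above, added here as an example and not part of the thread. It assumes only the message shape shown in the post and runs over constructed sample lines using documentation-range addresses, counting drops by reason, inspected service and source so that link-wide reordering can be told apart from one source hitting one service.

```python
import re
from collections import Counter, namedtuple

# Shape of the IOS zone-based firewall drop message quoted in the post:
# "%FW-6-DROP_PKT: Dropping tcp session SRC:PORT DST:PORT due to REASON with ip ident N"
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)
Drop = namedtuple("Drop", "proto src sport dst dport reason ident")


def parse_drop(line):
    # Return a Drop for an %FW-6-DROP_PKT line, or None for any other syslog line.
    m = DROP_RE.search(line)
    if m is None:
        return None
    return Drop(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["reason"], int(m["ident"]))


def summarize(lines):
    # Count drops by reason, by inspected service (dst:port) and by source.
    # Out-Of-Order drops spread across many flows and services point at the
    # link reordering packets; one source hammering one service does not.
    drops = [d for d in map(parse_drop, lines) if d is not None]
    return {
        "total": len(drops),
        "by_reason": Counter(d.reason for d in drops),
        "by_service": Counter(f"{d.dst}:{d.dport}" for d in drops),
        "by_source": Counter(d.src for d in drops),
    }


# Constructed sample lines modelled on the debug output in the post (not the real log).
SAMPLE_LOG = [
    "000201: Feb 9 14:30:01.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0",
    "000202: Feb 9 14:30:31.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.9:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0",
    "000203: Feb 9 14:31:02.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0",
    "000204: Feb 9 14:31:40.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.44:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0",
    "000205: Feb 9 14:32:00.000 gmt: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```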
02-09-2012 12:47 PM
Just what I suspected. Would you be able to contact your Carrier and check their circuit?
Mike
02-10-2012 12:25 AM
Hi Mike. I found this thread and think it may be the answer to my problem. I am going to give it a try in the next few days. I am very busy at the moment and going on leave next week, so I cannot guarantee it will be done next week, but I will let you know how it goes.
http://www.dslreports.com/forum/remark,24332834
Thanks for your assistance with this.
02-10-2012 02:46 PM
If I am not mistaken, that parameter map for OoO packets is available on version 15 and higher. It may alleviate the issue (it never worked for me, though), but if it does, then great. Let me know how it goes.
Mike.
02-16-2012 06:51 AM
Not an option to upgrade, unfortunately. Not enough RAM or flash on the router.
Looks like we will have to rebuild the router without the zone based firewall.
Oh well. Thanks for your input anyway.
06-28-2012 11:55 AM
Hi, I had exactly the same experience on an SR520 (basically an 877 with a different case), so maybe the 877 is not up to ZBFW, but having said that, the CPU never really broke a sweat. Speedtest just showed upload and download running at about 25% of what they did on the classic firewall.
This is our home router, so we had a chance to play, but I couldn't get the performance to match the classic, so we're back on that. Might be a software version thing. I don't have SMARTnet, so I can't test this.
Nick