
Traffic problems Cisco 2801 w/ IOS Firewall

curtis
Level 1

I have about 300 users going through a Cisco 2801 router with IOS Firewall to get to the internet. All of these users have to go through a proxy server to get to the internet and that server sits on the other side of the T1 from this router. So, I have numerous connections to the proxy server going through this router at one time. The internet at times is slow or sometimes non-responsive when I have ip inspect and access lists enabled. When I take the ip inspect and access lists off the interfaces everything seems to work normally. I have tweaked the one-minute max high to 2500 and low to 1000, because I was getting warnings from the logs saying the one-minute thresholds have been met. Is bypassing all source LAN traffic from being inspected when the destination is the proxy server across the T1 a good idea, or is that even possible? If so, how do you do that?

Config is attached.

1 Reply

vlad.dercaci
Level 1

Your problem seems to be that the max threshold is too low and probably sometimes the connections are dropped. Try a higher one-minute max. I don't think that bypass should be the solution. The idea is to control the flow through the internet. So try a higher max high one-minute and, in order to avoid CPU overloading and DoS attacks, tweak max-incomplete connections high to a decent limit. (Look in whitepapers to see the max connections supported by your router - but don't set it to that limit - max incomplete + one minute high - more than 70%.) And be sure that your output from your clients is on ports higher than 1024.
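
An added example, not part of either post and not taken from the attached config: the threshold tuning the reply describes, written as IOS global configuration. All numeric values are constructed for illustration; the per-host line goes beyond the reply and is included because every client session in this setup terminates on the same proxy address.

```cisco
! Added example. Values are constructed, not recommendations: size them
! against the session capacity documented for your platform and keep
! (max-incomplete high + one-minute high) within the margin the reply suggests.
!
configure terminal
 !
 ! Rate of new half-open sessions per minute.
 ! The original post had these at high 2500 / low 1000 and still hit the limit.
 ip inspect one-minute high 4000
 ip inspect one-minute low 3000
 !
 ! Total number of half-open sessions the firewall tolerates before it
 ! starts deleting them; low is where it stops deleting.
 ip inspect max-incomplete high 2000
 ip inspect max-incomplete low 1500
 !
 ! Half-open TCP sessions allowed toward a single destination host.
 ! With ~300 clients all connecting to one proxy, this per-host counter
 ! sees every session, so check it alongside the global thresholds.
 ! block-time 0 deletes the oldest half-open session instead of blocking
 ! the host outright.
 ip inspect tcp max-incomplete host 500 block-time 0
 !
end
!
! Verify what is actually in effect and how many sessions are open
! while users report slowness.
show ip inspect config
show ip inspect sessions
```

Compare the session counts from `show ip inspect sessions` during a slow period with the configured thresholds before raising them further; if the counts are nowhere near the limits, the thresholds are not what is dropping traffic.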
