
CBAC configured on 2800 router.

johnleeee
Level 1

Hi all,

I need urgent help about CBAC configured on our 2821 router.

We have a configuration as obvious as it can be: one inside interface (Ethernet) and an outside serial interface, with CBAC applied OUT and an inside ACL. For us it is crucial to connect our users to the Internet, but with this feature the Internet is so slow it is almost unusable.

I discovered with Ethereal that my client obtains the DNS IP address, but after it sends a SYN packet to connect it doesn't receive a SYN ACK packet, and it tries to send the SYN packet again and so on. What I see is that my browser window is white. When I repeat this process (press the refresh button) it sometimes proceeds correctly.

BUT when we use reflexive ACLs instead of CBAC it functions well. I think that sometimes Cisco advertises features which don't function.

We use ADV SEC IOS 12.3.14T.

For us it is crucial to maintain CBAC.

Can someone help us?

Is there some bug in this release?

BR

jl

20 Replies

dominic.caron
Level 5

Hi John,

I'd like to help you but you'll have to give more info on your config.

Please send: sh ip inspect all

And please give me the ACL for exiting traffic.

Would be nice also to have the output from a

debug ip inspect object-creation

debug ip inspect object-deletion

debug ip inspect event

debug ip inspect tcp

while you are trying to exit your network

Hi,

Did many debugs but I don't know how to explain the data.

In the log, I have some Drop pkt.

But users complain about long and variable web response times.

falain
Level 1

Hi,

In my previous msgs, I submitted the same problem.

Waiting for a solution.

Due to bad performance, I had to PBR my www clients to go through an old PIX 520 in order to work.

Seen also that PPTP inspect (and GRE reverse channel) don't work.

After some debugs, I think that CBAC has poor throughput despite the potential of the 2821 hardware platform.

I am interested in testing your reflexive ACL solution but I am afraid it's not applicable to me (less secure).

I am thinking of moving to ASA 5500 where I could find dynamic routing capabilities (EIGRP? OSPF?)

Alain

arshad
Cisco Employee

Everyone,

Sorry for jumping in late in the discussion. The best deal with CBAC is to use the latest code, 12.4(6)T; it has performance enhancements for IPS and FW as well.

There are a few things to consider:

a) DoS protection settings

b) http inspection policy

c) DNS inspection policy

a) If you turn on CBAC these DoS protection settings get activated and the default values are very low. There is a procedure for how to tune the DoS settings in the FW design guide referenced below:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html

b) If your firewall policy has "inspect http" then please use the java-list ACL to bypass Java inspection. Turning on the http protocol in the policy means you are inspecting Java content on the return path. This is also mentioned in the design guide.

c) Use generic udp instead of the "inspect dns" keyword in the firewall policy. There is a bug which eats up some performance cycles.

d) Use the "show ip inspect statistics" command to verify that your firewall is inspecting everything in CEF mode rather than "process mode".

Hope that it will help.

Thanks and Regards

Arshad Saeed

Hi all,

thanks for such a good discussion. Arshad, thanks for the URL. I'll read it carefully because next week I'll implement CBAC again. What do you think about version 12.4.7a? How can I switch between CEF and process mode on the Cisco 2821? I didn't configure the generic udp command; what does it mean?

Thanks a lot for help.

BR

jl

Hi,

Happy to hear something.

I am in 12.4(7) on 2821.

I saw somewhere that CBAC was treated in fast or process switching mode but it is not true.

I already have 'ip cef' in the conf and CBAC works, but slowly when there are many outbound connections (I suppose), and I can't explain it for now.

Is 12.4(7a) better for cbac ?

you must have

ip inspect FW udp

ip inspect FW tcp

ip inspect FW

int

ip access-group acl_Inside in

....

int

ip access-group acl_Outside in

ip inspect FW out

....

in order to run CBAC from to

UDP and TCP are level 4 generic session inspection, but if you have specific needs (ftp, http, url filtering, smtp) you must add these, particularly when reverse channel(s) are derived from the application level (i.e. ftp with the port command).

Hi,

it is not good that in the latest IOS, CBAC slows traffic again. Why do you have to configure an ACL on the inside interface?

BR

jl

I want to filter inside outbound traffic, but you can allow all.

Do you know how to solve slow CBAC performance?

I am in 12.4(7) on 2821.

It seems CBAC runs in process/fast switching but not CEF.

sh ip insp stat

Packet inspection statistics [process switch:fast switch]

tcp packets: [6398905:116684444]

udp packets: [1906616:7587577]

smtp packets: [2087:111222]

http packets: [15815:22422444]

ftp packets: [366931:0]

realaudio packets: [655:0]

dns packets: [34333:185230]

pop3 packets: [344948:0]

Interfaces configured for inspection 11

Session creations since subsystem startup or last reset 3423161

Current session counts (estab/half-open/terminating) [226:4:13]

Maxever session counts (estab/half-open/terminating) [604:139:396]

Last session created 00:00:00

Last statistic reset never

Last session creation rate 863

Last half-open session total 4

Half-open session count or session creation rate exceeded

arshad
Cisco Employee

Hi,

Here is what you can do to improve the performance.

In your policy I see you're using "http" inspection; however, that's causing a lot of Java applet inspection.

ip inspect name myfirewall http java-list 102

access-list 102 permit ip any any

The above will help you to fix this Java blocking performance issue.

Another thing: I see you have the DNS keyword in inspection. Instead of DNS use "udp"; that will help to save CPU cycles. There is a bug: if you enable the "DNS" keyword it eats CPU cycles. So it should be

ip inspect name myfirewall udp

or, if you don't want to permit all udp, then you need to use an outbound ACL.

A few other questions: which interface have you applied the firewall policy to?

So about CEF switching and CBAC (this term is not used anymore; it's IOS Firewall since it has been transformed into an application level firewall).

CEF is generally enabled on ISRs and it's recommended to have it activated. "ip cef" is the command.

Now how IOS Firewall uses this path is a different thing; we have recently switched all the inspection to the CEF path. If some protocols are not being CEF switched, as shown in "show ip inspect statistics", then there could be other factors associated with it. Some other features may be causing the formerly called CBAC to take the process path, which it shouldn't do.

Best thing, if you see lots of packets going in the process path (which I can see in your case: FTP, RealAudio and POP3): open a TAC case to check what's causing this (could be a bug).

There is no configuration requirement to switch CBAC to inspect in the CEF path or process path. You just need CEF to be enabled globally.

Thanks and hope that will help. (Don't forget to read the design guide of Cisco IOS Firewall which I mentioned in one reply.)

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html

Q&A

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_qanda_item09186a008010a40e.shtml

Regards

Arshad Saeed
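The "sh ip insp stat" output posted above shows per-protocol [process switch:fast switch] counters, and Arshad's advice is to look for protocols whose packets are mostly taking the process path before opening a TAC case. The script below is an added example (not code from this thread or from Cisco) that parses that output; the sample text is constructed from the counters posted earlier and the 50% / 1000-packet thresholds are assumptions chosen here, not router defaults.

```python
import re

# Constructed sample modelled on the "sh ip insp stat" output posted in the thread.
SAMPLE_STATS = """\
Packet inspection statistics [process switch:fast switch]
tcp packets: [6398905:116684444]
udp packets: [1906616:7587577]
http packets: [15815:22422444]
ftp packets: [366931:0]
realaudio packets: [655:0]
dns packets: [34333:185230]
pop3 packets: [344948:0]
Current session counts (estab/half-open/terminating) [226:4:13]
Maxever session counts (estab/half-open/terminating) [604:139:396]
"""

PKT_RE = re.compile(r"^\s*(\S+) packets:\s*\[(\d+):(\d+)\]")
MAXEVER_RE = re.compile(r"^Maxever session counts .*\[(\d+):(\d+):(\d+)\]")

def parse_inspect_stats(text):
    """Map each inspected protocol to its (process_switched, fast_switched) counters."""
    stats = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats

def process_path_share(stats):
    """Fraction of each protocol's packets that took the slow process path."""
    return {p: (proc / (proc + fast) if proc + fast else 0.0)
            for p, (proc, fast) in stats.items()}

def flag_process_switched(stats, threshold=0.5, min_packets=1000):
    """Protocols mostly process-switched (low-volume ones ignored), busiest first."""
    shares = process_path_share(stats)
    hits = [p for p, (proc, fast) in stats.items()
            if proc + fast >= min_packets and shares[p] > threshold]
    return sorted(hits, key=lambda p: -sum(stats[p]))

def maxever_half_open(text):
    """Peak half-open session count, to compare with the ip inspect DoS thresholds."""
    for line in text.splitlines():
        m = MAXEVER_RE.match(line)
        if m:
            return int(m.group(2))
    return None

if __name__ == "__main__":
    s = parse_inspect_stats(SAMPLE_STATS)
    print("mostly process-switched:", flag_process_switched(s))
    print("peak half-open sessions:", maxever_half_open(SAMPLE_STATS))
```

On the sample, ftp and pop3 are flagged (100% process path) while realaudio is ignored as too low-volume, and the peak half-open count is the number to compare with the configured ip inspect max-incomplete / one-minute thresholds.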

Hi,

Thanks for the advice.

My 2821 is in 12.4(7) standard train release

I have :

access-list 10 permit any

ip cef

ip inspect log drop-pkt

ip inspect one-minute high 1000

ip inspect hashtable-size 8192

ip inspect tcp idle-time 900

ip inspect name Cbac_Sortant udp timeout 15

ip inspect name Cbac_Sortant tcp timeout 3600

ip inspect name Cbac_Sortant sqlnet

ip inspect name Cbac_Sortant sqlsrv

ip inspect name Cbac_Sortant sqlserv

ip inspect name Cbac_Sortant https

ip inspect name Cbac_Sortant esmtp

ip inspect name Cbac_Sortant realaudio

ip inspect name Cbac_Sortant ftp

ip inspect name Cbac_Sortant pptp

ip inspect name Cbac_Sortant pop3

ip inspect name Cbac_Sortant http java-list 10 urlfilter timeout 900

ip inspect name Cbac_Dmz tcp

ip inspect name Cbac_Dmz udp

ip inspect name Cbac_Dmz ntp

ip inspect name Cbac_Dmz http

ip inspect name Cbac_Dmz ftp

ip inspect name Cbac_Dmz esmtp

ip inspect name Cbac_Dmz dns

I suppressed the last statement (no ip inspect name Cbac_Dmz dns) as you say.

show ip inspect stat:

Packet inspection statistics [process switch:fast switch]

tcp packets: [6343723:115444867]

udp packets: [1877994:7441757]

smtp packets: [2039:110573]

http packets: [15447:22172926]

ftp packets: [366119:0]

realaudio packets: [655:0]

dns packets: [31376:165452]

pop3 packets: [341743:0]

Interfaces configured for inspection 11

Session creations since subsystem startup or last reset 3366206

Current session counts (estab/half-open/terminating) [270:29:9]

Maxever session counts (estab/half-open/terminating) [604:139:396]

Last session created 00:00:00

Last statistic reset never

Last session creation rate 665

Last half-open session total 29

Maybe the perf problems are due to CBAC process switching, but how do I switch to CEF switching?

Is 12.4(6)T preferable to 12.4(7) for this ?

Thanks for help

Alain Fremont

arshad
Cisco Employee

Hi,

Can you answer a few of the questions below:

a) How much is the CPU utilization?

b) How much traffic are you running?

c) Can you get me the exact difference in downloading from a particular website with or without IOS Firewall (CBAC)?

d) I believe the platform is 2821? What other services are you using, like NAT or PAT, or is there other stuff on the interface?

e) I believe you're firewalling the Internet facing connection.

It will really help me to understand more.

Thanks and Regards

Arshad Saeed

Hi Arshad,

Please, I don't understand what you mentioned.

If I want to exclude Java inspection I need to configure the ACL access-list 102 deny ip any any and then apply it to inspection. Am I right?

What IOS version do you recommend for CBAC?

BR

jl

Nope, that is the reverse way: "permit" will bypass you from inspecting the Java content. It should be "permit". Read the configuration guide and you'll understand in detail; there is an example given there.

I suggest using 12.4(6)T, but every new release is better (must have a few bug fixes). The recommendation is to use the "advanced security" bundle.

Thanks and Regards

Arshad

hi,

CPU utilization for five seconds: 12%/8%; one minute: 13%; five minutes: 14%

int vlan1

5 minute input rate 704000 bits/sec, 180 packets/sec

5 minute output rate 590000 bits/sec, 164 packets/sec

> 1000 www users

I PBR outbound www/ftp traffic to a Linux proxy server for policy and URL filtering.

The proxy is PBRed to the old PIX FW because it is too slow with the 2821.

Other traffic goes directly to the outside 2821 intf with NAT.

Platform is 2821 12.4(7) adv security.

I will move soon to 12.4(6)T which introduces firewall policy based on host groups. Hope this will improve performance.

C2821 intfs :

- G0/0 : trunk inside

G0/0.1 : inside sub intf

- G0/1 : Trunked dmzs connected to a C2950 lev2 sw

G0/1.1 to G0/1.9 : DMZs vlans 1 - 9

- Vlan1 : 4 FE ports HWic outside intf

Our policy is to maximize security:

All intfs are ACL-ed in and participate in CBAC (ip inspect out), to simplify ACLs for return traffic:

vlan1, g0/0, DMZs

sh ip insp stat

Packet inspection statistics [process switch:fast switch]

tcp packets: [615800:19395355]

udp packets: [449413:1321183]

smtp packets: [1770:43379]

http packets: [2759:3811366]

ftp packets: [54920:0]

dns packets: [0:141]

pop3 packets: [26845:0]

Interfaces configured for inspection 11

Session creations since subsystem startup or last reset 575092

Current session counts (estab/half-open/terminating) [136:11:2]

Maxever session counts (estab/half-open/terminating) [444:76:72]

Last session created 00:00:00

Last statistic reset 2d18h

Last session creation rate 229

Last half-open session total 11

sh ip insp interfaces:

Interface Vlan1

Inbound inspection rule is not set

Outgoing inspection rule is Cbac_Sortant

udp alert is on audit-trail is off timeout 15

tcp alert is on audit-trail is off timeout 3600

sqlnet alert is on audit-trail is off timeout 900

sqlsrv alert is on audit-trail is off timeout 900

sqlserv alert is on audit-trail is off timeout 30

https alert is on audit-trail is off timeout 900

esmtp max-data 20000000 alert is on audit-trail is off timeout 900

realaudio alert is on audit-trail is off timeout 900

ftp alert is on audit-trail is off timeout 900

pptp alert is on audit-trail is off timeout 900

pop3 alert is on audit-trail is off timeout 900

http java-list 10 url-filter is on alert is on audit-trail is off timeout 900

Inbound access list is Acl_Outside

Interface GigabitEthernet0/1.1 to 0/1.8

Inbound inspection rule is not set

Outgoing inspection rule is Cbac_Dmz

tcp alert is on audit-trail is off timeout 900

udp alert is on audit-trail is off timeout 30

ntp alert is on audit-trail is off timeout 30

http alert is on audit-trail is off timeout 900

ftp alert is on audit-trail is off timeout 900

esmtp max-data 20000000 alert is on audit-trail is off timeout 900

Inbound access list is Acl_DmzOut

Interface GigabitEthernet0/1.1

Inbound access list is Acl_DmzIn1

Interface GigabitEthernet0/1.2

Inbound access list is Acl_DmzIn2

Interface GigabitEthernet0/1.3

Inbound access list is Acl_DmzIn3

Interface GigabitEthernet0/1.4

Inbound access list is Acl_DmzIn4

Interface GigabitEthernet0/1.5

Inbound access list is Acl_DmzIn5

Interface GigabitEthernet0/1.6

Inbound access list is Acl_DmzSmtp

Interface GigabitEthernet0/1.7

Inbound access list is Acl_DmzTse

Interface GigabitEthernet0/1.9

Inbound access list is Acl_DmzWeb

Interface GigabitEthernet0/0.19

Outgoing inspection rule is Cbac_Dmz

Inbound access list is Acl_Inside

- frequently seeing log msgs like %FW-6-DROP_PKT: Dropping tcp pkt : ==> :

When activity increases, response time degradation occurs.

Thanks for help

Alain