CBAC filter issue

thiru.vel10 (Level 1)

Hi All,

I am Thiru. I am observing an internet disconnection issue while using the CBAC filter. Without the CBAC filter the internet is working fine without issue; when I configure the CBAC filter I am getting disconnections from the internet web server. The issue is on and off, and I am also getting some errors.

ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw ftp
ip inspect name myfw http

ACL

access-list 100 remark --> CBAC security
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any eq isakmp any
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 permit udp any host (wanip) eq 10000
access-list 100 permit icmp any any echo-reply
access-list 100 permit udp any eq ntp any eq ntp

WAN interface:

ip inspect myfw out
ip access-group 100 in

Dropping TCP Segment: seq:1439898881 1476 bytes is out-of-order; expected seq:1439883073. Reason: TCP reassembly queue overflow - sessio

Can someone help me out with this issue?

I am using a Cisco 1841 and IOS: Advanced IP Services 12.4 T9

6 Replies

thiru.vel10 (Level 1)

Hi All,

Can anyone help me out here?

Hi Thiru,

Can you try this:

access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
ip inspect name myfw http alert on audit-trail on

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Thanks for your prompt response.

I am managing more than 50 internet routers and I have configured the CBAC filter with Websense on Cisco 1721, 1841, 1941 & 2811. I am keeping the same configuration on all devices as a standard.

I will add these two lines to the inbound ACL and update you on the status.

Regards

  Thiru

Hi Paul,

I have configured the requested rules in my outbound ACL. However, I am still observing the log message.

ue overflow - session *.*.*.*.164:3236 to 152.111.191.11:80
Jul 25 14:50:12.890 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3349648696 540 bytes is out-of-order; expected seq:3349634852. Reason: TCP reassembly queue overflow - session *.*.*.*.164:3236 to 152.111.191.11:80
Jul 25 14:50:14.382 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3349645812 1476 bytes is out-of-order; expected seq:3349634852. Reason: TCP reassembly queue overflow - session *.*.*.*.164:3236 to 152.111.191.11:80
Jul 25 14:50:20.909 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29819585 1476 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue overflow - session *.*.*.*.164:3240 to 152.111.191.11:80
Jul 25 14:50:22.637 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29819585 1476 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue overflow - session *.*.*.*.164:3240 to 152.111.191.11:80
Jul 25 14:50:24.933 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29822469 373 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue overflow - session *.*.*.*.164:3240 to 152.111.191.11:80
Jul 25 14:50:26.352 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29819585 1476 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue o


Thanks

Thiru
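
An added example (the editor's, not code from anyone in this thread) that reads these %FW-4-TCP_OoO_SEG messages and aggregates them per session, which is the quickest way to tell whether the drops are scattered noise or concentrated on a few sessions that then hang. The sample is constructed from the five messages quoted above, written as single-line syslog records (the console wrapped them at 80 columns) with the masked client address replaced by the documentation address 192.0.2.164; a sixth, unrelated message is included to show that it is skipped. The `gap` is the distance from the segment CBAC was waiting for (`expected seq`) to the one that arrived, and the same segment showing up twice means the sender retransmitted it while the hole was still open and CBAC dropped it again.

```python
import re

# Constructed sample: the messages quoted in the post above, one per line as a
# syslog collector receives them, with the poster's masked client address
# replaced by the documentation address 192.0.2.164. The last line is an
# unrelated message, included to show the filter ignores it.
SAMPLE_LOG = """\
Jul 25 14:50:12.890 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3349648696 540 bytes is out-of-order; expected seq:3349634852. Reason: TCP reassembly queue overflow - session 192.0.2.164:3236 to 152.111.191.11:80
Jul 25 14:50:14.382 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3349645812 1476 bytes is out-of-order; expected seq:3349634852. Reason: TCP reassembly queue overflow - session 192.0.2.164:3236 to 152.111.191.11:80
Jul 25 14:50:20.909 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29819585 1476 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue overflow - session 192.0.2.164:3240 to 152.111.191.11:80
Jul 25 14:50:22.637 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29819585 1476 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue overflow - session 192.0.2.164:3240 to 152.111.191.11:80
Jul 25 14:50:24.933 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:29822469 373 bytes is out-of-order; expected seq:29808852. Reason: TCP reassembly queue overflow - session 192.0.2.164:3240 to 152.111.191.11:80
Jul 25 14:50:25.001 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
"""

# Field layout of the message as it appears in the post above.
OOO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3} \w+): %FW-4-TCP_OoO_SEG: "
    r"Dropping TCP Segment: seq:(?P<seq>\d+) (?P<length>\d+) bytes is out-of-order; "
    r"expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) - "
    r"session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

MOD = 1 << 32   # TCP sequence numbers are 32-bit and wrap


def seq_gap(seq: int, expected: int) -> int:
    """Signed distance from the segment CBAC was waiting for to the one that
    arrived, computed the way TCP compares sequence numbers (modulo 2^32)."""
    d = (seq - expected) % MOD
    return d - MOD if d >= MOD // 2 else d


def parse_ooo(line: str):
    """Parse one %FW-4-TCP_OoO_SEG message into a dict; None for any other line."""
    m = OOO_RE.match(line.strip())
    if not m:
        return None
    rec = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    rec["gap"] = seq_gap(rec["seq"], rec["expected"])
    rec["session"] = f"{rec['src']}:{rec['sport']}->{rec['dst']}:{rec['dport']}"
    return rec


def summarize(log_text: str) -> dict:
    """Per-session view of the drops: how many, how many bytes, how far ahead of
    the hole they were, and which distinct segments were involved."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_ooo(line)
        if rec is None:
            continue
        s = out.setdefault(rec["session"], {"drops": 0, "bytes": 0, "max_gap": 0,
                                             "segments": set(), "reasons": set()})
        s["drops"] += 1
        s["bytes"] += rec["length"]
        s["max_gap"] = max(s["max_gap"], rec["gap"])
        s["segments"].add(rec["seq"])
        s["reasons"].add(rec["reason"])
    return out


def stalled_sessions(summary: dict) -> list:
    """Sessions in which the same segment was dropped more than once: the sender
    retransmitted it while the hole at `expected seq` was still open and the
    queue still full, which is where the user sees the download hang."""
    return sorted(k for k, s in summary.items() if s["drops"] > len(s["segments"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for session, s in summary.items():
        print(f"{session}: {s['drops']} drops, {s['bytes']} bytes, "
              f"largest gap {s['max_gap']} bytes ahead, reasons {sorted(s['reasons'])}")
    print("stalled:", stalled_sessions(summary))
```

Both sessions in the sample have a hole of roughly 10 to 14 KB ahead of `expected seq`, and on the second one the same 1476-byte segment is dropped repeatedly; that pattern points at the reassembly queue filling, not at the access list. On IOS releases that emit this message the per-session queue is set with `ip inspect tcp reassembly queue length <n>` (with `memory limit` and `timeout` alongside it), which is the knob to look at before loosening the inbound ACL.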

Hi Thiru,

See the sample config below; it may help you.

aaa new-model
aaa authentication login default local
ip inspect name my_firewall ftp timeout 3600
ip inspect name my_firewall smtp timeout 3600
ip inspect name my_firewall udp timeout 15
ip inspect name my_firewall tcp timeout 3600
!
interface FastEthernet0/0
description Inside of Network
ip address 192.168.150.1 255.255.255.0
!
interface FastEthernet0/1
description Outside of network
ip address
ip access-group OUTSIDE_IN in
ip inspect name my_firewall out
!
ip nat inside source list NAT interface FastEthernet0/1 overload
!
ip classless
!
ip route 0.0.0.0 0.0.0.0
!
no ip http server
no ip http secure-server
!
line con 0
logging sync
line vty 0 15
trans input ssh
logging sync
!
ip access-list extended NAT
permit ip 192.168.150.0 0.0.0.255 any
!
ip access-list extended OUTSIDE_IN
deny   ip host 0.0.0.0 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
deny   ip any any
!
crypto key gen rsa general-keys mod 1024

Please rate the helpful posts.

Regards,

Naidu.

Hi Thiru,

access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any eq isakmp any
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 permit udp any host (wanip) eq 10000
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any reassembly-timeout
access-list 100 deny ip any any

Kind Regards
Paul
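
An added example (the editor's, not from any poster) to make the ACL ordering concrete. It models first-match ACL evaluation plus the dynamic entries that `ip inspect ... out` creates on the WAN interface, and runs the same inbound traffic through the list above and through the same list without `permit udp any any eq domain` and `permit tcp any any eq www`. It shows two things: the return traffic of an inspected session is passed by the CBAC entry, not by those two permits (a DNS reply has source port 53, not destination port 53, so the `eq domain` line never matches it), and the `eq www` line lets an unsolicited SYN reach port 80 at the WAN address, i.e. whatever listens there, the router's own HTTP server included unless it is disabled as in Naidu's config. Assumptions: 203.0.113.2 stands in for "(wanip)", 152.111.191.11 is the server from the log, 9.9.9.9 and 198.51.100.9 are made-up peers, NAT is left out (addresses are as seen on the WAN side), and ICMP entries are matched on the message type only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

Port = Union[int, str, None]   # int for TCP/UDP ports, str for an ICMP type name, None = any


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "gre", "esp"
    src: str
    dst: str
    sport: Port = None
    dport: Port = None         # for icmp: the message type, e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: `action proto src [eq sport] dst [eq dport]`."""
    action: str
    proto: str                 # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    sport: Port = None
    dport: Port = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _in(p.src, self.src) and _in(p.dst, self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def _in(addr: str, spec: str) -> bool:
    """`any`, a host (bare address) or a network in CIDR form."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_decision(acl, p: Packet) -> str:
    """Cisco ACL semantics: first matching entry wins, no match is an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


class CbacWan:
    """Model of `ip inspect NAME out` plus `ip access-group ACL in` on a WAN interface.
    Inspected outbound sessions are recorded; an inbound packet that is the reverse
    5-tuple of a recorded session is passed by the dynamic CBAC entry, every other
    inbound packet is judged by the static ACL."""
    def __init__(self, wan_acl, inspected=("tcp", "udp")):
        self.acl, self.inspected, self.sessions = list(wan_acl), set(inspected), set()

    def outbound(self, p: Packet) -> None:
        if p.proto in self.inspected:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (cbac session)"
        return acl_decision(self.acl, p)


WAN_IP = "203.0.113.2"   # assumed stand-in for the post's "(wanip)"

COMMON = [   # the VPN/NTP entries from the post, unchanged
    Ace("permit", "gre"), Ace("permit", "esp"),
    Ace("permit", "udp", dport=500), Ace("permit", "udp", sport=500),
    Ace("permit", "udp", sport=123, dport=123),
    Ace("permit", "udp", dst=WAN_IP, dport=10000),
]
ICMP = [Ace("permit", "icmp", dport=t) for t in ("echo-reply", "time-exceeded",
        "packet-too-big", "traceroute", "unreachable", "reassembly-timeout")]

# Paul's second list as posted: the two service permits sit before the deny lines.
PAUL_ACL = COMMON + [Ace("permit", "udp", dport=53), Ace("permit", "tcp", dport=80),
                     Ace("deny", "tcp"), Ace("deny", "udp")] + ICMP + [Ace("deny", "ip")]
# The same list without those two permits: CBAC alone carries the return traffic.
HARDENED_ACL = COMMON + [Ace("deny", "tcp"), Ace("deny", "udp")] + ICMP + [Ace("deny", "ip")]


def evaluate(acl) -> dict:
    """Run the same traffic through a router using `acl` inbound; return each verdict."""
    r = CbacWan(acl)
    r.outbound(Packet("tcp", WAN_IP, "152.111.191.11", 3236, 80))   # inside user browsing
    r.outbound(Packet("udp", WAN_IP, "9.9.9.9", 51515, 53))          # and resolving names
    return {
        "http reply": r.inbound(Packet("tcp", "152.111.191.11", WAN_IP, 80, 3236)),
        "dns reply": r.inbound(Packet("udp", "9.9.9.9", WAN_IP, 53, 51515)),
        "dns reply, no session": acl_decision(acl, Packet("udp", "9.9.9.9", WAN_IP, 53, 51515)),
        "unsolicited syn to 80": r.inbound(Packet("tcp", "198.51.100.9", WAN_IP, 40000, 80)),
        "unsolicited query to 53": r.inbound(Packet("udp", "198.51.100.9", WAN_IP, 40000, 53)),
        "ping reply": r.inbound(Packet("icmp", "198.51.100.9", WAN_IP, dport="echo-reply")),
    }


if __name__ == "__main__":
    for name, acl in (("as posted", PAUL_ACL), ("hardened", HARDENED_ACL)):
        print(name, evaluate(acl))
```

`show ip inspect sessions` lists the real dynamic entries on the router. The static inbound list only has to cover what arrives unsolicited (the VPN and NTP entries and the ICMP error types), and for that the two deny lines followed by the explicit `deny ip any any` are the right shape; the two service permits add exposure without helping the sessions that were stalling.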