04-01-2013 09:54 AM - edited 03-04-2019 07:27 PM
We had a very interesting issue with one of our 2811 routers. We have Checkpoint firewalls at some of our locations and they all send messages back to the management station using TCP port 257. At our Chinese location, on March 10th around 10:30 PM our time, the router stopped sending traffic on port 257; all other traffic seemed to be normal. We put the same access-list, functionality-wise, on FA0/0 in and on S0/0/0:1 out. We could see the hits on FA0/0 but not on S0/0/0:1. After rebooting the router the problem went away, for now. I opened a ticket with Cisco, but I did not get too far. Did anyone see anything like this before?
Here are the access-lists:
ip access-list extended Log-Testing
 permit tcp host 172.28.228.243 host 161.195.160.147 eq 257 log
 permit tcp host 172.28.228.242 host 161.195.160.147 eq 257 log
 permit tcp any host 161.195.160.147 eq 257 log
 permit tcp any any eq 257 log
 permit ip any any
ip access-list extended Log-Testing2
 permit tcp host 172.28.228.243 host 161.195.160.147 eq 257 log
 permit tcp host 172.28.228.242 host 161.195.160.147 eq 257 log
 permit tcp any host 161.195.160.147 eq 257 log
 permit tcp any any eq 257 log
 permit ip any any
!
And here are the interface configurations:
interface Serial0/0/0:1
 description MPLS
 bandwidth 2048
 ip address XXX.XXX.XXX.XXX 255.255.255.252
 ip access-group Log-Testing out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 service-policy output XXXXXXXX
!
interface FastEthernet0/0
 ip address XXX.XXX.XXX.XXX 255.255.255.248
 ip access-group Log-Testing2 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 duplex full
 speed 100
 no mop enabled
!
Thanks
04-01-2013 11:15 AM
Update IOS.
Note, you should be running the default of IP CEF turned on. Also, nbar does not do anything, and you should disable virtual-reassembly.
04-01-2013 11:44 AM
Thank you for your response. IP CEF is enabled at the global level, as the default. We have an alias that uses nbar, so that is why it is on the interface. I thought that the virtual-reassembly was to protect the router from certain attacks where the attacker sends a large number of fragmented packets.
Thanks
04-01-2013 11:46 AM
Note you have both cef and route-cache disabled on serial 1.
Virtual reassembly will not protect you from anything but will most likely cause unnecessary processing.
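An added audit script (not from the thread or from Cisco) that checks a config for the three points raised in these replies: CEF disabled on an interface, virtual-reassembly enabled, and whether the ACL applied inbound really is entry-for-entry identical to the one applied outbound. The input is a constructed, abridged copy of the ACLs and interface lines quoted above; the parsing is a simple indentation-based grouping of IOS stanzas.

```python
import re

# Constructed input: ACLs and interface lines quoted in the thread, abridged.
CONFIG = """\
ip access-list extended Log-Testing
 permit tcp host 172.28.228.243 host 161.195.160.147 eq 257 log
 permit tcp any host 161.195.160.147 eq 257 log
 permit tcp any any eq 257 log
 permit ip any any
ip access-list extended Log-Testing2
 permit tcp host 172.28.228.243 host 161.195.160.147 eq 257 log
 permit tcp any host 161.195.160.147 eq 257 log
 permit tcp any any eq 257 log
 permit ip any any
interface Serial0/0/0:1
 ip access-group Log-Testing out
 ip virtual-reassembly
 no ip route-cache cef
interface FastEthernet0/0
 ip access-group Log-Testing2 in
"""

def parse_blocks(text):
    # Group indented child lines under their stanza header.
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(text):
    # Findings for the three conditions raised in the thread.
    blocks, findings, applied = parse_blocks(text), [], {}
    for hdr, body in blocks.items():
        if hdr.startswith("interface "):
            ifname = hdr.split()[1]
            if "no ip route-cache cef" in body:
                findings.append(f"{ifname}: CEF disabled, packets are process-switched")
            if "ip virtual-reassembly" in body:
                findings.append(f"{ifname}: virtual-reassembly keeps per-fragment state")
            for line in body:
                if m := re.match(r"ip access-group (\S+) (in|out)$", line):
                    applied[m.group(2)] = m.group(1)  # direction -> ACL name
    if {"in", "out"} <= applied.keys():  # poster mirrored one ACL in and one out
        acl = lambda d: blocks[f"ip access-list extended {applied[d]}"]
        findings.append("in/out ACLs identical" if acl("in") == acl("out") else "in/out ACLs differ")
    return findings
```

Run `audit(CONFIG)` to get the findings as a list; on the quoted config it reports the serial interface twice and confirms the two ACLs match, so a hit-count difference between the two directions is not explained by the ACLs themselves.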
04-01-2013 11:56 AM
Thank you, I have to schedule the change, we have a very strict change policy. You mentioned IOS upgrade, do you think it will solve the issue?
Thanks
04-01-2013 12:10 PM
It's very important that you run updated IOS.
Thank you for the nice rating and good luck!