10-25-2010 09:17 AM - edited 03-04-2019 10:15 AM
Hi All,
I have several 871 routers running IOS version c870-advipservicesk9-mz.124-9.T1.bin
They have been running great for a long time but recently they all started dropping packets while downloading items from any website. For example Symantec Liveupdate will start but stop after few hundred kb is downloaded, same is true for downloads from CNET, microsoft, etc.
While trying to figure out what was the cause we narrowed it down to this command:
ip inspect name SDM_HIGH appfw SDM_HIGH
And here are the details for this inspect rule:
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
Now the only thing that I see that can cause the issue is the inspection of HTTP traffic, however nothing on the routers has changed so I am not sure why the packets are dropping.
Any help with this would be much appreciated.
Thanks,
Mandeep
11-05-2010 09:25 AM
You mention narrowing it down to a specific command. When the command is enabled do you see interface drops or high cpu while the downloads are in progress?
How are you determining packet loss? When a download stops, is it only the single session which is affected or all user traffic?
If these routers have bene in service with no config changes, then what has changed? Are you pushing more traffic through the routers than you used to?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide