3825 Zone Based Firewall / HTTP Problems

Techi3Rebel
Level 1

After weeks of research, I give in and need help. My setup consists of a Charter Cable 30MB link on a Cisco 3008 modem --> Cisco 3825 (c3825-adventerprisek9-mz.151-4.M5.bin) --> Cisco 3550 (c3550-ipservicesk9-mz.122-44.SE6.bin), and I use CCP 2.6 to configure the ZBF on the router. The problem is that 99% of all websites time out about 80% of the time; they load almost immediately once I hit the reload button, and some eventually load after several attempts. Netflix on the TVs is also impacted, but nothing else is affected. Downloads are fast, VPN to the office works great, Skype works, and torrent downloads and FTP are flawless. This affects multiple computers, phones and tablets and is not specific to any browser. I know there were out-of-order packets, which I resolved with "ip inspect tcp reassembly queue length 128" and "ip inspect tcp reassembly timeout 10", but unfortunately this did not fix the website issue. Please let me know what else I can provide, and thank you for looking at this for me.

Building configuration...

Current configuration : 10556 bytes
!
! Last configuration change at 21:38:47 CST Wed Feb 13 2013
version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RR
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
no logging buffered
no logging console
enable secret 4 1hdlgvffdrnFnEIcCj2Iz7JBCJX01rwUvTaQTL7k
enable password 7 1043590D550514114785110A0801
!
no aaa new-model
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
!
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.1.51 192.168.1.62
!
ip dhcp pool DHCP_192.168.1.0/26
 network 192.168.1.0 255.255.255.192
 dns-server 192.168.1.1
 default-router 192.168.1.1
 domain-name ciscolab.local
!
!
no ip bootp server
ip domain name ciscolab.local
ip name-server 198.153.192.40
ip name-server 198.153.194.40
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2469970023
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2469970023
 revocation-check none
 rsakeypair TP-self-signed-2469970023
!
!
crypto pki certificate chain TP-self-signed-2469970023
 certificate self-signed 01
!
!
license udi pid CISCO3825 sn XXXXXXXXX
archive
 log config
  hidekeys
object-group network Unrestricted
 description Unrestricted Used for TVs
 range 192.168.1.51 192.168.1.57
!
username cisco privilege 15 password 7 070156284F1E1D4180B12
username lab privilege 15 password 7 0700271581E31B1A04121317
!
redundancy
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 99.99.99.99 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security in-zone
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.192
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat pool DHCP_192.168.1.0/26 192.168.1.1 192.168.1.62 netmask 255.255.255.192
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
ip route 192.168.1.0 255.255.255.192 GigabitEthernet0/1 permanent
!
ip access-list extended NAT_LOCAL_192.168.1.0/26
 remark CCP_ACL Category=2
 permit ip any any log
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
logging trap debugging
logging 192.168.1.60
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.63
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.63
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq telnet
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq 443
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq cmd
access-list 101 permit udp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq snmp
access-list 101 deny   tcp any host 192.168.1.1 eq telnet
access-list 101 deny   tcp any host 192.168.1.1 eq 22
access-list 101 deny   tcp any host 192.168.1.1 eq www
access-list 101 deny   tcp any host 192.168.1.1 eq 443
access-list 101 deny   tcp any host 192.168.1.1 eq cmd
access-list 101 deny   udp any host 192.168.1.1 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.63 any
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
!
!
banner login ^CPrivate Network - STAY OUT!!!^C
!
line con 0
 exec-timeout 0 0
 password 7 06080621C5A518117000
 logging synchronous
line aux 0
line vty 0 4
 access-class 102 in
 exec-timeout 0 0
 password 7 10400001A5403410509
 login
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp server 128.138.141.172 prefer
end

9 Replies

paolo bevilacqua
Hall of Fame

Remove ZBFW; it doesn't work well, it impacts performance, and does not really add any security.

Thanks for responding Paolo but I am a bit concerned with security. I was previously using an off-the-shelf router but really wanted to jump into my CCNP study so I removed that box and started using my Cisco gear for my network. I do have several computers used for work and finances so I don't want to leave them open and exposed. Can you suggest some basic things I should configure for security if I do have to remove the firewall configuration?

eagle_283
Level 1

One of your class maps has been configured with a default action.

class type inspect ccp-protocol-http
 inspect

Maybe try to change the action to pass.

Zone-Based Policy Firewall Actions

ZFW provides three actions for traffic that traverses from one zone to another:

  • Drop—This is the default action for all traffic, as applied by the "class class-default" that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Traffic that is handled by the drop action is "silently" dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL's behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the "silent drop" behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.
  • Pass—This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.
  • Inspect—The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic. Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.
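The difference between pass and inspect that the quoted documentation stresses (pass forwards a packet but keeps no session, so the reply is judged on its own by the reverse zone-pair's policy; inspect records the session and admits the reply) can be shown with a small model. The code below is an added illustration written for this thread, not IOS code and not Cisco's own example; the zone names, addresses and ports are constructed. In the configuration posted above, the self-to-out policy (ccp-permit-icmpreply) ends in `pass` for class-default and the out-to-self policy (ccp-permit) ends in `drop`, which is the combination the `pass` case below models.

```python
"""Toy model of the three ZBF actions (drop, pass, inspect).

Added, simplified illustration, not IOS code: zone names, addresses and
ports are constructed. It demonstrates one property of the real feature:
'pass' forwards a packet without creating a session, so the reply hits
the reverse zone-pair's policy on its own, while 'inspect' records the
session and lets the reply through.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_zone: str
    dst_zone: str

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class ZoneFirewall:
    """policies maps (source zone, destination zone) to 'drop', 'pass' or
    'inspect'. As with the real feature, a zone-pair with no policy drops."""

    def __init__(self, policies):
        self.policies = dict(policies)
        self.sessions = set()  # 5-tuples, created only by the inspect action

    def forward(self, pkt):
        # Packets belonging to an inspected session, in either direction,
        # are permitted before any policy lookup.
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            return "permit"
        action = self.policies.get((pkt.src_zone, pkt.dst_zone), "drop")
        if action == "inspect":
            self.sessions.add(pkt.key())
            return "permit"
        if action == "pass":
            return "permit"  # forwarded, but no state is kept for the reply
        return "drop"


def reply_verdict(self_to_out_action):
    """Router-originated HTTPS (self -> out-zone) followed by the server's
    reply (out-zone -> self). Returns (request verdict, reply verdict)."""
    fw = ZoneFirewall({("self", "out-zone"): self_to_out_action,
                       ("out-zone", "self"): "drop"})
    # Constructed addresses: router 192.0.2.1, web server 203.0.113.10
    request = Packet("tcp", "192.0.2.1", 47801, "203.0.113.10", 443,
                     "self", "out-zone")
    reply = Packet("tcp", "203.0.113.10", 443, "192.0.2.1", 47801,
                   "out-zone", "self")
    return fw.forward(request), fw.forward(reply)


def compare_actions():
    """The same exchange under each action on the self -> out-zone pair."""
    return {action: reply_verdict(action)
            for action in ("drop", "pass", "inspect")}


if __name__ == "__main__":
    for action, (req, rep) in compare_actions().items():
        print(f"self->out {action:7}: request {req}, reply {rep}")
```

With `pass` the request is forwarded and the reply is dropped; with `inspect` both are permitted. That is the mechanism the documentation describes; whether it accounts for the browser timeouts in this thread is something the thread itself does not establish.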

Thanks for looking into this, unfortunately that did not make a difference.

Andras Dosztal
Level 3

You should check the logs to see if the VFR (not VRF!) table is full. If it is, the router can't reassemble all fragmented packets, resulting in strange things like parts of a web page not loading.


Sent from Cisco Technical Support Android App

Not very familiar with this but I looked it up and posted the result. Gi0/0 is my WAN interface. Thank you...

RR#sho ip virtual-reassembly gi0/0
GigabitEthernet0/0:
   Virtual Fragment Reassembly (VFR) is ENABLED [in]
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF
   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:0
   Total reassembly timeout count:0

If the VFR table is full, you get an error message similar to this:

Router# sh logg
%IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0: the fragment table has reached its maximum threshold 16

Unfortunately that line is not in the output; anything else I can look for?

I do have several of the following:

000948: .Feb 18 08:00:14.002 CST: %FW-6-DROP_PKT: Dropping tcp session xx.xx.xx.xx:443 xx.xx.xx.xx:47801 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0

Although there is still a lot of delay and timed-out websites, I did notice at times the websites practically stop loading. That's when I checked the log and did see the 'overflow' message that you mentioned, Andras. I raised the limit to 64 from the default 16, and it did help slightly.

I did a lot of research on this and there does not appear to be a solution, not one I could find. It does seem that the 15.x IOS is very buggy and this bug is reported by several users. Hope Cisco is working on a fix in the next release.
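Two syslog messages carry the evidence in this thread: %FW-6-DROP_PKT from the zone-based firewall and %IP_VFR-4-FRAG_TABLE_OVERFLOW from virtual fragment reassembly. The helper below parses both formats exactly as they appear above and summarizes drops per zone-pair and class, flags drops that look like the return half of a session, and lists VFR overflows. It is an added example written for this thread, not from the poster or from Cisco; the addresses and all but the message formats in SAMPLE_LOG are constructed, and the "looks like a reply" port heuristic is an assumption.

```python
"""Triage helper for the two IOS syslog messages quoted in this thread.

Added example, not from the thread or from Cisco. SAMPLE_LOG is
constructed, modelled on the %FW-6-DROP_PKT and
%IP_VFR-4-FRAG_TABLE_OVERFLOW lines shown in the thread, with documentation
addresses substituted for the poster's masked ones.
"""
import re
from collections import Counter

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)
VFR_RE = re.compile(
    r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<intf>\S+): the fragment table has "
    r"reached its maximum threshold (?P<threshold>\d+)"
)

# Constructed sample: three firewall drops, one VFR overflow, one unrelated line.
SAMPLE_LOG = """\
000948: .Feb 18 08:00:14.002 CST: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:443 192.0.2.1:47801 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
000949: .Feb 18 08:00:15.118 CST: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.11:443 192.0.2.1:47802 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
000950: .Feb 18 08:00:16.330 CST: %FW-6-DROP_PKT: Dropping udp session 198.51.100.5:53 192.168.1.20:51000 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to  DROP action found in policy-map with ip ident 0
000951: .Feb 18 08:00:20.004 CST: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0: the fragment table has reached its maximum threshold 16
000952: .Feb 18 08:00:21.500 CST: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.1.20)
"""


def parse_fw_drop(line):
    """Return the fields of a %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def parse_vfr_overflow(line):
    """Return (interface, threshold) for a VFR overflow line, else None."""
    m = VFR_RE.search(line)
    return (m["intf"], int(m["threshold"])) if m else None


def looks_like_reply(drop):
    """Assumed heuristic: a well-known source port talking to an ephemeral
    destination port is usually the return half of a session that the
    destination side started, i.e. state the firewall did not have."""
    return drop["sport"] < 1024 and drop["dport"] >= 1024


def summarize(log_text):
    """Count drops per (zone-pair, class), count probable reply drops and
    collect VFR overflow events from a block of syslog text."""
    drops_by_pair = Counter()
    reply_drops = 0
    vfr_events = []
    for line in log_text.splitlines():
        drop = parse_fw_drop(line)
        if drop:
            drops_by_pair[(drop["zone_pair"], drop["cls"])] += 1
            if looks_like_reply(drop):
                reply_drops += 1
            continue
        overflow = parse_vfr_overflow(line)
        if overflow:
            vfr_events.append(overflow)
    return {
        "drops_by_zone_pair": drops_by_pair,
        "likely_reply_drops": reply_drops,
        "vfr_overflows": vfr_events,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (pair, cls), count in report["drops_by_zone_pair"].most_common():
        print(f"{count:4d} drops on {pair} class {cls}")
    print(f"{report['likely_reply_drops']} of those look like reply packets")
    for intf, threshold in report["vfr_overflows"]:
        print(f"VFR table overflow on {intf} (threshold {threshold})")
```

Run it against a saved `show logging` capture in place of SAMPLE_LOG. A high share of drops whose source port is 443 or 53 on the out-to-self or out-to-in pair points at return traffic without a matching session, which is the behaviour the quoted documentation describes for the pass action; repeated VFR overflow lines are the condition Andras describes, and the threshold printed is the one to compare against `show ip virtual-reassembly`.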
