02-15-2013 09:15 PM - edited 03-07-2019 11:44 AM
After weeks of research, I give in and need help. My setup consists of a Charter Cable 30MB link on a Cisco 3008 modem --> Cisco 3825 (c3825-adventerprisek9-mz.151-4.M5.bin) --> Cisco 3550 (c3550-ipservicesk9-mz.122-44.SE6.bin), and I use CCP 2.6 to configure the ZBF on the router. The problem is that 99% of all websites time out about 80% of the time; they load almost immediately once I hit the reload button, and some eventually load after several attempts. Netflix on the TVs is also impacted, but nothing else is affected. Downloads are fast, VPN to the office works great, Skype works, and torrent downloads and FTP are flawless. This affects multiple computers, phones and tablets and is not specific to any browser. I know there were out-of-order packets, which I resolved with "ip inspect tcp reassembly queue length 128" and "ip inspect tcp reassembly timeout 10", but unfortunately this did not fix the website issue. Please let me know what else I can provide, and thank you for looking at this for me.
Building configuration...
Current configuration : 10556 bytes
!
! Last configuration change at 21:38:47 CST Wed Feb 13 2013
version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RR
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
no logging buffered
no logging console
enable secret 4 1hdlgvffdrnFnEIcCj2Iz7JBCJX01rwUvTaQTL7k
enable password 7 1043590D550514114785110A0801
!
no aaa new-model
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
!
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.1.51 192.168.1.62
!
ip dhcp pool DHCP_192.168.1.0/26
network 192.168.1.0 255.255.255.192
dns-server 192.168.1.1
default-router 192.168.1.1
domain-name ciscolab.local
!
!
no ip bootp server
ip domain name ciscolab.local
ip name-server 198.153.192.40
ip name-server 198.153.194.40
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2469970023
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2469970023
revocation-check none
rsakeypair TP-self-signed-2469970023
!
!
crypto pki certificate chain TP-self-signed-2469970023
certificate self-signed 01
!
!
license udi pid CISCO3825 sn XXXXXXXXX
archive
log config
hidekeys
object-group network Unrestricted
description Unrestricted Used for TVs
range 192.168.1.51 192.168.1.57
!
username cisco privilege 15 password 7 070156284F1E1D4180B12
username lab privilege 15 password 7 0700271581E31B1A04121317
!
redundancy
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class class-default
drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 99.99.99.99 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.192
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
media-type rj45
no mop enabled
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat pool DHCP_192.168.1.0/26 192.168.1.1 192.168.1.62 netmask 255.255.255.192
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
ip route 192.168.1.0 255.255.255.192 GigabitEthernet0/1 permanent
!
ip access-list extended NAT_LOCAL_192.168.1.0/26
remark CCP_ACL Category=2
permit ip any any log
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
logging 192.168.1.60
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.63
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.63
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq telnet
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq 443
access-list 101 permit tcp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq cmd
access-list 101 permit udp 192.168.1.0 0.0.0.63 host 192.168.1.1 eq snmp
access-list 101 deny tcp any host 192.168.1.1 eq telnet
access-list 101 deny tcp any host 192.168.1.1 eq 22
access-list 101 deny tcp any host 192.168.1.1 eq www
access-list 101 deny tcp any host 192.168.1.1 eq 443
access-list 101 deny tcp any host 192.168.1.1 eq cmd
access-list 101 deny udp any host 192.168.1.1 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.63 any
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
!
!
banner login ^CPrivate Network - STAY OUT!!!^C
!
line con 0
exec-timeout 0 0
password 7 06080621C5A518117000
logging synchronous
line aux 0
line vty 0 4
access-class 102 in
exec-timeout 0 0
password 7 10400001A5403410509
login
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp server 128.138.141.172 prefer
end
02-16-2013 11:59 PM
Remove ZBFW; it doesn't work well, it impacts performance, and it does not really add any security.
02-17-2013 05:25 AM
Thanks for responding Paolo but I am a bit concerned with security. I was previously using an off-the-shelf router but really wanted to jump into my CCNP study so I removed that box and started using my Cisco gear for my network. I do have several computers used for work and finances so I don't want to leave them open and exposed. Can you suggest some basic things I should configure for security if I do have to remove the firewall configuration?
02-17-2013 07:20 PM
One of your class maps has been configured with a default action.
class type inspect ccp-protocol-http
inspect
Maybe try to change the action to pass.
ZFW provides three actions for traffic that traverses from one zone to another:
02-17-2013 11:07 PM
Thanks for looking into this, unfortunately that did not make a difference.
02-17-2013 08:39 PM
You should check the logs to see if the VFR (not VRF!) table is full. If it is, the router can't reassemble all fragmented packets, resulting in strange things like parts of a web page not loading.
02-17-2013 11:05 PM
Not very familiar with this but I looked it up and posted the result. Gi0/0 is my WAN interface. Thank you...
RR#sho ip virtual-reassembly gi0/0
GigabitEthernet0/0:
Virtual Fragment Reassembly (VFR) is ENABLED [in]
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:0
Total reassembly timeout count:0
02-17-2013 11:43 PM
If the VFR table is full, you get an error message similar to this:
Router# sh logg
%IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0: the fragment table has reached its maximum threshold 16
02-18-2013 06:09 AM
Unfortunately that line is not in the output. Is there anything else I can look for?
I do have several of the following:
000948: .Feb 18 08:00:14.002 CST: %FW-6-DROP_PKT: Dropping tcp session xx.xx.xx.xx:443 xx.xx.xx.xx:47801 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
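The two messages quoted in this thread (the VFR overflow message and the %FW-6-DROP_PKT drops on zone-pair ccp-zp-out-self) are exactly the lines worth counting when a ZBF router starts stalling web pages. The script below is an added example, not something posted by anyone in the thread: it parses a constructed set of syslog lines modelled on those two formats (addresses are documentation ranges, not the poster's), tallies overflows per interface and drops per zone-pair, and flags return traffic from source ports 80/443 that hit class-default, which is the pattern that lines up with "pages load on the second try".

```python
import re
from collections import Counter

# Constructed sample syslog text, modelled on the message formats quoted in the
# thread; sequence numbers, timestamps and addresses are made up for the example.
SAMPLE_LOG = """\
000947: .Feb 18 08:00:12.114 CST: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0: the fragment table has reached its maximum threshold 16
000948: .Feb 18 08:00:14.002 CST: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:443 192.0.2.5:47801 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000949: .Feb 18 08:00:14.120 CST: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:443 192.0.2.5:47802 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000950: .Feb 18 08:00:15.330 CST: %FW-6-DROP_PKT: Dropping udp session 198.51.100.7:53 192.0.2.5:51000 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action found in policy-map with ip ident 0
000951: .Feb 18 08:01:02.009 CST: %SYS-5-CONFIG_I: Configured from console by lab on vty0 (192.0.2.20)
"""

# Message formats as quoted in the thread.
VFR_OVERFLOW_RE = re.compile(
    r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<iface>\S+): the fragment table has reached "
    r"its maximum threshold (?P<threshold>\d+)"
)
FW_DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)
WEB_PORTS = {"80", "443"}


def analyze_log(text):
    """Count VFR overflows and ZBF drops in syslog text; returns a dict of counters."""
    result = {
        "vfr_overflows": [],            # (interface, configured max-reassemblies)
        "drops_by_zone_pair": Counter(),
        "web_return_drops": 0,          # drops whose source port is 80 or 443
        "other_lines": 0,
    }
    for line in text.splitlines():
        m = VFR_OVERFLOW_RE.search(line)
        if m:
            result["vfr_overflows"].append((m["iface"], int(m["threshold"])))
            continue
        m = FW_DROP_RE.search(line)
        if m:
            result["drops_by_zone_pair"][m["zone_pair"]] += 1
            if m["sport"] in WEB_PORTS:
                result["web_return_drops"] += 1
            continue
        result["other_lines"] += 1
    return result


def findings(result):
    """Turn the counters into the short list of things a troubleshooter would act on."""
    notes = []
    for iface, threshold in result["vfr_overflows"]:
        notes.append(f"VFR table on {iface} overflowed at max-reassemblies {threshold}; "
                     f"check 'show ip virtual-reassembly {iface}' and consider raising the limit")
    if result["web_return_drops"]:
        notes.append(f"{result['web_return_drops']} packets from web servers (src port 80/443) "
                     f"were dropped by class-default instead of matching an inspected session")
    for zone_pair, count in result["drops_by_zone_pair"].most_common():
        notes.append(f"{count} drop(s) on zone-pair {zone_pair}")
    return notes


if __name__ == "__main__":
    for note in findings(analyze_log(SAMPLE_LOG)):
        print(note)
```

Feed it the output of `show logging` (with `logging trap debugging`, as in the posted config, the %FW-6 drops are informational and will appear) and compare the drop counts against the moment pages stall; an overflow line plus a burst of port-443 drops on the out-to-self pair points at fragments or state misses rather than at DNS or the client.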
02-22-2013 04:37 AM
Although there is still a lot of delay and timed-out websites, I did notice at times the websites practically stop loading. That's when I checked the log and did see the 'overflow' message that you mentioned, Andras. I raised the limit to 64 from the default 16 and it did help slightly.
I did a lot of research on this and there does not appear to be a solution, not one I could find. It does seem that the 15.x IOS is very buggy and this bug is reported by several users. Hope Cisco is working on a fix in the next release.
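For reference, the change described above (raising the VFR limit from the default 16 to 64 on the WAN interface) looks like this in IOS configuration. This is an added fragment, not something posted in the thread; it assumes the `ip virtual-reassembly in [max-reassemblies N] [max-fragments N] [timeout S]` keyword form present on the 15.1 train used here, and the `show ip virtual-reassembly` output shown earlier in the thread is the way to confirm the new values took effect.

```cisco
! As in the posted config: VFR with the defaults reported by
! "show ip virtual-reassembly gi0/0" (16 reassemblies, 32 fragments, 3 s)
interface GigabitEthernet0/0
 ip virtual-reassembly in
!
! Raised limit, as the poster did; the other two values are the defaults,
! written out so the running config shows what is in force
interface GigabitEthernet0/0
 ip virtual-reassembly in max-reassemblies 64 max-fragments 32 timeout 3
!
! Verify, then watch whether the overflow message returns while pages stall
show ip virtual-reassembly GigabitEthernet0/0
show logging | include IP_VFR-4-FRAG_TABLE_OVERFLOW
```

If "Total reassembly timeout count" climbs along with the overflow messages, the table is filling with fragments whose partners never arrive, which the limit alone will not cure.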