01-15-2013 01:41 PM - edited 02-21-2020 06:37 PM
Evening Everyone!
I hope someone could help; I have a strange problem.
I have a Cisco 2811 which I recently configured to use the zone-based firewall, but now have a strange problem.
When logging on to a Windows PC which uses a domain controller accessed via the tunnel to our main office, it hangs at login and takes about 10 min.
Also, when trying to browse to a server share there can be a big delay; once the share has opened, files open at the normal speed.
I ran the setup on another office which had a leased line connection to our office and not a GRE tunnel.
The problem seems a bit random.
Any ideas?
Many thanks
Ben
01-15-2013 01:58 PM
First guess when there are time-based problems like delays: is name resolution (DNS) really working?
And also check if there is excessive fragmentation/reassembly on the router.
--  
Don't stop after you've improved your network! Improve the world by lending money to the working poor: 
http://www.kiva.org/invitedby/karsteni
01-15-2013 02:07 PM
Thanks for the reply.
I am new to the zone-based firewall. As far as I know DNS is fine; if I take the config off and reset back to CBAC it is fine.
I can't see excessive fragmentation on the router; nothing looks to be getting punted to the CPU.
01-15-2013 02:18 PM
And like now, for example, I can copy a 3 GB file fine, there is no slowness, but logging on, for example, takes much longer than expected.
It seems a bit hit and miss; sometimes the logging in is fine also.
01-15-2013 04:10 PM
Hi there,
Which specific protocol does the application use to open up a connection to the server?
IOS version?
Has this ever worked?
Have you had any chance to collect Wireshark captures and analyze them?
Thanks.
Portu.
Please rate any helpful posts
01-16-2013 12:30 AM
And please share your config that is causing the problems. Which IOS version are you running?
01-16-2013 01:39 AM
The IOS is
2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(11)XW3
Since the zone-based firewall has gone on it has had this problem.
I am going to do some Wireshark captures over the weekend, as I have had to turn the firewall off for now.
It is using CIFS to connect to the server.
The config is:
class-map type inspect match-any 2000
 match protocol http
 match protocol https
 match protocol snmp
 match protocol snmptrap
 match protocol telnet
 match protocol ssh
 match protocol ntp
class-map type inspect match-all FIREWALL_TANBERG_TRAFFIC
 match access-group 2020
class-map type inspect match-all FIREWALL_IPSEC_TRAFFIC
 match access-group name IPSEC_TRAFFIC
class-map type inspect match-all FIREWALL_TANDBERG_MANGMENT
 match class-map 2000
 match access-group 2000
class-map type inspect match-any FIREWALL_INSIDE_OUTSIDE
 match protocol https
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol ntp
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any FIREWALL_ROUTER_MANAGMENT
 match protocol telnet
 match protocol tacacs
 match protocol ssh
!
!
policy-map type inspect FIREWALL_ROUTER_SERVICES
 class type inspect FIREWALL_ROUTER_MANAGMENT
  pass
 class type inspect FIREWALL_IPSEC_TRAFFIC
  pass
 class class-default
policy-map type inspect FIREWALL_INBOUND_TRAFFIC
 class type inspect FIREWALL_TANDBERG_MANGMENT
  inspect
 class type inspect FIREWALL_TANBERG_TRAFFIC
  inspect
 class class-default
policy-map type inspect FIREWALL_OUTBOUND_TRAFFIC
 class type inspect FIREWALL_INSIDE_OUTSIDE
  inspect
 class class-default
!
zone security FIREWALL_INSIDE
 description FIREWALL INSIDE INTERFACES FASTETHERNET0/1 AND TUNNELS
zone security FIREWALL_OUTSIDE
 description FIREWALL OUTSIDE INTERFACE FASTETHERNET0/0
zone-pair security FIREWALL_OUTSIDE_TO_INSIDE source FIREWALL_OUTSIDE destination FIREWALL_INSIDE
 service-policy type inspect FIREWALL_INBOUND_TRAFFIC
zone-pair security FIREWALL_OUTSIDE_TO_SELF source FIREWALL_OUTSIDE destination self
 description ALLOWS ROUTER MANAGMENT AND IPSEC TRAFFIC
 service-policy type inspect FIREWALL_ROUTER_SERVICES
zone-pair security FIREWALL_INSIDE_TO_OUTSIDE source FIREWALL_INSIDE destination FIREWALL_OUTSIDE
 description ALLOWS OUTBOUND TRAFFIC
 service-policy type inspect FIREWALL_OUTBOUND_TRAFFIC
The inside f0/1 and tunnel interface are in FIREWALL_INSIDE.
Many thanks guys!
01-16-2013 01:50 AM
the inside f0/1 and tunnel interface are in the FIREWALL_INSIDE
Then the traffic is not part of the firewall, as with that release all interfaces of the same zone can freely communicate.
2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(11)XW3
That's really ancient. Please upgrade to a more recent version before doing any more troubleshooting. 12.4(24)T8 is an actual release if you want to stay on the 12.4 train.
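To make Karsten's point about same-zone interfaces checkable against the posted config, here is an added Python example (not from the thread, and not Cisco code): it parses a ZBF config into class-maps, policy-maps and zone-pairs, reports which policy governs traffic between two zones (falling back to the ZBF defaults: same zone passes uninspected, the router's self zone passes unless a zone-pair with a policy covers it, two different zones with no zone-pair drop), and flags inconsistencies. SAMPLE_CONFIG is a constructed, abridged copy of Ben's config; the function names and the data layout are my own.

```python
"""Added example (not from the thread): parse a Cisco IOS zone-based firewall
(ZBF) config, look up which policy governs traffic between two zones, and lint
it. SAMPLE_CONFIG is a constructed, abridged copy of the thread's config."""
import re

SAMPLE_CONFIG = """\
class-map type inspect match-any 2000
 match protocol http
class-map type inspect match-all FIREWALL_TANBERG_TRAFFIC
 match access-group 2020
class-map type inspect match-all FIREWALL_IPSEC_TRAFFIC
 match access-group name IPSEC_TRAFFIC
class-map type inspect match-all FIREWALL_TANDBERG_MANGMENT
 match class-map 2000
 match access-group 2000
class-map type inspect match-any FIREWALL_INSIDE_OUTSIDE
 match protocol tcp
class-map type inspect match-any FIREWALL_ROUTER_MANAGMENT
 match protocol ssh
policy-map type inspect FIREWALL_ROUTER_SERVICES
 class type inspect FIREWALL_ROUTER_MANAGMENT
  pass
 class type inspect FIREWALL_IPSEC_TRAFFIC
  pass
 class class-default
policy-map type inspect FIREWALL_INBOUND_TRAFFIC
 class type inspect FIREWALL_TANDBERG_MANGMENT
  inspect
 class type inspect FIREWALL_TANBERG_TRAFFIC
  inspect
 class class-default
policy-map type inspect FIREWALL_OUTBOUND_TRAFFIC
 class type inspect FIREWALL_INSIDE_OUTSIDE
  inspect
 class class-default
zone security FIREWALL_INSIDE
zone security FIREWALL_OUTSIDE
zone-pair security FIREWALL_OUTSIDE_TO_INSIDE source FIREWALL_OUTSIDE destination FIREWALL_INSIDE
 service-policy type inspect FIREWALL_INBOUND_TRAFFIC
zone-pair security FIREWALL_OUTSIDE_TO_SELF source FIREWALL_OUTSIDE destination self
 service-policy type inspect FIREWALL_ROUTER_SERVICES
zone-pair security FIREWALL_INSIDE_TO_OUTSIDE source FIREWALL_INSIDE destination FIREWALL_OUTSIDE
 service-policy type inspect FIREWALL_OUTBOUND_TRAFFIC
"""

RX_CLASS = re.compile(r"class-map type inspect (match-any|match-all) (\S+)$")
RX_POLICY = re.compile(r"policy-map type inspect (\S+)$")
RX_PAIR = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")


def parse_zbf(text):
    """Return (classes, policies, pairs) dicts built from an IOS config."""
    classes, policies, pairs = {}, {}, {}
    cur = None  # (kind, name) of the object whose sub-commands follow
    for line in (l.strip() for l in text.splitlines()):
        if m := RX_CLASS.match(line):
            cur = ("class", m.group(2))
            classes[m.group(2)] = {"mode": m.group(1), "match": []}
        elif m := RX_POLICY.match(line):
            cur = ("policy", m.group(1))
            policies[m.group(1)] = []
        elif m := RX_PAIR.match(line):
            cur = ("pair", m.group(1))
            pairs[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif not line or line.split()[0] in ("!", "zone", "interface"):
            cur = None  # blank line or an unrelated top-level command
        elif cur and cur[0] == "class" and line.startswith("match "):
            classes[cur[1]]["match"].append(line[6:])
        elif cur and cur[0] == "policy":
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                policies[cur[1]].append({"class": m.group(1), "action": None})
            elif line.split()[0] in ("inspect", "pass", "drop"):
                policies[cur[1]][-1]["action"] = line.split()[0]
        elif cur and cur[0] == "pair":
            if m := re.match(r"service-policy type inspect (\S+)$", line):
                pairs[cur[1]]["policy"] = m.group(1)
    return classes, policies, pairs


def policy_for(pairs, src, dst):
    """Policy-map governing src->dst traffic, or the ZBF default behaviour."""
    for name, p in pairs.items():
        if p["src"] == src and p["dst"] == dst:
            return f"zone-pair {name}: policy {p['policy']}"
    if src == dst:
        return "pass (same zone, not inspected)"  # the thread's tunnel/LAN case
    if "self" in (src, dst):
        return "pass (self zone default)"
    return "drop (no zone-pair)"


def lint(classes, policies, pairs):
    """Consistency checks worth running before attaching the policies."""
    out = []
    for pname, entries in policies.items():
        for e in entries:
            if e["class"] == "class-default" and e["action"] is None:
                out.append(f"policy-map {pname}: class-default has no explicit action (implicit drop)")
            elif e["class"] != "class-default" and e["class"] not in classes:
                out.append(f"policy-map {pname}: class-map {e['class']} is undefined")
    for name, p in pairs.items():
        if p["policy"] not in policies:
            out.append(f"zone-pair {name}: policy-map {p['policy']} missing or undefined")
    return out
```

Run against the posted config, `policy_for(pairs, "FIREWALL_INSIDE", "FIREWALL_INSIDE")` returns the same-zone pass, which is exactly why the tunnel-to-LAN login traffic is never seen by the inspect engine; the lint reports the three `class-default` entries with no explicit action (they drop silently), which are worth changing to `drop log` while troubleshooting so that unexpected drops between the outside and inside zones show up in the log.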
01-16-2013 01:56 AM
Aye, I did that to see if it was part of the problem, but once I take the zone-based firewall off it all works fine.
Ah cool, will give that a go!
Thanks!