[Config] Zone-based firewall and out-of-order dropped packets

pmlco:
Hello!
I am using a zone-based firewall on my 877, and normally everything works well. However, sometimes performance slows down to less than 1/10 of normal. For example, if I try to upgrade a Debian system with apt-get dist-upgrade, the downloads start OK, estimated time a few minutes, then grind to a halt with estimated time 2/3 hours. At the same time, I get this in the log:
Jun 3 08:17:34 192.168.71.254 2014: Jun 3 07:17:33: %FW-6-DROP_PKT: Dropping tcp session 128.31.0.36:80 192.168.1.6:52334 due to Out-Of-Order Segment with ip ident 0
It would seem that the firewall is dropping out-of-order segments. Is there any way I can turn this feature off ?
Thanks, Ian
!
! Last configuration change at 01:08:43 EST Sat May 8 2010 by ian
! NVRAM config last updated at 01:12:18 EST Sat May 8 2010 by ian
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname [removed]
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
no aaa new-model
clock timezone EST -5
!
crypto pki trustpoint TP-self-signed-4226416467
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4226416467
revocation-check none
rsakeypair TP-self-signed-4226416467
!
!
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool [removed]-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
domain-name [removed].net
dns-server 192.168.1.3 192.168.1.7
lease 0 2
!
!
ip cef
ip domain list [removed].net
ip domain name [removed].net
ip name-server 192.168.1.3
ip name-server 192.168.1.7
ip port-map smtp port tcp 587
ip port-map imaps port tcp 465
ip port-map ssh port tcp 22003
ip port-map ssh port tcp 22004
ip port-map ssh port tcp 22005
ip port-map ssh port tcp 22006
ip port-map ssh port tcp 22007
ip port-map ssh port tcp 22008
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
username admin privilege 15 secret 5 $1$SJDJ$S6tLtbzMchP05QCHpG7HE1
username ian privilege 15 secret 5 $1$zLaw$pAvLLShdYLXaBfmdgHPPE1
!
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any WebTraffic
match protocol http
match protocol https
class-map type inspect match-any Access
match access-group name AllowedIn
class-map type inspect match-any Misc
match protocol ntp
class-map type inspect match-any Deny
match access-group name DenyIn
class-map type inspect match-any Outbound
match protocol tcp
match protocol udp
match protocol icmp
class-map match-any Routing-1
match ip dscp cs6
class-map match-any Signaling-1
match ip dscp cs3
match ip dscp af31
class-map type inspect match-any SSH
match protocol ssh
class-map type inspect match-any SIP
match protocol sip
class-map match-any Voice-1
match ip dscp ef
class-map type inspect match-any Email
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imap3
match protocol imaps
class-map type inspect sip match-any SIP2
match protocol-violation
!
!
policy-map type inspect sip SIPOK
class type inspect sip SIP2
allow
policy-map type inspect In2Out
class type inspect SIP
pass
class type inspect Outbound
inspect
class class-default
drop log
policy-map type inspect Out2In
class type inspect Deny
drop log
class type inspect SIP
pass
class type inspect Misc
inspect
class type inspect Email
inspect
class type inspect SSH
inspect
class type inspect Access
inspect
class type inspect WebTraffic
inspect
class class-default
drop log
policy-map QoS-Policy-1
class Voice-1
priority percent 50
class Signaling-1
bandwidth percent 5
class Routing-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
zone security Inside
description Inside network
zone security Outside
description Outside network
zone-pair security Out2In source Outside destination Inside
service-policy type inspect Out2In
zone-pair security In2Out source Inside destination Outside
service-policy type inspect In2Out
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
vbr-nrt 500 500
tx-ring-limit 3
service-policy output QoS-Policy-1
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Virtual Interface for FastEthernet 0-3
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description Virtual Outside Interface
bandwidth 512
ip address [x.x.x.x] 255.0.0.0
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security Outside
encapsulation ppp
dialer pool 1
dialer string "*99#"
dialer-group 1
fair-queue
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [removed]@[removed].net
ppp chap password 7 01475252095A525D
ppp pap sent-username [removed]@[removed].net password 7 13514344595D5078
!
interface BVI1
description Bridge-Group Virtual Interface for Bridge Group 1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security Inside
ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 10.71.42.0 255.255.255.0 192.168.1.6 permanent
ip http server
ip http port 2420
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.7 25 [x.x.x.x] 25 extendable
ip nat inside source static tcp 192.168.1.7 80 [x.x.x.x] 80 extendable
ip nat inside source static tcp 192.168.1.7 110 [x.x.x.x] 110 extendable
ip nat inside source static tcp 192.168.1.6 123 [x.x.x.x] 123 extendable
ip nat inside source static tcp 192.168.1.7 143 [x.x.x.x] 143 extendable
ip nat inside source static tcp 192.168.1.7 220 [x.x.x.x] 220 extendable
ip nat inside source static tcp 192.168.1.7 443 [x.x.x.x] 443 extendable
ip nat inside source static tcp 192.168.1.7 465 [x.x.x.x] 465 extendable
ip nat inside source static tcp 192.168.1.7 587 [x.x.x.x] 587 extendable
ip nat inside source static tcp 192.168.1.7 993 [x.x.x.x] 993 extendable
ip nat inside source static tcp 192.168.1.7 995 [x.x.x.x] 995 extendable
ip nat inside source static udp 192.168.1.6 1194 [x.x.x.x] 1194 extendable
ip nat inside source static udp 192.168.1.8 3478 [x.x.x.x] 3478 extendable
ip nat inside source static udp 192.168.1.8 4569 [x.x.x.x] 4569 extendable
ip nat inside source static tcp 192.168.1.20 5001 [x.x.x.x] 5001 extendable
ip nat inside source static tcp 192.168.1.8 5038 [x.x.x.x] 5038 extendable
ip nat inside source static udp 192.168.1.8 5060 [x.x.x.x] 5060 extendable
ip nat inside source static udp 192.168.1.8 10000 [x.x.x.x] 10000 extendable
ip nat inside source static udp 192.168.1.8 10001 [x.x.x.x] 10001 extendable
ip nat inside source static udp 192.168.1.8 10002 [x.x.x.x] 10002 extendable
ip nat inside source static udp 192.168.1.8 10003 [x.x.x.x] 10003 extendable
ip nat inside source static udp 192.168.1.8 10004 [x.x.x.x] 10004 extendable
ip nat inside source static udp 192.168.1.8 10005 [x.x.x.x] 10005 extendable
ip nat inside source static udp 192.168.1.8 10006 [x.x.x.x] 10006 extendable
ip nat inside source static udp 192.168.1.8 10007 [x.x.x.x] 10007 extendable
ip nat inside source static udp 192.168.1.8 10008 [x.x.x.x] 10008 extendable
ip nat inside source static udp 192.168.1.8 10009 [x.x.x.x] 10009 extendable
ip nat inside source static udp 192.168.1.8 10010 [x.x.x.x] 10010 extendable
ip nat inside source static udp 192.168.1.8 10011 [x.x.x.x] 10011 extendable
ip nat inside source static udp 192.168.1.8 10012 [x.x.x.x] 10012 extendable
ip nat inside source static udp 192.168.1.8 10013 [x.x.x.x] 10013 extendable
ip nat inside source static udp 192.168.1.8 10014 [x.x.x.x] 10014 extendable
ip nat inside source static udp 192.168.1.8 10015 [x.x.x.x] 10015 extendable
ip nat inside source static udp 192.168.1.8 10016 [x.x.x.x] 10016 extendable
ip nat inside source static udp 192.168.1.8 10017 [x.x.x.x] 10017 extendable
ip nat inside source static udp 192.168.1.8 10018 [x.x.x.x] 10018 extendable
ip nat inside source static udp 192.168.1.8 10019 [x.x.x.x] 10019 extendable
ip nat inside source static udp 192.168.1.8 10020 [x.x.x.x] 10020 extendable
ip nat inside source static tcp 192.168.1.3 22 [x.x.x.x] 22003 extendable
ip nat inside source static tcp 192.168.1.4 22 [x.x.x.x] 22004 extendable
ip nat inside source static tcp 192.168.1.5 22 [x.x.x.x] 22005 extendable
ip nat inside source static tcp 192.168.1.6 22 [x.x.x.x] 22006 extendable
ip nat inside source static tcp 192.168.1.7 22 [x.x.x.x] 22007 extendable
ip nat inside source static tcp 192.168.1.8 22 [x.x.x.x] 22008 extendable
!
ip access-list extended AllowedIn
remark OpenVPN
permit udp any any eq 1194
remark iax2
permit udp any any eq 4569
remark slingbox
permit tcp any any eq 5001
remark Asterisk Manager
permit tcp any any eq 5038
remark RTP
permit udp any any range 10000 10020
ip access-list extended DenyIn
remark Hackers
permit ip host 1[x.x.x.x] any
permit ip 113.105.152.0 0.0.0.255 any
!
logging 192.168.1.6
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec
Welcme to [removed]Cisco 877 router..
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 192.168.1.6
end
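As an added example (not from the post and not Cisco code): a small Python triage script for the %FW-6-DROP_PKT lines quoted above. It parses the message format, counts drops by reason and by session, and flags sessions dropped repeatedly, which is what separates a stalling download from a stray reordered segment. The sample lines are constructed from the single line in the post; the %SYS-5-CONFIG_I line is a constructed unrelated message used to show that other syslog lines are ignored.

```python
"""Triage Cisco IOS %FW-6-DROP_PKT syslog lines (added example, not Cisco code).
Counts drops by reason and by TCP session so that repeated drops on one flow
(a stalling download) stand out from a stray reordered segment."""
import re
from collections import Counter

# Dropping <proto> session <a>:<port> <b>:<port> due to <reason> with ip ident <n>
# In the line quoted in the post, <a> is the remote server and <b> the inside client.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

def parse_drop(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {k: int(v) if k in ("sport", "dport", "ident") else v
            for k, v in m.groupdict().items()}

def summarise(lines):
    """Count drops per reason and per (src, sport, dst, dport) session."""
    by_reason, by_session = Counter(), Counter()
    for d in filter(None, map(parse_drop, lines)):
        by_reason[d["reason"]] += 1
        by_session[(d["src"], d["sport"], d["dst"], d["dport"])] += 1
    return by_reason, by_session

def repeated_sessions(by_session, threshold=2):
    """Sessions dropped at least `threshold` times: the flows that are stalling."""
    return {s: n for s, n in by_session.items() if n >= threshold}

# Constructed sample: the line from the post, two variants of it, one unrelated message.
SAMPLE_LOG = [
    "Jun 3 08:17:34 192.168.71.254 2014: Jun 3 07:17:33: %FW-6-DROP_PKT: Dropping tcp "
    "session 128.31.0.36:80 192.168.1.6:52334 due to Out-Of-Order Segment with ip ident 0",
    "Jun 3 08:17:35 192.168.71.254 2015: Jun 3 07:17:34: %FW-6-DROP_PKT: Dropping tcp "
    "session 128.31.0.36:80 192.168.1.6:52334 due to Out-Of-Order Segment with ip ident 0",
    "Jun 3 08:17:36 192.168.71.254 2016: Jun 3 07:17:35: %FW-6-DROP_PKT: Dropping tcp "
    "session 128.31.0.36:80 192.168.1.6:52336 due to Out-Of-Order Segment with ip ident 0",
    "Jun 3 08:18:01 192.168.71.254 2017: Jun 3 07:18:00: %SYS-5-CONFIG_I: Configured from console by ian",
]

if __name__ == "__main__":
    reasons, sessions = summarise(SAMPLE_LOG)
    print(dict(reasons))
    for (a, ap, b, bp), n in repeated_sessions(sessions).items():
        print(f"{n} drops on {a}:{ap} -> {b}:{bp}")
```

Point it at the syslog file the router's `logging 192.168.1.6` line feeds to see which inside hosts and sessions are actually being hit.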
cooldude9919:
Re: [Config] Zone-based firewall and out-of-order dropped packets
Here is some info from Cisco on it,
»www.cisco.com/en/US/docs/ios/12_···oop.html
We used ZBFW at over 120 locations and I have never seen that error message.
Question is what is causing the packets to get out of order so badly? Is it with all traffic or only certain things? Do you think it could be an issue with your ISP? (packet loss, etc.?)
pmlco:
Thanks, but it says in the document that zone-based firewalls are not supported. I tried it anyway, and it had no effect.
said by cooldude9919:
We used ZBFW at over 120 locations and I have never seen that error message.
Question is what is causing the packets to get out of order so badly? Is it with all traffic or only certain things? Do you think it could be an issue with your ISP? (packet loss, etc.?)
It seems to be only certain things, but it's hard to track down. I can say that it happens every time I try to do a Debian upgrade. It could be a problem with the ISP (AT&T), but I don't know how to track that down. I have always seen the error message, but it's only recently that I've seen a problem with upgrades and noticed that the message is logged every time.
cooldude9919:
Ah, sorry, I just saw "IOS firewall" and didn't read that much into the link. You already have the virtual-reassembly command in place, so I would think that would take care of it.
I also found this link: »cisconinja.wordpress.com/2009/06···ssembly/
At some point you may need to start capturing packets to really see what is going on.

pmlco:
said by cooldude9919:
Ah, sorry, I just saw "IOS firewall" and didn't read that much into the link. You already have the virtual-reassembly command in place, so I would think that would take care of it.
It doesn't seem to be doing much reassembling though...
#show ip virtual-reassembly dialer 0
Dialer0:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:24
Total reassembly timeout count:0
cooldude9919:
Yea, that is pretty low; what timeframe is that over? Here is some of mine,
F1430001 uptime is 8 weeks, 6 days, 15 hours, 25 minutes
F1430001#show ip virtual-reassembly mu1
Multilink1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:1567983
Total reassembly timeout count:59726

FCAP0002 uptime is 17 weeks, 2 days, 6 hours, 59 minutes
FCAP0002#show ip virtual-reassembly gi0/1.500
GigabitEthernet0/1.500:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:134412
Total reassembly timeout count:59726
pmlco:
said by cooldude9919:
Yea, that is pretty low; what timeframe is that over? Here is some of mine,
Just a couple of days, but during that time several upgrades were attempted, and dozens, if not more, dropped-packet messages were logged... I'll keep an eye on it.

pmlco:
I haven't made any progress, except that I turned off the ZBF and downloads proceeded normally. I am therefore pretty sure it's a problem with the ZBF.
Reading this document »www.cisco.com/en/US/docs/ios/sec···p1064382
it appears that support for out-of-order packet processing in the ZBF was introduced in IOS 15.0(1)M. Unless anyone suggests that this is not a good idea, I will try upgrading to 15.0(1)M2, but it will have to wait for a couple of weeks.
Thanks Ian
Update: make that 15.1(1)T, 15.0(1)M2 requires 192 MB of DRAM. |
pmlco:
Just to close this topic, upgrading IOS to 15.1(1)T fixed the problem without any configuration changes. Downloads now proceed normally.
Thanks, Ian.