rolande (Certifiable; Premium, Mod; join 2002-05-24; Columbus, OH; Host: Linksys AT&T Midwest)
[Info] Inspect engine burned me again
6 or 7 years ago I got burned by the inspect engine causing me grief with SMTP traffic that was using ESMTP commands. I thought I learned my lesson at that time. I guess I needed to learn it again.
So, I posted this in the Networking forum the other day... (Read for reference) »[Other] Strange TCP throttling with Internet traffic
I ended up being able to recreate the issue from a machine outside while pushing a large file to my webserver. I could see tons of duplicate SACK packets and Fast Retransmits. So, I knew that traffic was getting dropped on the floor somewhere. Someone mentioned ip inspect having strange issues that could cause this. I thought it really odd, since I have been running the same relative config for years and on the same code for at least the last 2 years without noticing issues.
So, I did a little digging and sure enough I happened across a little article that mentions a problem with Out Of Order Packets and the inspect engine. Turns out I had downgraded my router to a 12.3 mainline IOS to avoid some nasty bugs I hit on 12.4T a couple years ago, and at the time there were no fully GD releases of 12.4. I can't win for losing.
So, I took the chance and I upgraded to 12.4(15)T13 Advanced IP Services. So far, so good. I have done a decent amount of testing and all the problems I was previously experiencing seem to have magically disappeared. I have been watching the inspect statistics, which show the number of out of order packets. There is a decent amount showing up, especially when I download larger files. I am fairly confident this was the ultimate issue that has been wasting what little spare time I have for the past week. *grrrrr*
-- Scott, CCIE #14618 Routing & Switching
Too bad those that know it all can't do it all.
»www.thewaystation.com/techref/tech.shtml
»blog.thewaystation.com/
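An added example, not code from rolande's post or from any Cisco tool, showing how the loss signature described above (duplicate ACKs carrying SACK blocks, then a fast retransmit) can be picked out of a sender-side capture of one TCP flow. The segment records are constructed to mimic exactly one segment being dropped in transit; the Segment fields, function names and thresholds are the example's own assumptions, not anything from the thread.

```python
"""Count loss indicators in a single TCP flow seen from the sending host.

Added example, not part of the forum thread. The capture below is constructed:
the sender pushes 5 x 1460-byte segments, the second one is dropped by a
middlebox, the receiver answers with duplicate ACKs that carry SACK blocks,
and the sender fast-retransmits the missing segment after 3 dup ACKs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str                            # "out": data leaving the host, "in": ACKs coming back
    seq: int = 0                              # first sequence number carried (data segments)
    length: int = 0                           # payload bytes, 0 for pure ACKs
    ack: int = 0                              # acknowledgement number (ACK segments)
    sack: Tuple[Tuple[int, int], ...] = ()    # SACK blocks as (left, right) edges


def analyze_flow(segments: List[Segment]) -> Dict[str, int]:
    """Walk the segments in capture order and count what a loss leaves behind."""
    stats = {"new_bytes": 0, "retransmitted_bytes": 0, "retransmissions": 0,
             "dup_acks": 0, "dup_sack_acks": 0, "fast_retransmits": 0}
    next_new_seq = None   # byte after the highest new data sent so far
    last_ack = None       # most recent ACK number from the peer
    dup_run = 0           # consecutive duplicate ACKs for last_ack
    for s in segments:
        if s.direction == "out":
            if s.length == 0:
                continue
            if next_new_seq is None or s.seq >= next_new_seq:
                stats["new_bytes"] += s.length        # fresh data
                next_new_seq = s.seq + s.length
            else:
                stats["retransmissions"] += 1          # data we already sent once
                stats["retransmitted_bytes"] += s.length
                # Fast retransmit: the hole the dup ACKs pointed at is resent
                # after three dup ACKs without waiting for the RTO.
                if dup_run >= 3 and s.seq == last_ack:
                    stats["fast_retransmits"] += 1
        else:
            if s.ack == last_ack:
                stats["dup_acks"] += 1                 # receiver still stuck at the hole
                dup_run += 1
                if s.sack:
                    stats["dup_sack_acks"] += 1        # ...but telling us what did arrive
            else:
                last_ack = s.ack
                dup_run = 0
    return stats


def loss_ratio(stats: Dict[str, int]) -> float:
    """Fraction of sent bytes that had to be resent (0.0 for a clean transfer)."""
    return stats["retransmitted_bytes"] / stats["new_bytes"] if stats["new_bytes"] else 0.0


def looks_like_drops(stats: Dict[str, int], max_ratio: float = 0.01) -> bool:
    """Any fast retransmit, or more than 1% resent bytes, means something is dropping."""
    return stats["fast_retransmits"] > 0 or loss_ratio(stats) > max_ratio


# Constructed capture: segment 2 (seq 1461) never reaches the receiver.
SAMPLE_CAPTURE = [
    Segment("out", seq=1, length=1460),
    Segment("in", ack=1461),
    Segment("out", seq=1461, length=1460),                 # dropped downstream
    Segment("out", seq=2921, length=1460),
    Segment("out", seq=4381, length=1460),
    Segment("out", seq=5841, length=1460),
    Segment("in", ack=1461, sack=((2921, 4381),)),         # dup ACK 1
    Segment("in", ack=1461, sack=((2921, 5841),)),         # dup ACK 2
    Segment("in", ack=1461, sack=((2921, 7301),)),         # dup ACK 3
    Segment("out", seq=1461, length=1460),                 # fast retransmit
    Segment("in", ack=7301),
]

# Constructed clean transfer for comparison: every segment acked in order.
CLEAN_CAPTURE = [
    Segment("out", seq=1, length=1460),
    Segment("in", ack=1461),
    Segment("out", seq=1461, length=1460),
    Segment("in", ack=2921),
]

if __name__ == "__main__":
    for name, cap in (("lossy", SAMPLE_CAPTURE), ("clean", CLEAN_CAPTURE)):
        st = analyze_flow(cap)
        print(name, st, "loss_ratio=%.3f" % loss_ratio(st), "drops?", looks_like_drops(st))
```

The same counters applied to a real capture (sequence and ACK numbers exported per packet, one flow at a time) give a quick yes/no on whether a middlebox is eating segments before anyone touches the router config; a clean flow stays at zero dup ACKs and zero retransmissions.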
Bink (join 2006-05-14; Denver, CO; kudos: 4)
I think all of us who have Cisco firewall experience have been burned by ip inspect at least once.
tubbynet (reminds me of the danse russe; Premium, MVM; join 2008-01-16; Chandler, AZ)
said by Bink: I think all of us who have Cisco firewall experience have been burned by ip inspect at least once
Yes. It's even more frustrating when dealing with Exchange servers behind an ASA. If running pre 8.0 code (or so), you have to manually edit the service policy to allow certain ESMTP commands for SSL encryption/handshaking. When running 8.0+ code, setting "inspect esmtp" suffices. Either way -- the caveats suck.
It's why I always run a syslog server and dump output from my Cisco router to it. At least this way, I can parse logs rather than having to sit on the console/vty while testing.
Glad to hear you're up and running though, rolande.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
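An added example, not tubbynet's or Cisco's code, of the kind of parsing a syslog dump makes possible: it pulls firewall drop messages out of sample lines and flags flows that are being dropped repeatedly. The sample lines are constructed for this example (the wording is modelled loosely on the IOS firewall %FW facility, but the exact text a given release logs varies, so the regex is written for these samples and is an assumption to adjust against real output); the addresses are documentation ranges and the function names are the example's own.

```python
"""Triage firewall drop messages from a syslog dump instead of watching the console.

Added example, not part of the forum thread. SAMPLE_SYSLOG is constructed;
the %FW-6-DROP_PKT wording is an assumption modelled on IOS firewall logs and
must be checked against what the router in question actually emits.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_SYSLOG = """\
<190>101: *Mar  1 00:12:01.101: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (203.0.113.10:51234) -- responder (192.0.2.20:80)
<190>102: *Mar  1 00:12:02.410: %FW-6-DROP_PKT: Dropping tcp pkt 203.0.113.10:51234 => 192.0.2.20:80 due to Out-Of-Order segment
<190>103: *Mar  1 00:12:02.415: %FW-6-DROP_PKT: Dropping tcp pkt 203.0.113.10:51234 => 192.0.2.20:80 due to Out-Of-Order segment
<190>104: *Mar  1 00:12:02.420: %FW-6-DROP_PKT: Dropping tcp pkt 203.0.113.10:51234 => 192.0.2.20:80 due to Out-Of-Order segment
<190>105: *Mar  1 00:12:03.001: %FW-6-DROP_PKT: Dropping tcp pkt 198.51.100.7:40001 => 192.0.2.25:25 due to Invalid Flags
<189>106: *Mar  1 00:12:04.000: %SYS-5-CONFIG_I: Configured from console by vty0
<190>107: *Mar  1 00:12:05.222: %FW-6-DROP_PKT: Dropping tcp pkt 203.0.113.10:51234 => 192.0.2.20:80 due to Out-Of-Order segment
"""

# Matches only the drop messages; everything else (session audit trail,
# config notices) is ignored. Assumed format, see module docstring.
DROP_RE = re.compile(
    r"%FW-\d-DROP_PKT: Dropping (?P<proto>\w+) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?)\s*$"
)

Flow = Tuple[str, str, str, str]   # (src, sport, dst, dport)


def parse_drops(text: str) -> List[Dict[str, str]]:
    """Return one dict per drop message, with proto/src/sport/dst/dport/reason."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append(m.groupdict())
    return drops


def summarize(drops: List[Dict[str, str]]) -> Tuple[Counter, Counter]:
    """Drop counts per flow and per stated reason."""
    by_flow = Counter((d["src"], d["sport"], d["dst"], d["dport"]) for d in drops)
    by_reason = Counter(d["reason"] for d in drops)
    return by_flow, by_reason


def noisy_flows(drops: List[Dict[str, str]], threshold: int = 3) -> List[Flow]:
    """Flows dropped at least `threshold` times: the ones worth a packet capture."""
    by_flow, _ = summarize(drops)
    return sorted(flow for flow, n in by_flow.items() if n >= threshold)


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_SYSLOG)
    by_flow, by_reason = summarize(drops)
    print("drops by reason:", dict(by_reason))
    for flow in noisy_flows(drops):
        print("repeatedly dropped: %s:%s -> %s:%s (%d)" % (*flow, by_flow[flow]))
```

Grouping by reason is what makes the pattern in rolande's case visible: a single reason ("Out-Of-Order segment" in the constructed sample) dominating the drops for a bulk transfer points at the inspect engine rather than at the link, and the per-flow count tells you which session to capture.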
reply to rolande
So true!
I remember the Dutch tax service receiving income tax information from the client on the SMTP port.
That did not work, as the outgoing information was not formatted like a proper SMTP stream.
It took me about half an hour to figure this out and get the tax form out.
I agree that the inspection engine is right, but hey, I had a Cisco setup and had to put in the extra time to make it work where every other simple router worked out of the box.
reply to rolande
lol rolande, sounds like you got a BSOD on Cisco IOS so you had to install the K23498203728 which fixes the mouse from moving by itself... rofl
You know Cisco IOS is buggy; there ain't a list long enough to remember what not to do in what IOS version, you know that...
reply to rolande
All vendors have their issues with inspection / ALG / [insert trade name here]. Just got off an issue myself where a vendor (who shall not be named) was inspecting on SQL traffic specifically for years in a prod environment till a code upgrade a few weekends ago caused throughput to take a nosedive. Turn off inspect, speeds back to normal, and of course now we're waiting for the vendor to explain how a simple code upgrade did this.
I think the moral of the story is it's not often obvious where the source of the problem is, and you can burn cycles and patience trying to figure it out.
Regards
lol.... Nameless sidewinders are junk... lol