Cisco WAN :: 3750 Downloads Stall With Ip Inspect Enabled
Mar 14, 2011
I've been trying to figure this out for some time now. I have a network setup with a couple of users, as well as a few servers. I'm using a 3640 as my border router that is connected to a 3750 with L3 routing enabled. I am using the IOS firewall in the 3640 and am having problems with downloads and connections in general on the LAN. Downloads will start at fast speeds (~1MB/s) but after a short time, it will begin slowing to a crawl or idle. I have disabled my ip inspect rules and found that the downloads will function at full speed for the entire download.
I've looked over the router configs several times, and I don't see anything unusual. Is there anything I should be looking for? I would like to think that this router can handle the traffic of about 5 computers.
Apr 26, 2012
I have enabled SSH on my 3750 switches and notice that HTTPS is not working. I am not sure they are related, but it seems oddly coincidental. Therefore I find it difficult to monitor using CNA 5.7.6.
Configs are given below:
gvadc-sf01#sh run | i ip http
ip http server
ip http access-class 11
ip http secure-server
From my machine, I should normally have access to HTTPS running on the switch, but that isn't the case.
Do I need to generate a new crypto key separately for https?
Apr 18, 2011
I have a 7.0.164.0 WCS that I am trying to upgrade to 7.0.172.0. In the system infrastructure we have three 4400-50 controllers with a total of about 90 access points (1231's, 1131's, 1142's, and 3500's). The server is a VM with 2GB of RAM and about 4GB of free hard drive space (the WCS software is installed on the D: partition). The WCS installer goes through the initial setup and gets to the point of "Migrating Data" and basically stalls. I started the upgrade Friday at 11:30AM and finally killed it at about 9:00AM on Monday (almost 3 full days).
I then uninstalled the partial 7.0.172.0 installation, and also uninstalled the 7.0.164.0 installation. I then did a clean install of 7.0.164.0 and imported my backup. After I verified that everything was working correctly, I then tried the 7.0.172.0 upgrade again. Currently it's almost at 24 hours of sitting at "Migrating Data".
Oct 20, 2009
I have a 3845 enabled for CDP connected to a stack of 3750 switches. From the router, I don't see any CDP neighbors. From the switch, I can see the router as a neighbor. Why isn't the switch showing as a neighbor from the router side? [code]
Jan 3, 2012
I would like to apply a policy-based route on one of our L3 switches (Cisco 3750) to change the next-hop of a couple of servers only. The VLAN where those servers reside has WCCP enabled on it. When I want to apply the route-policy to that VLAN interface, it doesn't let me. When I try to apply the same policy to a VLAN interface without WCCP, it does work. Are there any Cisco IOS limitations that would prevent me from doing that?
Configuration:
route policy config:
access-list 70 permit ip host x.x.x.x (server IP)
route-map PBR1 permit 10
[Code].....
Nov 14, 2012
We have a 3750 acting as the core. By default, IGMP snooping is enabled on the Cisco 3750 according to the documents. But when we look at the ip mroute table on the switch, it doesn't show any output.
Apr 16, 2012
The ip inspect firewall should be performing no inspection on traffic traversing an IPSec VPN, right?
May 6, 2013
A user on a home PC connects via AnyConnect and makes an RDP session to a work PC; on this PC, Microsoft policy allows disk mapping via RDP. Is it possible to inspect this traffic and deny this (disk mapping) action on an ASA5585-X with IPS?
Apr 28, 2013
I'm in the process of configuring a Cisco 881 router for a branch office. Behind this router they have a PBX. Is it possible to inspect SIP packets using CBAC, and thereby open RSTP pinholes? I only have 1 public IP address, and I'm not fond of configuring thousands of PATs to the PBX. I have successfully accomplished this with global inspection on ASA firewalls, but I don't know if this can be done with IOS as well.
Aug 15, 2012
I have a Cisco ASA5520 box running IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected through the included protocols defined under the policy map. All configuration seems to be OK to me.
service-policy global_policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
[code]....
Mar 4, 2012
I have a need to use a 3560 switch to terminate a provider's internet connection, but want to secure it so that it and the vlans connected to it are not wide open. At the same time, I'd like to use stateful packet inspection.
I have IOS 12.2(44)SE2, but IPBASE running on my 3560s. Is there an IOS (perhaps the ADVIPSERVICES of that version?) that allows a 3560 to use the 'ip inspect' command?
Feb 15, 2012
How do I enable inspect http on an ASA 5510, so that URL information populates in the syslogs?
Dec 27, 2011
ASA5510, ASA 8.0(4), ASDM 6.1(5). This is a production ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz. The problem is a new use. I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far. The ASA inside interface is the default gateway for the inside network. My test workstation can PING inside hosts, so the static route is OK.
ASA 10.1.1.2/16 DNS Server 10.1.5.1/16
| |
------------------------------------------------------------------
|
Switch 10.1.8.20/16
[code]....
But lookups fail. Wireshark says the test workstation sends, the DNS server receives and responds, but the test workstation never receives. I used the Packet Tracer tool; it gets to the last step saying OK, then finally "inspect-dns-invalid-pak". I can't find any more there to tell just what is invalid about it. So I'm trying to figure out global inspection. Here's an extract from the config:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
[code]....
Mar 23, 2011
I have two questions about ZBF on ASR1000 with Firewall and Flexible Packet Inspection license:
1. Is IPv6 supported?
2. Can I use the police action in an inspect rule? I want to limit some protocols to low bandwidth. There is no police command in the ZBF policy map.
Feb 23, 2011
I want to block some social networking sites using ASA 5510-CSC-SSM. I searched and came to know that the ASA 5510 can't inspect and intercept HTTPS traffic because it is encrypted while traversing through the ASA. I want the ASA to function for HTTPS too, not only HTTP. Can I perform this task by updating any software on the existing device?
May 13, 2013
I have a strange problem in my ASA 5510 firewall. I turned on the HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server, it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet #4 is the actual differentiator.
I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP" { URL} in that post, but not any useful tips.
Aug 11, 2010
I am trying to configure my ASA 7.2(4) to inspect SCCP traffic from a CUCM v7. I have been advised that the ASA device needs to support the version of Skinny I am running. What version of Skinny does ASA 7.2(4) support? How can I find out what version my phones are using?
Oct 31, 2011
I am wanting to log dropped and OOP packets on a c3825 ISR with IOS 12.3(11)T3. On other routers (like a 2951 running 151-4.M2) I can state ip inspect log drop-pkt and it will log to buffer or syslog all dropped and OOP packets. Can I do this on this 3825 another way?
May 12, 2013
We are currently looking at design models for a Multi-Tenancy solution. The firewall layer will be 2 X ASA's running 9.X to take advantage of VPN's in multiple context mode and mixed L3 and L2 contexts.
We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers' infrastructure, who will then have virtual firewalls for NAT's and VPN's etc. within their own environment.
I am not very experienced with IPS so my query is; if we were to get an IPS license for both ASA's how would the IPS fit in, can we use it to inspect traffic for all the L3 contexts and the transparent context?
Mar 17, 2011
I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
I have cross-checked both firewall configurations, and I do not see any suspicious commands relating to SIP that might cause this issue. Is there any command to troubleshoot why the SIP inspection is dropping the SIP packets on site-B?
Jul 7, 2009
I have seen this a couple of times on two different routers. One is a 3745 and another a 1811 running 12.4(15)T4 and 12.4(6)T11, respectively.
When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.
Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.
Mar 25, 2012
Very recently, whenever I download a file which is in a package, e.g. a rar file or an iso, it always seems to be corrupt. For example, I downloaded the Windows 8 consumer preview multiple times and each time it was corrupt. Now I know it isn't anything to do with my computer, as I have this problem on all devices connected to my internet including my PS3; every game I download is corrupt and I cannot install it. I've tried all the obvious things like turning the router on and off and plugging the device directly into the router via ethernet.
Sep 28, 2012
We are having bandwidth issues every now and then in our corporate network, and apparently it is due to some people downloading music, videos, etc. Is there any way only downloads can be blocked? We don't have any firewall in place to control that, though. We have only our TPLink router and we usually block some domains using it.
Mar 5, 2012
I am using a shared internet connection in a hostel with a Belkin wireless router. How can I block users from downloading files and using torrents? I have admin privileges on the router. I have tried OpenDNS, but it blocks only sites and not torrent downloading.
Jul 8, 2011
ATT is now charging extra whenever I get over 150 GB a month... what can I do to minimize the junk that comes onto my computer against my will?
Dec 28, 2012
I used to get speeds that exceeded 2 mb/s, and now when I download Steam games it fluctuates from 0 kb/s to 2.1 mb/s in an oscillating pattern. What is wrong with my internet? Games that should take less than an hour to install now take 3.
Aug 30, 2011
How can I detect who is downloading big files in our network? Because it is banned in the network for certain peak times. We are using a DSL connection.
Jan 25, 2011
I recently did a clean install of Windows XP on this laptop after having Vista on there for a couple of years, and ever since doing this the download speeds have seemed so much slower. I'm not sure whether it's got to do with the OS or whether it's just that the internet has been slow since I've installed it. I'm using a wireless connection to connect to my router also.
May 5, 2012
How can I block downloads on the workstations? I am using Windows Server 2003 and all the users are being administrated from this server.
Apr 28, 2011
I recently switched providers and now I'm down to a 1.5 MBPS download speed (advertised at 3 MBPS but our area is only serviced for half that), so I'm trying to find something that will smooth out the capabilities of my PCs with streaming videos and such for my nephew on sites like disney.com and other sites. I can post specs later if you guys need them, but one PC, which I know its issue, is around 10 years old so I'm not expecting great performance. The new one, though, is only a year old with 1GB DDR2 RAM and Windows XP Home. The older one has 512MB RAM....I think it's SD with Windows XP Pro. Again, I can post full stats later if needed, but I'm not really trying to troubleshoot. More looking to boost. We run 2 computers and a Wii off our wireless modem. I'm curious if somehow the computers could be configured to operate on separate...ports I guess, to minimize the lag on the modem. We are noticing that if one computer is downloading something, it causes the second computer to lag or makes streaming anything all but impossible.
Jul 30, 2011
I ran a speed test with my new DIR-655 connected to my PS3 and my download is 768kbps and my upload is 1.5mbps. However, my internet connection is 50mbps and 2mbps upload on my computer connected via LAN. While I understand SOME decrease, that's slower than the previous Wireless G router that I had.
I've reset the router twice and it's currently set to the factory defaults. I've even tried setting a static ip address for the PS3 and put it into DMZ mode. However, I'm still getting the slow speeds.
Also, my iPhone 4 is getting about 14mbps download and 2mbps upload. Is that expected?
Oct 23, 2011
I have an RVS4000 with FTP download issues. I have the latest v1.3.3.5 software and the latest ISP (1.5). Regardless of any settings changes, my FTP downloads always timeout. I have tried a new basic router and had no issues, so it is not the PC, FTP software, or the ISP. I have even put my PC into the DMZ and still no resolution.
Nov 11, 2012
Running into a bit of a problem. Anytime I try to download a large file through our 5510, the download fails at different points. Cannot download via a download manager at all. I see nothing in the logs, which are set to informational.
I can connect my laptop to our internet connection outside the firewall and HTTP and download manager downloads connect and finish just fine. I go through and scrub my config for posting?