A faulty Router?

[MulLa]

Hi All,

In relation to this earlier Thread I have since wiped the config and started all over again.

Basically, the router is downloading from the net at dial-up speed for some reason.

Having rebuilt the config, I found out that whenever I enable IOS firewall either through CLI or through SDM the router would start downloading at dial-up speed. Whenever I restore it back to a previous non firewalled config it goes back to normal speed.

Anyone has any ideas on what's going on? Could it be a hardware fault?

Thanks in advance for any assistance.

 

[nightowl]

So the IOS FW is causing the router to slow down then? That should not be the case and I would not think it would be a HW problem as it would either work or not work. I think you said that you looked at CPU utilization but can you check the "show proc cpu hist" to see what the real time CPU utilization is? Also, try reducing the firewall inspect commands to the below configuration and see how it performs.

ip inspect name fwall tcp router-traffic
ip inspect name fwall udp router-traffic

Also, here is what I have on a router and I do not see any performance degradation with these inspect commands

ip inspect name FIREWALL http
ip inspect name FIREWALL https
ip inspect name FIREWALL ddns-v3
ip inspect name FIREWALL daytime
ip inspect name FIREWALL dns
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL ipsec-msft
ip inspect name FIREWALL ntp
ip inspect name FIREWALL sip
ip inspect name FIREWALL ssh
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic

 

[jlazzaro]

are you running a deferred IOS release? possible bug?

 

[MulLa]

Thanks everyone for your input!

nightowl tried what you suggested started off with:
ip inspect name fwall tcp router-traffic
ip inspect name fwall udp router-traffic

Then gradually build up, I found that whenever I enable either of the below
ip inspect name FIREWALL http
ip inspect name FIREWALL https

The speed would drop off. No other inspect rules would do that, CPU usage is always ~5% and memory ~20% so I still have plenty of additional resources.

jlazzaro
I'm using 12.4(6)T1 version of the Advanced Security featureset IOS. Is there any location that I can check a list of bugs associated with a particular IOS, I'm beginning to think that perhapse a bug associated with http(s) inspection rules.

Thanks everyone in advance, there seemed to be light at the end of the tunnel!!!

 

[heymrdj]

Just a little off but it is slightly parallel. I run Webmin on my 5 linux servers running here on my local network. Makes it easy to transfer files and stuff because Webmin has root access and a built in file manager. If I use SSL encryption between my computer and my Webmin computers, my what should normally be 35,000~KBs transfers goes down to 112KBs. Both the server and my client are hardly seeing any increase in resource usage. The encryptions and firewalls just tend to slow stuff down horribly. I'm clueless as to why.

 

[jlazzaro]

Cisco Bug Toolkit

nothing really popped out at me, but have a look...

going by your previous thread, theres no dropped packets right? ip inspect log drop-pkt comes up with nothing? it does seem like a software issue...try a new image, else call TAC?

edit: heymrdj, recommend you start a new thread. unless you're running IOS with CBAC, these 2 issues are very unrelated.

 

[nightowl]

mula, I am running 12.4(11)T2 right now on my router(s) and it seems to work fine. I have not disabled the HTTP inspection to see if that affects the speed or not. My speeds seem fine right now with the inspection policies turned on.

Edit: I just disabled the http inspection policies and there was no chance in my d/l speeds from the web. I would upgrade the IOS to see if that helps.

 

[SwiftWind]

Mula, can you copy paste show run?

Also, what type of wan connection are you using?

 

[jlazzaro]

Originally posted by: SwiftWind
Mula, can you copy paste show run?

Also, what type of wan connection are you using?

http://forums.anandtech.com/me...id=36&threadid=2068651

 

[MulLa]

Thanks again for everyone's helps:

heymrdj
Understand that it might cause some slight performance degredation but it's probably a bit severe in my case and certainly not normal.

nightowl
Thanks for your self experimentation I have updated my IOS to 12.4(6)T7 unfortunately my router only comes with 32MB flash and I can't upgrade any higher Upgrading didn't help at all tho, tempted to dig out an old camera CF card and using that, wonder if that will work :S

jlazzaro
Going over bug toolkit and found THIS could this be it? "All affected version" shows 12.4(6) but not the T7. It says it's a memory leak issues which should mean my router would run out of DRAM but it doesn't :S

Might see if I can borrow a CF somewhere and upgrade to a more recent version of IOS and see...

Thanks once again everyone.

 

[heymrdj]

jlazzaro I wasn't hijacking a thread, I was simply stating issues with security. My routers firewall will cause this issue as well, which is why I leave it off.

IMHO, when I've looked through the bug kit ect, I'd say your router is faulty. Especially seeing that you have reset the router back to factory and it is still having the same issue.

 

[nightowl]

Mula, I would check the size of the actual file before downloading it because it might fit on your flash. Also, you do not really need the HTTP inspection unless you are looking to do Java blocking.

 

[MulLa]

Finally it's fixed!!!!

Well as nightowl as suggested I checked the file size of some of the later IOS'es and one was 23MB in size so I thought I'd give that a try it was 12.4(11).T3 and now even with http & https inspection turned on it still downloads at the expected speed range.

One last question, is it a good idea to only have ~400KB left in the flash memory? Being relatively n00b in Cisco does the router write stuff to the flash during its normal operations or does it only do it to the DRAM?

But, thanks for everyone that helped and posted! :thumbsup:

 

[jlazzaro]

you're fine with 400kb in flash. for the most part flash is only for storing images.

you can store configuration files or system information in flash, and on some high-end systems flash is also used to hold bootstrap software.

 

[MulLa]

Thanks jlazzaro! Now I can sleep better at night Or at least until another issue crops up! But thanks once again to everyone.