I have a Cisco 3640 running IOS 12.4(5) with a T1 WIC on the outside and Fast Ethernet on the inside. The system is set up with 2 site-to-site IPsec tunnels and a basic firewall inspect on the inside interface. The internal network 10.1.1.x is dynamically NATed to 1 public IP address and I have 3 internal servers statically NATed. When I browse to certain websites the browser times out; usairways.com is one. I can get to the 1st page, but when searching for a reservation the link dies. I have a syslogger turned on and this is the error I see when the browser times out.
---------------------------------------------------------
000063: Feb 22 11:50:49.396 MST: %FW-3-RESPONDER_WND_SCALE_INI_NO_SCALE: Dropping packet - Invalid Window Scale option for session 10.1.1.162:3025 to 151.193.204.8:80 (Initiator scale 0 Responder scale 0)
---------------------------------------------------------
Here is some of the config:
no ip bootp server
ip inspect udp idle-time 60
ip inspect dns-timeout 25
ip inspect tcp finwait-time 25
ip inspect tcp synwait-time 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW netbios-ssn
ip inspect name SDM_LOW microsoft-ds
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip ips notify SDEE
Here are the access-lists
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ahp 10.1.1.0 0.0.0.255 any
access-list 100 permit gre 10.1.1.0 0.0.0.255 any
access-list 100 permit esp 10.1.1.0 0.0.0.255 any
access-list 100 permit icmp any any log
access-list 100 deny ip 216.x.x.x 0.0.0.3 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip any any log
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 log
access-list 101 permit udp host 70.x.x.x host 216.x.x.x eq non500-isakmp
access-list 101 permit udp host 70.x.x.x host 216.x.x.x eq isakmp
access-list 101 permit esp host 70.x.x.x host 216.x.x.x
access-list 101 permit ahp host 70.x.x.x host 216.x.x.x
access-list 101 permit ip host 70.x.x.x host 216.x.x.x
access-list 101 permit udp host 71.x.x.x host 216.x.x.x eq non500-isakmp
access-list 101 permit udp host 71.x.x.x host 216.x.x.x eq isakmp
access-list 101 permit esp host 71.x.x.x host 216.x.x.x
access-list 101 permit ahp host 71.x.x.x host 216.x.x.x
access-list 101 permit udp any host 216.x.x.x eq non500-isakmp
access-list 101 permit udp any host 216.x.x.x eq isakmp
access-list 101 permit gre any host 216.x.x.x
access-list 101 permit esp any host 216.x.x.x
access-list 101 permit ahp any host 216.x.x.x
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any host 216.x.x.a eq smtp
access-list 101 permit tcp any host 216.x.x.a eq www
access-list 101 permit tcp any host 216.x.x.a eq 443
access-list 101 permit tcp any host 216.x.x.b eq www
access-list 101 permit tcp any host 216.x.x.b eq 443
access-list 101 permit tcp any host 216.x.x.b eq 3389
access-list 101 permit tcp any host 216.x.x.c eq 8080 log
access-list 101 permit tcp any host 216.x.x.d eq 22 log
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp host 132.163.4.101 eq ntp any eq ntp
access-list 101 permit udp host 132.163.4.102 eq ntp any eq ntp
access-list 101 permit tcp any host 216.x.x.x eq 22
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 172.16.1.0 0.0.0.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any log
ACL 100 is applied in on the inside and 101 is applied in on the outside. The only other item might be the commands
no ip source-route
ip tcp synwait-time 40
ip tcp window-size 750000
I tried to maximize the window size hoping that would fix the problem
If anyone has any ideas why this is happening or needs more information, please let me know. CCO is no help so far.
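The message name (RESPONDER_WND_SCALE_INI_NO_SCALE) points at the rule the inspect engine is enforcing: RFC 1323 allows a Window Scale option in a SYN-ACK only if the initiator's SYN carried one, so a responder that sends WSopt (even with shift 0) to a client that offered none gets its SYN-ACK dropped. The following is an added Python example, not part of the post or of IOS, that parses TCP options from constructed SYN and SYN-ACK segments and applies that check; the port numbers are the ones from the log line, and the segments themselves are made up.

```python
import struct

def parse_tcp_options(tcp_segment: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a TCP segment."""
    data_offset = (tcp_segment[12] >> 4) * 4        # header length in bytes
    opts, parsed, i = tcp_segment[20:data_offset], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed

def window_scale(tcp_segment: bytes):
    """Shift count from WSopt (kind 3) if present, else None (option absent)."""
    ws = parse_tcp_options(tcp_segment).get(3)
    return ws[0] if ws is not None else None

def check_window_scale(syn: bytes, syn_ack: bytes):
    """RFC 1323 rule: responder may send WSopt only if the initiator offered it.
    Returns (ok, initiator_scale, responder_scale); None means no option sent.
    Unlike the IOS log line, this keeps 'absent' distinct from 'shift 0'."""
    ini, rsp = window_scale(syn), window_scale(syn_ack)
    return (not (ini is None and rsp is not None)), ini, rsp

def build_segment(sport: int, dport: int, flags: int, options: bytes) -> bytes:
    """Constructed TCP header with options (checksum left at 0; test data only)."""
    options += b"\x00" * (-len(options) % 4)         # pad to 32-bit boundary with EOL
    offset = 5 + len(options) // 4                   # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset << 4, flags, 65535, 0, 0)
    return hdr + options

SYN, SYN_ACK = 0x02, 0x12
MSS = b"\x02\x04\x05\xb4"        # kind 2, len 4, MSS 1460
WSOPT_0 = b"\x03\x03\x00"        # kind 3, len 3, shift 0 (option present, no scaling)
WSOPT_7 = b"\x03\x03\x07"        # kind 3, len 3, shift 7

# Scenario matching the log: client offers no WSopt, server answers with one anyway
client_syn = build_segment(3025, 80, SYN, MSS)
client_syn_ws = build_segment(3025, 80, SYN, MSS + WSOPT_7)
server_synack_bad = build_segment(80, 3025, SYN_ACK, MSS + WSOPT_0)
server_synack_ok = build_segment(80, 3025, SYN_ACK, MSS)
```

Run against a packet capture of the failing handshake, the same check tells you whether the drop is the server's non-compliant SYN-ACK or something else, before deciding whether to relax `ip inspect` for that destination.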