Topic: cisco.com opens slow
josma
Jr Member
Member # 24154
posted May 14, 2008 05:32 AM
Hi,
I have a firewall configured on my 1700 series router.
Cisco.com and a few other sites are really slow, but when I disable ip inspect and the ACL from the interface it works great.
I disabled NetFlow too because it slowed down our internet traffic.
Posts: 5 | From: Sarajevo | Registered: Dec 2007
Sebastian Pasternacki
Guru
Member # 3512
posted May 15, 2008 03:55 AM
1700 is not a powerful box (depends on model), so maybe if you have too many features enabled the CPU is overutilized. Check "show proc cpu" when all of the required features are enabled.
Posts: 173 | From: Ireland | Registered: Jun 2002
josma
posted May 15, 2008 04:06 AM
CPU utilization is fine.
Is there a way to exclude cisco.com from ip inspect?
Sebastian Pasternacki
posted May 15, 2008 04:19 AM
Show your configuration, so maybe we will find a solution.
josma
posted May 15, 2008 04:32 AM
Here you go
quote:
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name ZaVox h323
ip inspect name ZaVox h323callsigalt
ip inspect name ZaVox h323gatestat
ip inspect name NatovaniServisi ftp
ip inspect name NatovaniServisi tftp
ip inspect name NatovaniServisi user-RDP
ip inspect name msan user-sym
ip inspect name msan user-rdp_msan
ip inspect name msan icmp router-traffic
ip inspect name Rec_fw appfw test
ip inspect name Rec_fw ftp
ip inspect name Rec_fw tftp
ip inspect name Rec_fw icmp router-traffic
ip inspect name Rec_fw http
ip inspect name Rec_fw https
ip inspect name Rec_fw telnet
ip inspect name Rec_fw h323 router-traffic
ip inspect name Rec_fw h323callsigalt
ip inspect name Rec_fw sip
ip inspect name Rec_fw imap secure-login
ip inspect name Rec_fw imap3
ip inspect name Rec_fw imaps
ip inspect name Rec_fw ntp
ip inspect name Rec_fw pop3
ip inspect name Rec_fw snmp
ip inspect name Rec_fw snmptrap
ip inspect name Rec_fw dns
ip inspect name Rec_fw dnsix
ip inspect name Rec_fw user-RDP
ip inspect name Rec_fw user-rdp_msan
ip inspect name Rec_fw user-sym
ip inspect name Rec_fw esmtp
ip inspect name Rec_fw ssh
ip inspect name Rec_fw tcp router-traffic
ip inspect name Rec_fw udp router-traffic
ip inspect name fw_in tcp router-traffic
ip inspect name fw_in udp router-traffic
ip inspect name fw_in icmp router-traffic

permit udp host 192.36.143.150 eq ntp host xxxxxxxxxxxxxx eq ntp
20 permit icmp any any echo (666959 matches)
30 permit icmp any any echo-reply (2 matches)
40 permit esp any host xxxxxxxxxxxxxxx (1389344 matches)
50 permit tcp any host xxxxxxxxxxxxxxxx range ftp-data ftp (219474 matches)
60 permit udp any host xxxxxxxxxxxxxxxx eq tftp
70 permit udp any host xxxxxxxxxxxxxx eq isakmp non500-isakmp (326801 matches)
80 permit gre any host xxxxxxxxxxxxxxxxxx
88 deny ip host 213.171.198.20 any (80 matches)
89 deny ip host 200.21.208.13 any (31 matches)
90 permit tcp any host xxxxxxxxxxxxxxx eq 2224 (21031 matches)
91 deny ip host 217.76.49.60 any (24 matches)
100 permit tcp any any eq 22 (2929169 matches)
110 deny udp any any eq 5060 log
120 deny ip any any log (153319 matches)