Traffic problems on Cisco edge router with BGP and CBAC.
Posted on 2003-03-15
Looking in Google for some hints related to CBAC/BGP interference, I found this in EXE:
> What you have to be careful of on the edge routers is any stateful configurations like CBAC or
> other IOS Firewall features i.e. ip-inspect, and be very careful in your access-lists...
I am stuck in apparently the same type of problem: a Cisco 3662 with CBAC (ip inspect ..., including ip inspect name ... tcp, udp and ftp) and BGP with 2 neighbours, running OK for one month, then suddenly almost all TCP traffic is blocked for a day or so, then OK again, etc. The last time it happened was a day ago, and our ISP told me about an equipment replacement, but with all the same configuration restored, etc.
When the problem appears, the symptoms are:
- most of the TCP traffic is blocked, mainly HTTP and FTP; ICMP is OK
- if the config is reloaded, traffic resumes for 1 to 10 min depending on the traffic load, then it is blocked again
- there are no significant error messages on the console, except (not sure if it is always there) an FW one: "%FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401" (ip inspect limit set to 1400)
- traffic resumes if I include an ip inspect name ... http, but apparently there are some delays, and speed is affected.
The temporary fix is dropping the FW and using only ACLs.
On the Cisco 3662 router there are 2 serial interfaces, BGP multihomed, and 2 FastEthernet interfaces for 2 different networks. The same ip inspect name ... in is on the FastEthernets, and the same ACL in is on the serials. There is one more ACL in on FastEth0/0 for filtering allowed IPs.
Can somebody help me with some recommendations/precautions (or links to them) for using CBAC on BGP Cisco routers?
Thank you for any hints!
P.S. Sorry, it is worth much more than 75 points, I know...
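The two precautions the quoted advice points at, written out as an added IOS configuration example (this is not the poster's configuration and not a diagnosis of the 3662): tune the CBAC half-open thresholds that trigger the "%FW-4-ALERT_ON: getting aggressive" state, and permit the router's own BGP sessions explicitly in the inbound ACL on the serials, because CBAC only opens return holes for sessions it has inspected and router-originated BGP never passes through an inspected interface. Interface names, the neighbour and local WAN addresses (192.0.2.x, 198.51.100.x), the rule name EDGE and the threshold values are assumptions; the thresholds were chosen only to match the numbers in the quoted message.

```cisco
! Added example, not the poster's configuration. Addresses, interface
! names, the rule name EDGE and all threshold values are placeholders.
!
! Half-open session thresholds. CBAC goes "aggressive" when the number of
! half-open sessions exceeds max-incomplete high or the rate of new
! connections exceeds one-minute high; it then deletes half-open sessions
! until the figure is back under the corresponding low threshold.
! On a busy LAN with many short HTTP connections this can look like
! most TCP traffic being blocked while ICMP still works.
ip inspect max-incomplete high 1200
ip inspect max-incomplete low 1000
ip inspect one-minute high 1400
ip inspect one-minute low 1200
! Half-open TCP sessions are dropped sooner, so they count for less.
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
!
! Inspection rules applied to LAN-originated traffic on the FastEthernets
ip inspect name EDGE tcp
ip inspect name EDGE udp
ip inspect name EDGE ftp
!
! Inbound ACL on the serials. The BGP neighbours must be permitted in BOTH
! directions, since either side may be the one opening the TCP session
! to port 179; CBAC will not create these holes for router-originated
! traffic. ICMP replies are permitted explicitly for the same reason.
ip access-list extended FROM-ISP
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 ip access-group FROM-ISP in
!
interface Serial0/1
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-ISP in
!
interface FastEthernet0/0
 ip inspect EDGE in
!
interface FastEthernet0/1
 ip inspect EDGE in
```

While the problem is happening, `show ip inspect config` confirms which thresholds are in force, `show ip inspect sessions` shows how many sessions are half-open versus established, and `show ip bgp summary` confirms the neighbours stayed up through the inbound ACL. If the half-open count sits near the high threshold under normal load, raise both thresholds rather than dropping the firewall, and keep the ACL entries for the neighbours even after the thresholds are tuned.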