Question : Traffic problems on Cisco edge router with BGP and CBAC.

Hello,

Looking in Google, for some hints related to CBAC - BGP interference I found in EXE:
> What you have to be careful of on the edge routers is any stateful configurations like CBAC or
> other IOS Firewall features i.e. ip-inspect, and be very careful in your access-lists...
I am stuck in apparently same type of problem: a Cisco 3662 with CBAC (ip inspect..., including ip inspect name...tcp, udp and ftp) and BGP with 2 neighbours, running ok for one month, then suddenly almost all tcp traffic is blocked for a day or so, then again ok, etc. Last time it happened a day ago and our ISP told me about an equipment replacement, but with all the same configuration restored, etc.
When the problem appears, the symptoms are:
- most of the tcp traffic is blocked, mainly http, ftp; icmp is ok
- if the config is reloaded, traffic resumes for 1 to 10 min depending of the traffic load, then it is blocked again
- there aren't significant error messages on the console, except (not sure if always) a FW one: "%FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401" (ip inspect set limit, 1400)
- traffic resumes if I include an ip inspect name ... http, but apparently there are some delays, and speed is affected.
The temporary fix is dropping the FW, and using only acl's.

On the Cisco 3662 router there are 2 serial interf, bgp multihomed, and 2 FastEth interf for 2 different networks. Same ip inspect name... in on fasts, same acl in on serials. There is one more acl in on FastEth0/0 for filtering allowed ip's.

Can somebody help me with some (links with) recommendations/precautions when using CBAC on BGP Cisco routers?

Thank you for any hints!

P.S. Sorry, it worth much more than 75 points, I know...

Answer : Traffic problems on Cisco edge router with BGP and CBAC.

The best answer is - don't do it. Been there, done that.

Although Cisco has done a pretty good job with their firewall ios feature set, it is still a kludge on top of IOS, it was not designed as a firewall.

Putting all your eggs in one basket is trouble. You have two providers using BGP for redundency, so it is obviously important to you.

My suggestion is to let the router route and do the bgp thing - that's what it does very very well, and let it provide the first line of defense with some good acls.

Put in a real firewall, ie. PIX, behind the router for the statful packet inspection.

Having said all that, what is the version IOS that you are running?

Random Solutions

I want to set up a wifi network at home.

How do i set up a 2nd WAN IP over PPPoE on OneAccess 100 modem/router?

smtp service will not start

What are the different methods of processing 2-way SMS?

Two Groups, Two ISPs, One domain

SMS to web page - application recommendations needed

Virtual IP address on Win2003 Network Load Balancing (NLB) not available across VLANs/switch

How to synchronize the time of a Windows NT/95 with a Unix server

How well can I establish distance between two Bluetooth devices

Force removal of exchange