CBAC and HTTP inspection IOS bug

I was doing some work for my friend recently. One of the requirements was to provide a local Internet breakout to the office. I ended up using Dynamic PAT, Static ACL (Inbound) and Content-Based Access Control or CBAC (Outbound). CBAC was configured to support Generic UDP and TCP protocols as well as HTTP, HTTPS, IMAP, POP3, SMTP, DNS, FTP and few others. Everything was working in line with the design with one strange exception.

Some HTTP downloads were very slow (like few hundred kbps on a 100Mbps link) or were being disconnected in few minutes. To add more complexity to this, I will underline that some sites were OK, while others were NOT. Thus, I wasn’t able to say exactly where does that problem lies.

I spent few hours with Google to finally find a note which described an IOS bug that relates to the inappropriate behavior of the CBAC’s HTTP inspection. Once I disabled ACL and CBAC inspection on the interface everything returned to normal.

I have re-applied CBAC leaving only the following lines in my running-config

ip inspect name Outboud-Inspection ftp
ip inspect name Outboud-Inspection dns
ip inspect name Outboud-Inspection udp
ip inspect name Outboud-Inspection tcp

This effectively solved my issue, keeping TCP inspection (which includes HTTP).

I heard this bug has been resolved in IOS 15.X but didn’t have a chance to check. Hope that will help you to track down similar issues.

Leave a Reply

%d bloggers like this: