> AaronComp#sh ip inspec sis det
> Established Sessions
> Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
> Created 00:58:42, Last heard 00:50:20
> Bytes sent (initiator:responder) [117:1741]
> Initiator->Responder Window size 65535 Scale factor 0
> Responder->Initiator Window size 5840 Scale factor 0
> In SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
This would certainly suggest that traffic is making it past CBAC properly (the session has gone SIS_OPEN rather than being stuck in SIS_OPENING), and both the in and out counters are being updated.

> But I never see those dynamic entries added to the ACL, and the return
> traffic gets dropped. I've done it before, worked as designed. Is
> there something I'm just not getting here?

Note that since 12.3T ("IOS Firewall ACL Bypass"), CBAC doesn't prepend to ACLs. Prior to that, a 'sh ip access-li' would show all of the active sessions; now those are only reflected in 'sh ip inspect sess'.

Since you have generic TCP inspection enabled, there's no value in using legacy CBAC HTTP inspection -- try dropping 'ip inspect name To_WAN http' and see how it looks (if you want to scrutinize HTTP, use appfw).

Alternatively, try re-enabling 'ip virtual-reassembly' on Fas0/0.100.

Lastly, add 'ip inspect log drop-pkt' and see if anything interesting is logged when the connections fail.

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
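The three changes the reply suggests, laid out as a constructed IOS configuration fragment so it is clear which are global commands and which belong on the subinterface. This is an added example, not the original poster's configuration and not part of the reply: the inspect name To_WAN, the ACL From_WAN and the subinterface Fas0/0.100 are taken from the thread, but the assumption that To_WAN is applied outbound and From_WAN inbound on that subinterface is mine, as is the exact set of existing inspect lines.

```ios
! Added example (constructed), not the poster's running config.
! Assumed: 'ip inspect To_WAN out' and 'ip access-group From_WAN in' on Fas0/0.100.
!
! 1. Drop the legacy HTTP inspection; generic TCP inspection already tracks
!    the port-80 session (use appfw instead if HTTP needs scrutiny).
no ip inspect name To_WAN http
ip inspect name To_WAN tcp
!
! 2. Log packets that CBAC drops (global command) so a failed return flow
!    leaves a trace in the syslog buffer.
ip inspect log drop-pkt
!
! 3. Re-enable virtual reassembly on the WAN subinterface.
interface FastEthernet0/0.100
 ip virtual-reassembly
 ip inspect To_WAN out
 ip access-group From_WAN in
!
! Verification. On 12.3T and later the dynamic entries no longer appear in
! the ACL, so check the session table, not the access list, for open flows;
! the access list only shows the static entries and their hit counts.
!   show ip inspect sessions detail
!   show ip access-lists From_WAN
!   show logging | include FW
```

Apply one change at a time and repeat a failing connection between steps; if 'show logging' picks up an FW drop message after step 2, the reason field in that message tells you whether the packet was dropped by inspection or by the ACL, which is the distinction the thread is trying to make.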