Odd Cisco Inspect Behavior
I was recently asked to evaluate why a network was having issues with watching youtube or download large files.
I checked speed and duplex, every thing was fine on my and their sides.
show int |
I checked the CPU and everything was fine.
show proc cpu history |
To rule out the rest of their network, they unplugged their switch from the 2800 series router and connected their laptop straight in. The issue persisted.
On issuing some show interface commands I noticed that the interface was displaying input errors along with ignored. I found an article that say these in conjunction with buffer errors say you don’t have adequate buffer space…however I was receiving no buffer issues. The article pointed towards some hardware issues.
router#show interface Gi0/1 Gigabit0/1 is up, line protocol is up ... 21 input errors, 0 CRC, 0 frame, 0 overrun, 21 ignored |
I happened to have a spare router that was equivalent, so I duplicated their config and gave it to them to swap out. They swapped the gear and the issue persisted…hmmmm.
I noticed in the config that there were some “ip urlfilter exclusive-domain” command entered. This is used in conjunction with something like Websense or N2H2 for web filtering…but they don’t have such a service. It turns out they were trying to do some web filtering. I then noticed that their default inspection policy included HTTP.
ip inspect name DEFAULT http |
I issued the no command on the http inspection and low and behold everything cleared up. It seems that a router with an http inspection policy killing streaming connections will manifest as input and ignored only.
Good day and happy routing.