ODBC - Excessive TCP/IP packets

I'm trying to track down why reports from my WebApp are running so slow when connected to Oracle and I've discovered that there is an unusually high amount of TCP/IP traffic between the Web Server and the Oracle Server as the report is being generated. When I connect my WebApp to the SQL Server version of the database the reports run very fast.
Using a Process Monitor I discovered that, when Connected to Oracle, a report that returns zero (0) rows generates 2,671 TCP/IP packets between IIS and the Oracle server, and it takes 16 seconds to generate the report. If I run the same report, but connected to SQL Server, there are only 35 TCP/IP packets and the report runs in less than 2 seconds.
Is there some ODBC or Oracle configuration that I'm missing which is causing the excessive TCP/IP packets?
Oracle Driver: 11g ( SQORA32.DLL ) version 11.02.00.03 dated 10/30/2011.
Database: Oracle 11g
Web Server: Windows Server 2008 32bit with IIS7

922502 wrote:
Fetch Buffer Size = 64000
Looking at the TCP/IP packets, in almost all cases the length of the packet is less than 3k and at least 75% of them are less than 500 bytes.
These reports are created with Crystal Reports 2008.
If I run the same report from Crystal Reports designer using the same ODBC driver against the same Oracle database there are only 8 TCP/IP packets.
It just seems like there is some config issue between IIS and the ODBC driver.

Check for the client (or driver side) trying to play clever by parsing SQL and doing extra work (generating nested SQLs) in order to validate and optimise that SQL. This was disabled in the driver layer by enabling an option called pass-thru in the past. It was a major cause of increasing the amount of SQL client-server traffic.
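The measurement the poster describes (packets per report and the share of packets under 500 bytes) is straightforward to reproduce from a capture summary, and putting the Oracle and SQL Server connections side by side is the quickest way to show that the driver, not the network, is generating the traffic. The script below is an added example, not code from this thread or from Oracle: it parses a one-line-per-frame capture summary in a simple format assumed here (the sample lines, addresses and ports are constructed), aggregates packet count, bytes and the small-packet share per flow, and flags flows that are both long and dominated by small packets, the "chatty" pattern the poster observed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed capture summary, one line per frame:
#   <relative time> <src ip:port> -> <dst ip:port> <proto> <frame length in bytes>
# These lines are made up for this example; they are not the poster's capture.
SAMPLE = """\
0.000 10.0.0.5:51000 -> 10.0.0.20:1521 tcp 74
0.001 10.0.0.20:1521 -> 10.0.0.5:51000 tcp 74
0.002 10.0.0.5:51000 -> 10.0.0.20:1521 tcp 66
0.010 10.0.0.5:51000 -> 10.0.0.20:1521 tcp 312
0.012 10.0.0.20:1521 -> 10.0.0.5:51000 tcp 180
0.013 10.0.0.5:51000 -> 10.0.0.20:1521 tcp 96
0.015 10.0.0.20:1521 -> 10.0.0.5:51000 tcp 1514
0.016 10.0.0.20:1521 -> 10.0.0.5:51000 tcp 640
0.018 10.0.0.5:51000 -> 10.0.0.20:1521 tcp 66
0.020 10.0.0.5:51000 -> 10.0.0.20:1521 tcp 110
0.900 10.0.0.5:53012 -> 10.0.0.2:53 udp 80
1.000 10.0.0.5:51100 -> 10.0.0.21:1433 tcp 74
1.001 10.0.0.21:1433 -> 10.0.0.5:51100 tcp 74
1.002 10.0.0.5:51100 -> 10.0.0.21:1433 tcp 66
1.005 10.0.0.5:51100 -> 10.0.0.21:1433 tcp 1200
1.009 10.0.0.21:1433 -> 10.0.0.5:51100 tcp 1514
1.010 10.0.0.21:1433 -> 10.0.0.5:51100 tcp 1514
1.011 10.0.0.5:51100 -> 10.0.0.21:1433 tcp 66
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\w+)\s+(\d+)$")
SMALL_PACKET = 500  # the poster's threshold: "at least 75% of them are less than 500 bytes"

FlowKey = Tuple[str, str, str]  # (proto, lower endpoint, higher endpoint)


@dataclass
class FlowStats:
    packets: int = 0
    octets: int = 0
    small: int = 0  # frames shorter than SMALL_PACKET bytes
    first: float = float("inf")
    last: float = float("-inf")

    def add(self, t: float, length: int) -> None:
        self.packets += 1
        self.octets += length
        if length < SMALL_PACKET:
            self.small += 1
        self.first = min(self.first, t)
        self.last = max(self.last, t)

    @property
    def small_fraction(self) -> float:
        return self.small / self.packets if self.packets else 0.0

    @property
    def duration(self) -> float:
        return self.last - self.first if self.packets else 0.0


def flow_key(a: str, b: str, proto: str) -> FlowKey:
    """Direction-independent key so both halves of a conversation land in one bucket."""
    lo, hi = sorted((a, b))
    return (proto, lo, hi)


def summarize(text: str) -> Dict[FlowKey, FlowStats]:
    """Aggregate per-flow statistics from the one-line-per-frame summary."""
    stats: Dict[FlowKey, FlowStats] = defaultdict(FlowStats)
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-frame line
        t, src, dst, proto, length = m.groups()
        stats[flow_key(src, dst, proto)].add(float(t), int(length))
    return dict(stats)


def flag_chatty(stats: Dict[FlowKey, FlowStats],
                min_packets: int = 8, small_fraction: float = 0.7) -> List[FlowKey]:
    """Flows with many packets, most of them small: the pattern of a request-per-row driver."""
    return sorted(k for k, s in stats.items()
                  if s.packets >= min_packets and s.small_fraction >= small_fraction)


if __name__ == "__main__":
    flows = summarize(SAMPLE)
    for key, s in flows.items():
        print(f"{key[0]} {key[1]} <-> {key[2]}: {s.packets} pkts, {s.octets} bytes, "
              f"{s.small_fraction:.0%} under {SMALL_PACKET} B, {s.duration:.3f}s")
    print("chatty:", flag_chatty(flows))
```

Run against a real summary, the Oracle flow in the poster's case would show on the order of thousands of packets with the majority under 500 bytes, while the SQL Server flow for the same report would stay in the tens; the threshold values are tunable to whatever baseline the comparison connection establishes.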

Similar Messages

  • Getting the data from a TCP/IP packet

    I am dealing with an industrial network that sends and receives data over TCP/IP between a sort of supervisory system running on Unix and some machines via a bridge that converts messages onto other non TCP/IP networks. This is all old legacy equipment and the bridge now needs upgrading. However the original source code is not available and no-one is very sure of the messages being sent. I thought it was going to be easy knocking something together in Java to intercept these messages and test various things but have come up against big problems.
    The main problem being that all the data is binary meaning I can't use any of the reader or writer classes I am used to. I am trying to use either DataInputStream or BufferedInputStream to read data in but am struggling. Ideally I need to be able to read (once) the complete data content of each packet that is sent and I need to tell each time a new packet of data arrives so that I can process it as a complete packet. As far as I know there are no eof or eol or any other details that tell me how many bytes of data there are, and they do vary in length, but each packet is a separate message or message reply.
    I was hoping that there might be some way of getting this information from the TCP/IP layers but can't see how to do it as that all seems to work invisibly. Nor can I see any methods to call on the stream classes that indicate how to tell the length of the latest packet or when a new packet has arrived. I am not sure how some of the methods like mark() and reset() are supposed to be used so am not sure if I could use these but am desperate for any help or pointers in the right direction.

    "The TCP/IP packets can represent complete messages"
    There is no guarantee to this effect anywhere in TCP/IP. Consider the case where a single message requires multiple writes. Consider the case where a write contains the end of one message and the beginning of another. Consider the case where there are multiple messages in a single packet. Consider ... There are just too many of these cases.
    "The TCP/IP takes care of numbering the packets so that they can be reassembled in the correct order. Each TCP/IP packet contains information about the size of data the packet contains ..."
    Thank you, I do know how TCP works.
    "so in theory if we could get at the TCP/IP layers we should be able to get this information."
    No. You can get all the packet information out of packets. What you can't get is message information, because it isn't in there. It's in the application protocol, which to TCP/IP is just a stream of bytes. You can get the stream of bytes that the application sent. What it means is up to you.
    "I really need to be able to read each packet of data separately to be able to do anything with it"
    Why? Given the lack of correlation between writes() and packets and reads() due to TCP streaming, what is the point? And if you want packets you already have them via your sniffer.
    From your first post:
    "each packet is a separate message or message reply."
    You can't rely on that. There is no guarantee of this anywhere in TCP/IP.
    I also direct your attention to the Nagle algorithm, which coalesces outgoing packets under common conditions.
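The answer's point, that message boundaries live in the application protocol and not in TCP segments, is what a robust reader has to be built around. The decoder below is an added example and not code from this thread: it assumes a constructed 4-byte length-prefixed framing (the legacy protocol in the question is unknown, so that framing is an assumption), buffers whatever a TCP read hands it, and yields only complete messages. Feeding the same bytes as one read, one byte at a time, or split inside a header gives identical results, which is why Nagle coalescing or segmentation stops mattering once framing is handled at the application layer. The length cap keeps a corrupt or hostile length prefix from forcing unbounded buffering.

```python
import struct
from typing import Iterable, List

# Constructed wire format for the example: each message is prefixed with a 4-byte
# big-endian length. This framing is an assumption, not the thread's real protocol.
HEADER = struct.Struct("!I")
MAX_FRAME = 1 << 20  # refuse absurd lengths so a bad peer cannot make us buffer forever


def encode(payload: bytes) -> bytes:
    """Frame one message for sending."""
    return HEADER.pack(len(payload)) + payload


class FrameDecoder:
    """Reassembles framed messages from whatever chunks TCP read() happens to return.

    TCP is a byte stream: one message may arrive across several reads (or packets), and
    one read may end with the head of the next message. Nagle's algorithm and the peer's
    write() pattern change the chunking, not the bytes, so the decoder ignores chunking.
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        """Append a chunk and return every complete message now available (possibly none)."""
        self._buf.extend(chunk)
        messages: List[bytes] = []
        while len(self._buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._buf, 0)
            if length > MAX_FRAME:
                raise ValueError(f"frame length {length} exceeds limit {MAX_FRAME}")
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # partial message: wait for more bytes
            messages.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]
        return messages

    @property
    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete message."""
        return len(self._buf)


def decode_stream(chunks: Iterable[bytes]) -> List[bytes]:
    """Run every chunk through one decoder and collect the messages in order."""
    decoder = FrameDecoder()
    out: List[bytes] = []
    for chunk in chunks:
        out.extend(decoder.feed(chunk))
    return out


def demo() -> dict:
    """Deliver the same byte stream three ways; the decoded messages must be identical."""
    messages = [b"STATUS?", b"STATUS OK", b"\x00\x01\x02\x03"]
    stream = b"".join(encode(m) for m in messages)  # 32 bytes in total
    segmentations = {
        "one_read": [stream],
        "byte_at_a_time": [stream[i:i + 1] for i in range(len(stream))],
        "split_mid_header": [stream[:2], stream[2:15], stream[15:]],
    }
    return {name: decode_stream(chunks) for name, chunks in segmentations.items()}


if __name__ == "__main__":
    for name, decoded in demo().items():
        print(f"{name:17s} {decoded}")
```

In a real reader the loop is simply `for chunk in iter(lambda: sock.recv(4096), b""): handle(decoder.feed(chunk))`; with a protocol that uses a terminator instead of a length prefix, only the scan inside `feed` changes, the buffering discipline does not.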

  • Manipulating Raw IP and TCP headers / packets in 5.0

    I apologise in advance if this question has been asked previously. I've checked the archives.
    I currently have a Perl poller that will do two things...
    1. Sends an ICMP type 8 packet to a remote host
    2. Sends a TCP SYN packet to a remote host & port
    I need to replace this with a threaded version of the same thing and would like to implement it in Java.
    All I can see plastered around in the community (google) is that Java can't work at this level and that C/C++ native methods should be used instead.
    I don't have any issues with this, but I guessed it would be quicker (don't know why) if it was all done in Java.
    Is this still the case with Java 5.0?
    Thanks
    And no - this isn't homework ;0)

    Rocksaw will get you started, I have tried it but it looks a bit like the author has lost interest. Your best choice is to do this kind of work in C or as Java with JNI. Rocksaw and JPCap will give you a lot of hints if you decide on the Java route.

  • Tcp trace packets

    Hi all,
    Is there any way of blocking tcp trace packets that are being sent from the outside interface to inside? I have an application that is listening on port 80. Now it's a requirement that hackers or unwanted users should not be able to send tcp trace packets to this port, it needs to be blocked. Is there any way of doing it?

    Hello John,
    The idea is that if your internal http server is available for everyone, different scanners will identify this port as open. The only thing that you can do is to allow access to this server only for trusted sources using access-lists.
    Thank you.

  • ODBC with TCPS listener

    Hi, I am using an Oracle 9i server with a TCPS (SSL-encrypted TCP/IP) listener. I can't seem to get ODBC clients working with this listener.
    I can successfully use this TCPS listener with all of the regular Oracle clients (SQLplus, Enterprise Mgr, etc.)
    I can successfully use ODBC with the TCP (non-encrypted) listener.
    When I try to connect with ODBC over TCPS (e.g. to import data into Excel), the connection freezes. Has anybody else ever successfully used the encrypted listener in this way?
    Here are my particulars:
    Database server: 9.2.0.4 on Linux
    Database client: 9.2.0.4 (both Oracle Client and ODBC driver) on Windows XP
    Any help appreciated!!
    --Andy Stevens
    New York, NY

    yes the TCPS listener is part of Oracle Advanced Security.
    --andy

  • TCP reset packet issue on Cisco 6509 switch

    Hi,
    We are connecting a malware prevention appliance to a SPAN port on cisco switch 6509 which uses IOS firmware.
    When the Malware appliance send TCP RST packet to the switch, it does not accept it.
    Please help with what additional config to be done on the switch or the span sport so that the packet is received by the switch.

    Hello, Wasim.
    Not sure if 6500 supports the feature, but 3750 does:
    monitor session destination int f0/1 ingress vlan 100
    This last part allows SPAN port to send traffic into VLAN 100 (more details here -
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swspan.html#wp1260596)

  • Terminating established connections with TCP RST packet

    Hi,
    I'm making a small application for our campus. The idea is to block certain connections from outside of our network to hosts in our network. I'm analyzing the connections using jpcap, this API also has a send method that sends packets, I thought that I can terminate the connections by sending RST packet to the source but it doesn't work, connections don't terminate. Obviously I don't get any error message from the host where I'm sending it to. I think that problem might be in sequence number or something like that. For now I set the sequence number of RST packet to (acknowledgment number from the last packet that comes from the outside host+1) is this where I'm going wrong?
    Cheers.

    This isn't really a Java question, although I'm sure ejp will have some good advice.
    I suggest you look at the relevant TCP RFCs.

  • Counting TCP/IP packets

    Hello,
    I want to implement an SNMP Agent using Java, and I would like to know how I can count the packets coming and outgoing (IP, UDP, TCP, etc). This is to instrument the RFC1213 MIB. I don't have access to the TCP/IP stack code, so I can't use socket or something to count the packets. Is there any classes/methods to allow me to do this?
    Thanks a lot
    Fabio Mansur

    "I want to implement an SNMP Agent using Java, and I would like to know how I can count the packets coming and outgoing (IP, UDP, TCP, etc). This is to instrument the RFC1213 MIB. I don't have access to the TCP/IP stack code, so I can't use socket or something to count the packets. Is there any classes/methods to allow me to do this?"
    Not in standard java. And you can't normally do that in a normal install of windows either - if that matters.
    http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html

  • TCP / UDP packets not reaching destination

    Hi all,
    I have an ASR at the hub of 3 different routing domains.
    I have two OSPF processes and one BGP process all on the same ASR.
    BGP routes are redistributed in to both OSPF processes and vice versa. Plus, between the two OSPF processes, routes are also redistributed. Summary addresses are configured at the ASBR before the routes are injected in to Area 0 on each OSPF process.
    ICMP from a source host in one OSPF process to a destination in the BGP process works fine, but any TCP traffic hangs awaiting a SYN/ACK.
    I need to prove that the router is routing the packet toward the egress interface and that the packet is leaving the router. I was wondering if there were any debug commands that I can restrict to a particular host IP so that it does not bring the router down.
    I know about Embedded Packet Capture, but unfortunately the IOS-XE version that I am running is not new enough so we do not have EPC on our ASR.
    I appreciate that I have given only limited information.
    Any advice appreciated.
    Thanks
    Mario

    Mario
    If you don't want to risk debug then I always used a basic but pretty reliable method, i.e. ACLs.
    If you create an extended ACL with the first line allowing the source IP of the host to any and then a second line with a "permit ip any any" and then apply it outbound to the egress interface it should show if the packets are being routed correctly and sent on towards the destination.
    Obviously the "permit ip any any" line is very important.
    Edit - I haven't used the ASRs so it is possible they process all their ACLs in hardware in which case the hits may not show as they don't always on L3 switches that process ACLs in hardware.
    So bear that in mind.
    Jon

  • Questions about the TCP Null packet signature

    Does this event trigger even if there is one packet without any of the flags SYN, FIN, ACK, RST set? Or does it happen only if there are 10 packets out of 100 without the flags?
    Just trying to understand how this event triggers.

    You can use creationPolicy="all" on the Accordion and it will
    create all the children, not just the first one. The downside to
    this is that your app will take a little longer to start up.
    Consider this:
    Child 2:
    <mx:TextInput id="input" />
    If you trying to set child2.input = "something", a better way
    would be to use data binding:
    Child 2:
    [Bindable] public var inputValue:String;
    <mx:TextInput id="input" text="{inputValue}" />
    Now you can do: child2.inputValue = "something"; If the UI of
    child2 have not been created, setting inputValue has no ill effect;
    as soon as the controls on child 2 are created, data binding will
    assign the value. If child 2 has already been created, the data
    binding will also assign the value.
    You can deactivate the click event on the Accordion by
    intercepting it and stopping its propagation, but you have to do
    this in ActionScript, you cannot do this in MXML.
    myAccordion.addEventListener( "change", accHandler, true ); // true means to use capture phase

    private function accHandler( event:flash.events.Event ) : void
    {
        if( event.target is mx.containers.accordionClasses.AccordionHeader ) {
            event.stopImmediatePropagation();
        }
    }
    The idea is that you intercept the click event as it travels
    downward through the components (the capture phase). If the target
    of the event is an AccordionHeader, you stop the event from going
    further - that is, from reaching the AccordionHeader itself.
    You can put this event handler on the Accordion or its parent
    upwards to the Application.

  • Catch malformed tcp ip packets

    Hello,
    I made an application in LabVIEW 2012 32bit, that communicates with an xPC Target through the xPCAPI dll from Simulink Real Time. The communication is made with TCP/IP and I'm using the Call Library Function Node to access the dll.
    I request an array of signals to the xPC Target every 500ms and my LabVIEW application works fine for a period of time that can be 3 minutes to an hour and then LabVIEW just closes.
    We caught the error message from the xPC, which seems to be causing LabVIEW to crash and it is "Deformed message" error. (It also has the "TCP/IP Read Error".)
    I'm not very experienced with Networks, does anybody know how this error is produced and if I can catch it so my main application won't crash?
    Thank you!

    Hi Marco,
    I found out what is causing the problem, but still can't figure out how to fix it.
    I'm not using the TCP/IP communication VIs from LabVIEW, but a call function library node for the xPC dll.
    That DLL has a connection function and a set of functions to communicate with the xPC Target using an ID generated with the connection function.
    After the connection is established, I start requesting information from the xPC every 500ms (so my code is basically that call of the function inside a while).
    The parameters of my function are a vector data pointer for the values, an array with the ID of the signals I'm requesting and the number of signals (array size).
    Everything is fine until an error appears (I've seen TCP/IP Error or Malformed Message); this can be after 30 minutes, 1 hour, 2 hours, it seems to appear faster if I reduce the delay between calls.
    In the call of the function with error, I receive an array of zeros for my values. In the next call I receive the previous values that I didn't get because of the error, so I get some kind of offset between the calls of the function and the answer of the function:
    Request 1 --> Answer 1
    Request 2 --> Answer 2
    Request 3 --> Error
    Request 1 --> Answer 3
    Request 2 --> Answer 1
    I try disconnecting and reconnecting to clean the data queue, and though it seems to work, the problem reappears until I can't reconnect anymore.
    I'm not sure what is causing the error, so any idea or suggestion is welcome!

  • Import / Export and TCP packets relay

    Hi All,
    Any idea what relationship Export/ Import on a local box has on the TCP/IP packets? I see a tremendous amount of packets (42000 / sec) on a Windows 64 bit box while doing Import / Export. It's from an 8i to 10g so the Import / Export.

    On a local server you don't need to use TCP/IP.
    Generally speaking export is just a series of SELECTs. The normal array interface applies, the size of the array is indicated by the buffer parameter.
    One array is fragmented by sqlnet in packages of SDU size, default 2048 bytes.
    These packages are being fragmented by the network card, as the default MTU is 1500 bytes.
    Sybrand Bakker
    Senior Oracle DBA

  • WRT54GX2: TCP packets blocked (except SYN/SYN-ACK) to internet

    I'm using WRT54GX2 with latest FW 1.01.22 and I've been running into internet connectivity problems with one of my laptops (Toshiba MX35-S149 using Atheros). From this laptop DNS/ping works to the internet (UDP/ICMP) but all of the TCP data packets from the internet are being blocked by the router (I think). All of the other PCs continue to work with no problem.
    Rebooting the router (power cycle) causes things to work again for this laptop but after some time (15-20 minutes or so) once again the problem comes back. I've already spent about 3 hours with support on this but no luck.
    I did a packet capture on the laptop and any HTTP request shows TCP SYN, SYN-ACK packets but no data packets. The laptop continues to do the retransmission. At this point I can still PING and DNS resolve any of the names.
    The HTTP to the router's page (192.168.1.1) continues to work without any problem (still using the wireless NIC). Hard-wiring the laptop to router works fine.
    I asked the support if I can do a packet capture on the router itself but I was told "That is not possible".
    I'll add the packet capture files later today.
    Any help is appreciated as I don't think I'll get any help from the tech-support.
    TIA,
    Navras

    Interesting - I have a similar problem however I am trying to block packets going out. So you say that it allows the TCP for a little while then later it is blocked.
    Why are you trying to pass TCP into the computer specifically?
    Do you have a firewall on your laptop that you can check the logs of?
    I have been with support for my issue which is basically the BLOCKED SERVICES options are all greyed out. I need to block udp/tcp packets from going out on exactly the same router, same firmware as yours. They just read scripts from their help desk manuals and do not really seem to understand problems that are NOT in the scripts. Too bad I was hoping after cisco took over linksys would get better at customer support, not the other way.
    I saw a post previously that states that the same router DOES NOT HAVE the blocked services as a function. The manual and screen seem to indicate otherwise.
    Interesting...let us know what happens.
    danee

  • Why does StreamSocket::ConnectAsync set up two TCP connections when proxy is configured in system?

    Hello, Dear all,
    Per my test, the proxy for HTTPS will be selected as the actual used one for the out-going packets if we do the following test in a corporate network environment. Two connections will be set up: one is with the proxy, the other one is with the target address.
    Some info about my env:
    1. the configured proxy could only be accessed in the corporate network;
    2. the target host has both private and public IPs;
    3. I don't check whether there is proxy configured in code.
    4. the issue could only occur in the private network; If I do the test out of the corporate network, the behavior is correct because no proxy is configured. But I am not sure whether the issue would occur if there would be a usable proxy configured.
    The repro steps are:
    1. Create a Windows Store App project with VS2013. The testing code is pretty simple as the following:
    using namespace Windows::Networking::Sockets;
    StreamSocket^ streamSock = ref new StreamSocket();
    IAsyncAction ^sconn = streamSock->ConnectAsync(
    ref new Windows::Networking::HostName("10.1.2.3"), "56789",
    SocketProtectionLevel::PlainSocket);
    The target address and port (10.1.2.3:56789) could be any meaningful or bad one. We only need to observe the packet sent out from the client side in the following steps.
    2. Configure the proxy in Internet Options -> Connections -> LAN Settings -> Advanced -> Secure. Give a good proxy/port to it;
    2.1. Run the program and capture the packets with Wireshark or other tools.
       ==> You will see that a HTTP request with header "CONNECT" is sent to the proxy. That's to say, the client will connect to the proxy.
       ==> You will also see that the client side also sent out a TCP SYN packet to the remote target address (10.1.2.3:56789).
    3. Disable or remove the proxy setting;
    3.1. Run the program and capture the packets with Wireshark or other tools.
       ==> You will see that there would be no HTTP request sent out.
    I am using Win8.1/VS2013 and the system is up-to-date... I am not sure the behavior is designed as this, or it is a bug of the StreamSocket?
    BTW: I didn't use Windows::Networking::Connectivity::NetworkInformation::GetProxyConfigurationAsync on purpose.
    For the classical WinSock, we could only see the TCP SYN packet in step 2. That's to say, the behaviors between StreamSocket and WinSocket are different.
    Thank you all.

    A workaround to avoid proxy connection requests from being sent out is to use the ConnectAsync(Hostname, String, SocketProtectionLevel, NetworkAdapter) method with a specific adapter. The proxy-related logic is disabled when a specific network adapter is selected.
    You can retrieve the main active network adapter by calling GetInternetConnectionProfile() and then referencing the NetworkAdapter property of the returned information:
    ConnectionProfile^ connectionProfile = NetworkInformation::GetInternetConnectionProfile();
    NetworkAdapter^ adapter = connectionProfile->NetworkAdapter;
    You could also enumerate all possible adapters and try to connect on each of them, one by one:
    for each (HostName^ localHostInfo in NetworkInformation::GetHostNames())
    {
        if (localHostInfo->IPInformation != nullptr)
        {
            NetworkAdapter^ adapter = localHostInfo->IPInformation->NetworkAdapter;
            // Attempt to connect with this adapter.
        }
    }

  • Default class map is dropping all Packets

    Hello, I have a Cisco 871 router that used to have access list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp. with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
    Guest VLAN has access to 2 IP's in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
      33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
      B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
      147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
      41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
      F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
      03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
      0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
      092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
      D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
      8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
      E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
      3543BD68 A4B2692D 05CBF6DC C93C8142
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recommend that you investigate a little bit more how the ZBFW feature works.
    Now I am going to help you on this one at least, then I will give you a few links you could use to study.
    We are going to study traffic from MyNetNet-zone to the MyNetWAN-zone.
    First the zone-pair:
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    So let's go to the policy-map:
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    Finally to the class-map:
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet would need to match the base protocols and the extended protocols, and as you know that is not possible (just one protocol).
    So here are the links:
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do.
    Please remember to rate all the helpful posts.
    Julio
    CCSP
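As an added example (not Julio's or Charlie's configuration), here is one way to restructure the class-map so that match-all keeps its intended meaning: the three protocol class-maps are grouped under a match-any class-map, and the match-all class only combines the ACL class with that group. It assumes the other class-maps stay as posted; the class-map name MyNetNet-Protocols is invented here.

```cisco
! Added example (not from the thread). Assumption: the posted class-maps
! MyNetNet-access-list, Voice-protocols, Extended-protocols and Base-protocols
! stay as they are; the new class-map name MyNetNet-Protocols is invented here.
!
! Step 1: one match-any class-map that is satisfied by ANY one protocol from
! the three protocol lists.
class-map type inspect match-any MyNetNet-Protocols
 match class-map Voice-protocols
 match class-map Extended-protocols
 match class-map Base-protocols
!
! Step 2: the match-all class-map now reads "source is an inside network
! (ACL 100) AND the flow is one of the permitted protocols". Before, it
! required a voice AND an extended AND a base protocol at the same time,
! which no single flow can satisfy, so every flow fell through to the
! class-default drop action.
class-map type inspect match-all MyNetNet-Class
 no match class-map Voice-protocols
 no match class-map Extended-protocols
 no match class-map Base-protocols
 match class-map MyNetNet-access-list
 match class-map MyNetNet-Protocols
!
! The policy-map and zone-pair do not change; the DNS (udp/53) and HTTPS
! (tcp/443) drops in the log buffer were flows that never reached the
! inspect class.
!
! Verification (run from enable mode after the change):
!   show policy-map type inspect zone-pair MyNetNet->MyNetWAN
!     - "Session creations" under Inspect should now increase while the
!       class-default "Drop" packet counter stops growing.
!   show logging | include FW-6-DROP
!     - no new %FW-6-DROP_UDP_PKT / %FW-6-DROP_TCP_PKT entries for inside
!       hosts going to the WAN.
```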