Troubleshooting IOS Firewall Feature Set – CBAC

Posted on November 23, 2010


1, Get a config where CBAC is enabled and access-list are applied on the interfaces
If the configuration of the CBAC and ACL is wrong then the following steps will show wrong results.
Check the configuration of the router before you suggest the followings.

2, Check the “show commands” output
2.1 Check the inspection states
I would check the output of those commands:

IOSFirewall(config)# show ip inspect config –> This shows the full inspection config (default values are also shown).
IOSFirewall(config)# show ip inspect statistics –> This shows the current session count.
IOSFirewall(config)# show ip inspect sessions detail –> This shows the current sessions info (Dynamic ACE counter are also here).

Link for “show ip inspect” commands

2.2 Check the processes (we should see the process that handles CBAC)

IOSFirewall(config)# show processes cpu
IOSFirewall(config)# show processes memory

Link for “show processes” commands

3, Check the logging output
3.0 Install a syslog server on a PC, that has access to the router
1. Link for a Windows based free syslog server (Kiwi)
2. Link for a Windows based free syslog server (tftpd)

3.1 Configure the logging on the router

IOSFirewall(config)# logging syslog-server-ip-address
IOSFirewall(config)# service timestamps log datetime
IOSFirewall(config)# logging trap debugging
IOSFirewall(config)# logging on
IOSFirewall(config)# ip inspect audit-trail

Link for “ip inspect audit-trail” command
Link for “logging” command

3.2 Test the Internet access
Download a very large file, we need long time session for troubleshooting.
3.3 Send the logs to the Cisco TAC Support
3.4 After the test change back the severity level for logging

IOSFirewall(config)# logging trap previous-severity-level

4, Debugging the CBAC
Most important debugs are usually:

IOSFirewall(config)# debug ip inspect detailed
IOSFirewall(config)# debug ip inspect object-creation
IOSFirewall(config)# debug ip inspect object-deletion
IOSFirewall(config)# debug ip inspect tcp
IOSFirewall(config)# debug ip inspect http —> if the http is the issue or is used.

Link for the “debug ip inspect” commands

5, Contact the TAC
If you reached the step 4 without even an idea what the problem can be, than send the debugs to the TAC.


Link for Configuring Cisco IOS Firewall with IOS 12.4
Link for CBAC

Check the commands (mainly the debug commands) if they can affect the performance of the router, before you suggest it to the customer.
Go to lab start a download through a router with CBAC config and test the commands suggested above.