Downloads stall or stop on a Cisco 877 Router using Zone Based Firewall

I was setting up a Cisco 877 router on an ADSL2 BT Broadband connection this week and came across an issue when downloading large files from the Internet. With the router configured and connected, everything appeared to be working OK: the ADSL connection was stable, and the VPN tunnel was up and transferring data happily. I performed a few more checks, one of which was to run a speed test using speedtest.net. The test started fine, downloading at around 6.5Mb per sec, but when it got halfway through it stalled and didn't complete. Following this I tried to download a 600MB ISO file using my web browser. It downloaded about 100MB and then stalled. Subsequent attempts produced similar results: sometimes I could only download a couple of MB, sometimes 50MB to 100MB, but at some point the download would stop and not get any further.

Interestingly, I didn't seem to get this problem when transferring files over the site-to-site VPN connection, as I transferred around 400MB of data across the VPN without issue. This made me think that it could be something to do with traffic inspection on the zone-based firewall. I did a little digging on the Internet and found some information relating to out-of-order packets being dropped on Cisco equipment using the zone-based firewall. Other reports suggested that if you remove the zone-based firewall, downloads proceed normally. It seemed quite a few people have had the same issue that I was having, and there were a few steps that could be taken to verify it.

Firstly, in configuration mode, set the level of the logging buffer to 'debugging' (51200 is the buffer size in bytes; 'show logging' reads from this buffer, so make it large enough to hold a burst of drop messages):

router(config)# logging buffered 51200 debugging

Next, turn on logging of packets dropped by the inspection engine:

router(config)# ip inspect log drop-pkt

If you are connected over telnet (or SSH) rather than the console, log messages are not sent to your session by default. Enable them with the following privileged EXEC command; note that it is entered at the router# prompt, not in configuration mode, and only affects the current session:

router# terminal monitor

Alternatively, you can view the log file after testing by running:

router# show logging

After adding the commands to log dropped packets, I kicked off the ISO download again and waited for it to stall. Sure enough, after it stopped downloading I got the following message logged (IP addresses have been removed):

%FW-6-DROP_PKT: Dropping tcp session X.X.X.X:80 X.X.X.X:52334 due to Out-Of-Order Segment with ip ident 0
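When the log buffer fills with these messages it is easier to paste the 'show logging' output through a small script than to read it by eye. The following is an added example, not code from the original post: it parses %FW-6-DROP_PKT lines in the format quoted above, counts drops by reason, and lists the TCP sessions that were killed for out-of-order segments so you can match them against the stalled download (here the client port 52334). The sample log lines are constructed for the example, with made-up timestamps and RFC 5737 test addresses; only the message text follows the line quoted above.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Regex for the %FW-6-DROP_PKT message as it appears in the post. The field
# order (protocol, src:port, dst:port, "due to <reason>", optional
# "with ip ident <n>") is taken from that single logged line, so the reason
# is treated as an opaque string rather than an enumeration of every value
# IOS can emit.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?)(?: with ip ident (?P<ident>\d+))?\s*$"
)


class Drop(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str
    ident: Optional[int]

    @property
    def session(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


def parse_drop(line: str) -> Optional[Drop]:
    """Parse one 'show logging' line; return None for anything that is not a DROP_PKT."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    ident = int(m["ident"]) if m["ident"] is not None else None
    return Drop(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["reason"].strip(), ident)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count firewall drops by reason and list the sessions hit by out-of-order drops."""
    drops = [d for d in map(parse_drop, lines) if d is not None]
    by_reason = Counter(d.reason for d in drops)
    ooo_sessions = sorted({d.session for d in drops if d.reason.startswith("Out-Of-Order")})
    return {"total": len(drops), "by_reason": dict(by_reason), "ooo_sessions": ooo_sessions}


# Constructed sample of 'show logging' output (timestamps and addresses are
# made up; the DROP_PKT message text follows the line quoted in the post).
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "*Mar  1 00:14:02.101: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.20:80 192.0.2.10:52334 due to Out-Of-Order Segment with ip ident 0",
    "*Mar  1 00:14:02.118: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.20:80 192.0.2.10:52334 due to Out-Of-Order Segment with ip ident 0",
    "*Mar  1 00:16:45.009: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.5:443 192.0.2.10:52340 due to Out-Of-Order Segment with ip ident 0",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for reason, n in report["by_reason"].items():
        print(f"{n:4d}  {reason}")
    for s in report["ooo_sessions"]:
        print("OOO-dropped session %s:%d -> %s:%d" % s)
```

Feed it the saved output of 'show logging'; if every killed session is an inbound download (server port 80 or 443 on the far side) and the reason is always "Out-Of-Order Segment", you are looking at the same problem as this post rather than a policy mismatch.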

Apparently the zone-based firewall in this release drops TCP segments that arrive out of order instead of reassembling them, so any path that reorders segments will eventually kill a long-lived session; fortunately support for out-of-order packets has been introduced in IOS versions 15 and above. This 877 router was running IOS version c870-advsecurityk9-mz.124-24.T7.bin (12.4(24)T7). The router has only the standard 24MB of flash, so image size was a concern, but c870-advsecurityk9-mz.151-1.T4.bin (15.1(1)T4) fitted and I upgraded to that.

After applying this upgrade the issue was fixed and downloads proceeded normally. Once you have finished testing, turn the drop-packet logging off again and put the buffered logging level back to what it was; per-packet logging at debugging level is a noticeable load on a router this small and fills the buffer quickly.

References:

https://supportforums.cisco.com/thread/2089462

http://www.dslreports.com/forum/r24332834-Config-Zonebased-firewall-and-outororder-dropped-packets

Upgrading the adsl modem firmware on Cisco 877W router

In order to ensure compatibility and stability with your ISP's equipment in the exchange, it is at times necessary to upgrade the ADSL modem firmware on your Cisco router. Download the appropriate firmware for your router (in this case a Cisco 877W). The firmware is specific to the router's DSL hardware, so take care to get the correct one. Some older updates can be found here:

ftp://ftp.cisco.com/pub/access/800/

You will need a Cisco Smartnet subscription to get the latest firmware.

Once you have downloaded the firmware (in this case adsl_alc_20190_4.0.018.bin), rename the file to adsl_alc_20190.bin. This is the fixed name the router looks for in flash when the DSL interface comes up; if no file of that name is present, the firmware embedded in the IOS image is used instead.

Telnet into your router and check the current firmware version by running the command:

show dsl interface

In the output, the 'Operation FW' section shows the current firmware file and version, and 'FW Source' shows the location as embedded (i.e. the firmware built into the IOS image).

Next we need to copy the new firmware file to the flash memory on the router using TFTP. You can use the Cisco TFTP server software to do this, or alternatively download the free SolarWinds TFTP server. Bear in mind that TFTP has no authentication or encryption, so run the server on a trusted network segment and stop it as soon as the copy has finished.

Place the firmware file you renamed earlier in the TFTP server's root directory and then issue the following command on your router:

copy tftp flash

When prompted, fill in the IP address of your TFTP server and give adsl_alc_20190.bin as both the source and destination filename.

Issue the reload command to restart your router; the new firmware is only picked up when the DSL interface comes up after a reboot:

reload

Once your router is back up, telnet into it again and run the following command to see the result:

show dsl interface

As you can see, 'Operation FW' now shows the new firmware version and 'FW Source' shows external. If for any reason you have a problem with the updated firmware, you can easily roll back to the embedded version by deleting adsl_alc_20190.bin from the router's flash memory and reloading.

This can be done by issuing the following command:

delete adsl_alc_20190.bin

When asked to confirm the file deletion just press 'Enter', then reload the router so that it comes back up on the embedded firmware.
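The whole procedure as a single session, written here as an added example rather than a transcript from the post, with one step the post does not show: because the firmware is fetched over plain FTP and then TFTP, neither of which protects the file from tampering in transit, check its MD5 against the checksum published on Cisco's download page with IOS's built-in verify command before reloading. The TFTP server address 192.0.2.50, the ATM0 interface name and the hash value are assumptions or placeholders; lines beginning with ! are annotations, not commands.

```cisco
! Added example, not from the original post.
! 192.0.2.50 is an assumed TFTP server; the MD5 value is a placeholder for
! the checksum shown on Cisco's download page for this firmware file.
router# show dsl interface atm 0
! note the current 'Operation FW' and that 'FW Source' reads embedded
router# copy tftp://192.0.2.50/adsl_alc_20190.bin flash:adsl_alc_20190.bin
router# verify /md5 flash:adsl_alc_20190.bin 0123456789abcdef0123456789abcdef
! IOS hashes the file in flash and reports a match only if it equals the
! value given; on a mismatch delete the file and do not reload.
router# dir flash:
! confirm the file is present under exactly the name adsl_alc_20190.bin
router# reload
! after the reboot
router# show dsl interface atm 0
! 'FW Source' should now read external and 'Operation FW' the new version
! rollback, if needed: remove the file and reboot onto the embedded firmware
router# delete flash:adsl_alc_20190.bin
router# reload
```

Keeping a copy of the published checksum alongside the firmware file also lets you re-verify the flash contents later, which is a cheap way to confirm the router is still running the firmware you installed.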