I have a situation where, after applying ip inspect on the interfaces to our ISPs and on the internal interface, the following symptoms were seen:
1) CPU reached 100%
2) Session count reached 11500 sessions
3) Version IOS 12.3.14T
The configuration was inspect on icmp, tcp, udp and dns. On the interfaces, inspect was applied inbound facing the ISPs and the internal network; the ACLs were also applied in the inbound direction. The timers were left at their defaults and DoS was disabled. When looking at processes cpu, the highest figure was on IP Input.
Any suggestions or recommendations would be appreciated.
sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [696376:22379236]
udp packets: [21012:65075]
packets: [3255:7963]
dns packets: [21011:65160]
Interfaces configured for inspection 3
Session creations since subsystem startup or last reset 644405
Current session counts (estab/half-open/terminating) [10785:31:59]
Maxever session counts (estab/half-open/terminating) [12125:116:125]
Last session created 00:00:00
Last statistic reset 01:16:52
Last session creation rate 7305
Last half-open session total 31
sh ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:100000000] connections
max-incomplete sessions thresholds are [400:20000000]
max-incomplete tcp connections per host is 100000. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 15 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name xxxxx-In
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
dns alert is on audit-trail is off timeout 30
tcp alert is on audit-trail is off timeout 3600
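As an added example (not from the original post, not Cisco code), a small Python parser over the flattened show output above: it pulls out the session counts, the session creation rate, the process-switched share of tcp packets and the configured half-open thresholds, then reports whether those thresholds could act on the observed numbers. The threshold semantics used are the documented CBAC ones (max-incomplete counts existing half-open sessions, one-minute counts new half-open sessions per minute); the sample strings are the post's own figures pasted in, not live router output.

```python
import re

# Constructed sample: the "show ip inspect" output quoted in the post, pasted
# as two flat strings (the same text as the post, not live router output).
STATS = ("Packet inspection statistics [process switch:fast switch] "
         "tcp packets: [696376:22379236] udp packets: [21012:65075] "
         "packets: [3255:7963] dns packets: [21011:65160] "
         "Interfaces configured for inspection 3 "
         "Session creations since subsystem startup or last reset 644405 "
         "Current session counts (estab/half-open/terminating) [10785:31:59] "
         "Maxever session counts (estab/half-open/terminating) [12125:116:125] "
         "Last session creation rate 7305 Last half-open session total 31")
CONFIG = ("one-minute (sampling period) thresholds are [400:100000000] connections "
          "max-incomplete sessions thresholds are [400:20000000] "
          "max-incomplete tcp connections per host is 100000. Block-time 0 minute. "
          "tcp synwait-time is 30 sec -- tcp finwait-time is 15 sec "
          "tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec")

def _bracket(text, label):
    """Return the integers inside the first [a:b(:c)] that follows `label`."""
    m = re.search(re.escape(label) + r"[^\[]*\[([\d:]+)\]", text)
    return tuple(int(x) for x in m.group(1).split(":"))

def parse_inspect(stats, config):
    """Extract the fields that matter when CPU and session count are high."""
    estab, half_open, term = _bracket(stats, "Current session counts")
    proc_tcp, fast_tcp = _bracket(stats, "tcp packets:")
    return {
        "estab": estab, "half_open": half_open, "terminating": term,
        "creation_rate": int(re.search(r"creation rate (\d+)", stats).group(1)),
        # share of tcp packets that hit the process path (IP Input) vs fast switching
        "tcp_process_share": proc_tcp / (proc_tcp + fast_tcp),
        "one_minute": _bracket(config, "one-minute"),            # (low, high)
        "max_incomplete": _bracket(config, "max-incomplete sessions"),
        "tcp_idle": int(re.search(r"tcp idle-time is (\d+)", config).group(1)),
    }

def assess(d):
    """Say which half-open (DoS) thresholds can act on the observed numbers."""
    low_inc, _ = d["max_incomplete"]
    _, high_min = d["one_minute"]
    return {
        # below the max-incomplete low mark, no half-open deletion can be active
        "below_max_incomplete_low": d["half_open"] < low_inc,
        # one-minute high counts new half-open sessions per minute; the total
        # creation rate bounds that, so a far higher threshold never triggers
        "one_minute_high_reachable": high_min <= d["creation_rate"],
        "threshold_to_rate_ratio": high_min // max(d["creation_rate"], 1),
    }
```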