Cisco inspect sqlnet causing slow sql queries

Karandras

So we have a client that has a Cisco 1841 with about 25 VPNs connected. One of the VPNs connects to a network that has a dbase server. When our client runs a query that returns 15 records, it takes seconds to come back. Query for 150 records and it takes 15 minutes to come back. We were trying to track down the problem and in doing so disabled the sqlnet inspect. This fixed the problem. What would the inspect sqlnet do to slow down large queries? Would it be that the router just doesn't have enough power to handle a large amount of traffic returning?

Thanks.
 
Two things here. First, your inspection is looking at every packet that hits and wants to pass through the interface where the inspection set is grouped. If you removed that, you would no longer have to inspect that traffic and create a temporary opening (which could potentially break things as well). Anything that traverses that tunnel I would remove from your inspection group, as it will be inspected and given the same type of treatment. As long as you know which types of traffic are supposed to go over the tunnel and create your crypto ACLs to match, there's no reason to use CBAC (it won't need the temporary "ACL" anyway).

HTH
 
Thanks xphil3,

Is it because the Inspect rule is scanning every packet that applies to that rule that makes it go slower? Is the hardware unable to handle the requests or is it something else?
 
Technically it's the CPU, since you're processing everything. As I understand it, the ip inspect feature will inspect every packet so it can keep the respective flow active in this flow table. Personally, this is the reason why I like to create GRE tunnels and run IPsec over those tunnels, so I can manipulate my traffic flows accordingly.
 