Short Threshold Values for Half-open and New Connections
Before you change any of these thresholds (the total number of half-open connections, or the rate of new connection requests per minute), establish a baseline for your network so that you know what "normal" looks like during peak load. If you set the thresholds too low, the router enters aggressive mode whenever ordinary traffic crosses them and starts clearing half-open sessions and dropping new connection attempts, many of them legitimate. The result is not just packet loss but very poor connection performance for users, while the counters suggest a SYN flood that is not really happening. Measure first, then set the high thresholds comfortably above the observed peak and the low thresholds high enough that the router leaves aggressive mode promptly once a real flood subsides.
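The following configuration fragment is an added example, not from the original text, showing the CBAC threshold commands with their defaults, a too-low setting of the kind warned about above, and values derived from a baseline. The baseline figure (about 800 half-open sessions at the busiest measured peak) and all tuned numbers are assumptions for a hypothetical network; derive your own from the statistics commands at the end, captured during normal peak hours.

```cisco
! Added example: CBAC half-open and new-connection thresholds.
! All tuned numbers below are assumptions for a hypothetical network.
!
! --- Defaults (what you have before any tuning) ---
! Aggressive mode starts when half-open sessions exceed 500, or when more than
! 500 new connection attempts arrive in one minute, and stops again below 400.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Too low (the mistake to avoid) ---
! On a network whose normal peak is several hundred half-open sessions, these
! values keep the router in aggressive mode and it drops legitimate SYNs.
! ip inspect max-incomplete high 100
! ip inspect max-incomplete low 80
!
! --- Baseline-derived values (assumed baseline: ~800 half-open at peak) ---
! High sits well above the measured peak; low sits close beneath high so the
! router exits aggressive mode as soon as a genuine flood tails off.
ip inspect max-incomplete high 1200
ip inspect max-incomplete low 1000
ip inspect one-minute high 1200
ip inspect one-minute low 1000
! Per-destination limit: no single host on this network normally draws more
! than ~100 half-open sessions; if one does, block new attempts to it for
! 2 minutes instead of silently deleting the oldest half-open sessions.
ip inspect tcp max-incomplete host 100 block-time 2
!
! --- Verify from privileged EXEC ---
! show ip inspect config       (thresholds actually in effect)
! show ip inspect statistics   (current and maximum half-open session counts,
!                               session creation rate; collect this over a
!                               busy period to build the baseline)
```

Re-run `show ip inspect statistics` for at least one full business cycle before trusting the numbers; a baseline taken at night will put the thresholds far too low for the daytime peak.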
HTTP Inspection Dilemma
If HTTP inspection is enabled, Java filtering is on by default, as discussed earlier. HTTP inspection also requires the router to process the packets of a session in strict order, so any TCP segment that arrives out of order is dropped and the peer has to retransmit it. On a path that reorders packets, this shows up as noticeably slow web page downloads. You can confirm that this is what is happening by running the following debugs on the router (inspect debugs are CPU-intensive, so enable them only briefly on a busy router):
debug ip inspect detailed
debug ip inspect tcp
debug ip inspect http
When the slowdown is caused by out-of-order packets, the three debugs above produce messages like the following; the telltale is the DROP result on a port 80 session tagged http:
Feb 17 17:37:59.428 CST: CBAC* sis 83207F08 L4 inspect result: DROP packet 833BECC4 (200.1.1.1:80) (20.1.1.1:4383) bytes 272 http
There are two ways around the problem: turn off HTTP inspection in the inspection rule (generic TCP inspection still covers port 80 sessions, but Java filtering is lost with it), or upgrade the IOS image to 12.3(5.13), 12.3(5.13)T, or a later release, where this behavior is corrected.
Note
Per-packet load balancing across equal-cost paths sends successive packets of the same flow over different links, which greatly increases the chance of packets arriving out of order. If the router has multiple paths, use per-destination (per-flow) load sharing instead: it keeps every packet of a flow on one path, so the flow reaches HTTP inspection in order and performance improves.
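The following configuration is an added example, not from the original text, that puts together the HTTP inspection workaround and the per-flow load-sharing advice from the Note. The inspection rule name FW, access list 10, the network 192.0.2.0/24 and the interface names are assumptions for a hypothetical router.

```cisco
! Added example: removing HTTP application inspection and reducing reordering.
! Rule name FW, ACL 10, 192.0.2.0/24 and the interface names are assumptions.
!
! --- Before: HTTP inspection with Java filtering against a friendly-site list ---
! Every segment of an HTTP session must be processed in order; a reordered
! segment is dropped (DROP ... http in the debug output) and retransmitted.
access-list 10 permit 192.0.2.0 0.0.0.255
ip inspect name FW http java-list 10
ip inspect name FW tcp
ip inspect name FW udp
!
! --- Workaround: drop only the HTTP application inspection from the rule ---
! Generic TCP inspection still opens return openings for port 80 sessions but
! does not require in-order processing. Java applet filtering is lost, so only
! do this where that filtering is not relied on (or upgrade the image instead).
no ip inspect name FW http
!
! --- Reduce reordering at the source: per-destination (per-flow) CEF load
! sharing on each equal-cost uplink instead of per-packet ---
interface Serial0/0
 ip load-sharing per-destination
interface Serial0/1
 ip load-sharing per-destination
!
! --- Diagnose from privileged EXEC (CPU-heavy; enable briefly, then undebug) ---
! debug ip inspect detailed
! debug ip inspect tcp
! debug ip inspect http
!   a line of the form
!   CBAC* sis <id> L4 inspect result: DROP packet <id> (<server>:80) (<client>:<port>) bytes <n> http
!   means an out-of-order HTTP segment was dropped by inspection.
! undebug all
!
! --- Verify ---
! show ip inspect name FW      (confirms http is no longer in the rule)
! show ip cef <interface>      (confirms per-destination load sharing)
```

Check `show ip inspect name FW` after the change; if http still appears in the rule the debugs will continue to show the DROP lines, regardless of the load-sharing setting.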