ACS DB Replication Fails Through Cisco Firewalls w/Skinny Policy Inspect

Unanswered Question
Jun 27th, 2007

We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers, and it is because of the default port the ACS servers use to replicate over: TCP 2000.


Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.


When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.


Is there a way to reconfigure the ACS servers so they use a different port than TCP 2000? (Registry hack, ini file edit, something???)


Frankly, it is rather lame of Cisco to implement an already-defined port for their DB replication, one that is defined by the IETF as a well-known port for the skinny protocol. Even worse is that this problem continues to exist in v4.0, as I understand it.


And no... we should not have to disable the inspect policy for skinny on the ASAs. :-)


Any help to quell my frustration on this topic would be appreciated.


Thanks,


-Scott

Jagdeep Gambhir Wed, 06/27/2007 - 16:22

Scott,

If disabling the inspection of the skinny protocol is not feasible, the following configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:


In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.


! Define what traffic you want inspected. The two deny entries pull the
! ACS-to-ACS replication traffic out of the class; everything else on
! TCP/2000 is still matched. Order matters: the ACL is first-match.
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
!
! Create a class map to match the ACL
class-map skinny_map
 match access-list skinny_acl
!
! Under the global policy, take the skinny inspection out of the
! class inspection_default, and add it under our new class
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class skinny_map
  inspect skinny
!
service-policy global_policy global
!


### Will be inspected for skinny ###

FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000

Global policy:
  Service-policy: global_policy
    Class-map: skinny_map
      Match: access-list skinny_acl
        Access rule: permit tcp any any eq 2000
      Action:
        Input flow:  inspect skinny
FWSM(config-pmap-c)#

### Will not be inspected for skinny ###

FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000

Global policy:
  Service-policy: global_policy
FWSM(config-pmap-c)#



Regards,

~JG


Please rate if this helps!
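The fix above works because an ASA class-map that uses "match access-list" walks the ACL top-down and stops at the first matching entry: a "permit" puts the flow in the class (and so under "inspect skinny"), a "deny" explicitly keeps it out, and a flow that matches nothing is simply not in the class. The following Python script is an added example written for this thread, not Cisco code or anything posted above; it models that first-match classification for the ACE shapes used in the posted ACL (any / host A / A MASK, protocols ip, tcp, udp, optional "eq PORT" on the destination) and shows why the two deny lines must come before the permit. The sample flows are constructed; the 172.16.x.x addresses are the ones from the "show service-policy flow" output in the reply.

```python
"""Added example: model of how an ASA class-map 'match access-list' decides
whether a flow lands in a class.  The ACL is walked top-down and the first
matching entry wins: 'permit' puts the flow in the class (so it gets the
class's 'inspect skinny'), 'deny' explicitly excludes it, and a flow that
matches nothing is not in the class.  Simplified model for this thread,
not Cisco code; it handles only the ACE shapes used in the posted ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs write subnets as 'address mask', e.g. 10.1.0.0 255.255.0.0
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"only 'eq PORT' is modelled: {line!r}")
        dport = int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """True if the flow's first packet would hit this ACE."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.IPv4Address(flow.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(flow.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == flow.dport


def classify(acl: List[Ace], flow: Flow) -> Optional[str]:
    """First-match walk: 'permit' (in class), 'deny' (excluded) or None (no match)."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return None


def inspected_for_skinny(acl: List[Ace], flow: Flow) -> bool:
    """Only a 'permit' match puts the flow under 'class skinny_map' / 'inspect skinny'."""
    return classify(acl, flow) == "permit"


# The ACL exactly as posted in the reply: deny entries first, then permit.
SKINNY_ACL = [parse_ace(l) for l in """
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
""".strip().splitlines()]

# Same three entries with the permit moved first: the denies are never
# reached, so the ACS replication flow is inspected (and broken) again.
WRONG_ORDER_ACL = [SKINNY_ACL[2], SKINNY_ACL[0], SKINNY_ACL[1]]

# Constructed sample flows: ACS replication in both directions, a phone's
# SCCP flow (addresses from the 'show service-policy flow' output), other traffic.
ACS_REPL = Flow("tcp", "10.1.2.3", "10.4.5.6", 2000)
ACS_REPL_REV = Flow("tcp", "10.4.5.6", "10.1.2.3", 2000)
PHONE = Flow("tcp", "172.16.1.2", "172.16.5.6", 2000)
OTHER = Flow("tcp", "192.0.2.10", "192.0.2.20", 443)

if __name__ == "__main__":
    for name, acl in (("posted order", SKINNY_ACL), ("permit first", WRONG_ORDER_ACL)):
        print(f"--- {name} ---")
        for label, flow in (("ACS repl", ACS_REPL), ("ACS repl (reverse)", ACS_REPL_REV),
                            ("phone SCCP", PHONE), ("other", OTHER)):
            print(f"{label:20s} match={classify(acl, flow)!s:6s} "
                  f"inspect skinny={inspected_for_skinny(acl, flow)}")
```

Running it prints, for the posted ACL, "deny" for both replication directions and "permit" for the phone flow; with the permit moved to the top the replication flow becomes "permit" as well, which is exactly the failure the original question describes. On the real firewall the same check is "show service-policy flow" as in the reply, or "packet-tracer" on ASA.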
