11-13-2007 01:33 PM - edited 03-05-2019 07:24 PM
Hi,
I have a new Cisco 871 router which I modeled after my original Cisco 831's. I have the HTTP application security turned on on the 871 router, and what is happening is that most Yahoo sites are not coming up. When going to http://www.yahoo.com or maps.yahoo.com it immediately comes up with page not found, but the mail.yahoo.com front page loads normally. This is also the case with www.webmd.com, www.weather.com and maybe even more (these are the 3 I know of so far). Logs show that the packets are being dropped but I am not sure why... See the logs and part of my configuration below.
Errors ------------------------
Warning Date Sig:15 HTTP Protocol violation detected - Reset - HTTP Protocol not detected from 10.10.11.186:1347 to 69.147.114.210:80
information Date Dropping tcp pkt My_IP:1338 => 69.147.120.31:80
Config ----------------------------
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH http java-list 51 urlfilter
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
appfw policy-name SDM_HIGH
 application im aol
  service default action reset alarm
  service text-chat action reset alarm
  server deny name login.oscar.aol.com
  server deny name toc.oscar.aol.com
  server deny name oam-d09a.blue.aol.com
  audit-trail on
 application im msn
  service default action reset alarm
  service text-chat action reset alarm
  server deny name messenger.hotmail.com
  server deny name gateway.messenger.hotmail.com
  server deny name webmessenger.msn.com
  audit-trail on
 application http
  strict-http action reset alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
 application im yahoo
  service default action reset alarm
  service text-chat action reset alarm
  server deny name scs.msg.yahoo.com
  server deny name scsa.msg.yahoo.com
  server deny name scsb.msg.yahoo.com
  server deny name scsc.msg.yahoo.com
  server deny name scsd.msg.yahoo.com
  server deny name cs16.msg.dcn.yahoo.com
  server deny name cs19.msg.dcn.yahoo.com
  server deny name cs42.msg.dcn.yahoo.com
  server deny name cs53.msg.dcn.yahoo.com
  server deny name cs54.msg.dcn.yahoo.com
  server deny name ads1.vip.scd.yahoo.com
  server deny name radio1.launch.vip.dal.yahoo.com
  server deny name in1.msg.vip.re2.yahoo.com
  server deny name data1.my.vip.sc5.yahoo.com
  server deny name address1.pim.vip.mud.yahoo.com
  server deny name edit.messenger.yahoo.com
  server deny name messenger.yahoo.com
  server deny name http.pager.yahoo.com
  server deny name privacy.yahoo.com
  server deny name csa.yahoo.com
  server deny name csb.yahoo.com
  server deny name csc.yahoo.com
  audit-trail on
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address My_IP_Address 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
Can anyone tell me what I am doing wrong here?
Thanks,
Mandeep
11-14-2007 08:49 AM
Is there anyone who knows what is happening? This issue is happening on other sites as well like webmd.com and weather.com for example. And every time this happens errors similar to the ones listed below are being logged.
Errors ------------------------
Warning Date Sig:15 HTTP Protocol violation detected - Reset - HTTP Protocol not detected from 10.10.11.186:1347 to 69.147.114.210:80
information Date Dropping tcp pkt My_IP:1338 => 69.147.120.31:80
Thanks
02-24-2008 04:42 PM
I wonder if you have solved the problem or not.
I have the same problem with router 1811. I assume the ip inspection rule has blocked the traffic. My ip inspection rule SDM_HIGH was created while setting up firewalls using SDM.
I tried to remove the rule from the outgoing interface and tried to connect to Yahoo again; it failed. I removed the ACL assigned to the incoming interface, then I got through.
But if I remove the ACL and leave the inspect-rule alone, it won't work either.
I won't remove both of them and leave my network unprotected.
How is your case going?
Lydia
02-24-2008 04:51 PM
I did it!
After I posted the msg above, I tried to modify the inspection rule.
I removed the strict-http from appfw SDM_HIGH.
And it worked straight away.
Cheers.
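An added example, not part of any post in this thread: a small Python triage script for router logs of the shape quoted above. It tallies which servers and inside clients each appfw signature (here Sig:15, the strict-http check) is resetting, and lists "Dropping ... pkt" destinations that no appfw alarm accounts for. The sample log is constructed, and all function names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample in the shape quoted in the thread ("Date" is the thread's
# placeholder; 192.0.2.10 stands in for the redacted My_IP; lines 3-4 are invented).
SAMPLE_LOG = """\
Warning Date Sig:15 HTTP Protocol violation detected - Reset - HTTP Protocol not detected from 10.10.11.186:1347 to 69.147.114.210:80
information Date Dropping tcp pkt 192.0.2.10:1338 => 69.147.120.31:80
Warning Date Sig:15 HTTP Protocol violation detected - Reset - HTTP Protocol not detected from 10.10.11.186:1350 to 198.51.100.7:80
Warning Date Sig:15 HTTP Protocol violation detected - Reset - HTTP Protocol not detected from 10.10.11.20:2201 to 69.147.114.210:80
"""

def _ep(name):  # named IPv4:port pair, e.g. src_ip / src_port
    return rf"(?P<{name}_ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}):(?P<{name}_port>\d{{1,5}})"

APPFW_RE = re.compile(
    r"Sig:(?P<sig>\d+)\s+(?P<msg>.+?)\s+-\s+(?P<action>\w+)\s+-\s+(?P<detail>.+?)\s+"
    rf"from\s+{_ep('src')}\s+to\s+{_ep('dst')}")
DROP_RE = re.compile(rf"Dropping\s+(?P<proto>\w+)\s+pkt\s+{_ep('src')}\s+=>\s+{_ep('dst')}")

def parse(log_text):
    """Split a log into appfw signature alarms and 'Dropping ... pkt' lines."""
    alarms, drops = [], []
    for line in log_text.splitlines():
        for regex, bucket in ((APPFW_RE, alarms), (DROP_RE, drops)):
            if (m := regex.search(line)):
                bucket.append(m.groupdict())
                break
    return alarms, drops

def summarize(alarms):
    """Per signature: hit count, distinct servers, distinct inside clients."""
    acc = defaultdict(lambda: {"hits": 0, "servers": set(), "clients": set()})
    for a in alarms:
        s = acc[int(a["sig"])]
        s["hits"] += 1
        s["servers"].add(f'{a["dst_ip"]}:{a["dst_port"]}')
        s["clients"].add(a["src_ip"])
    return {k: {"hits": v["hits"], "servers": sorted(v["servers"]),
                "clients": sorted(v["clients"])} for k, v in acc.items()}

def drops_without_alarm(alarms, drops):
    """Drop destinations that no appfw alarm names; check ACLs or other rules."""
    alarmed = {(a["dst_ip"], a["dst_port"]) for a in alarms}
    return sorted({f'{d["dst_ip"]}:{d["dst_port"]}' for d in drops
                   if (d["dst_ip"], d["dst_port"]) not in alarmed})

if __name__ == "__main__":
    alarms, drops = parse(SAMPLE_LOG)
    print(summarize(alarms), drops_without_alarm(alarms, drops))
```

On IOS the appfw `strict-http` action can also be set to `allow alarm` instead of `reset alarm`, which keeps the Sig:15 log line without resetting the session, so a tally like this can be collected before deciding whether to remove the check.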