ACE: WebDAV Traffic dropped by inspection

Answered Question
Jan 14th, 2008

I terminate HTTP and HTTPS on the ACE. Within the L4 multi-match policy there is a class for inspection purposes.


The class itself filters on


port misuse p2p

port misuse im

port misuse tunnel


The action for a valid match is reset.


Somehow WebDAV traffic gets matched by any of the above criteria.


The only chance I have to enable WebDAV is to disable/remove the inspection from the multi-match policy.


Is this a "works as designed", "possible bug" or "bad configuration" issue?


Thanks for reading.


Roble

Overall Rating: 5 (1 ratings)
Gilles Dufour Mon, 01/14/2008 - 07:49
User Badges:
  • Cisco Employee,

We can't really say it was designed like this.

Now, it could be that WebDAV behavior is similar to any of the protocols in the list.

Do you know if the problem is for any of the protocols listed or one in particular? Did you try just one of them in your match statement?

Also, do you have a trace when this occurs so we can look at the WebDAV request?


Thanks,


Gilles.

Roble Mumin Mon, 01/14/2008 - 08:12

Hey Gilles...


The funny thing is that any of the single statements causes a match.


When the class map is filled with only one "qualifier", e.g. port-misuse p2p, the inspection engine drops the packet. I tried it with every single statement. Even when the class map is empty it will drop the WebDAV packets.


I was thinking about possibly whitelisting the WebDAV traffic and using the port-misuse statements as a blacklist approach.


Currently I am not yet sure how to identify WebDAV traffic within a class map.


I sniffed the connection and the only thing I see is a "regular" RST packet after the WebDAV method "PROPFIND".


That is all I could find out so far. In my opinion this could be another bug, because I see no reason to mark WebDAV traffic as malicious content.


But I would also face a "what the heck have you configured there" statement as long as it helps. :)


Roble

Gilles Dufour Mon, 01/14/2008 - 08:57
User Badges:
  • Cisco Employee,

OK.

I can see the same behavior in my lab.

I will investigate.


Gilles.

Roble Mumin Tue, 01/15/2008 - 01:15

Great to hear you could reproduce that behavior. So I will probably end up with a TAC call and a DevImage fixing this.


Roble

Correct Answer
Gilles Dufour Tue, 01/15/2008 - 03:09
User Badges:
  • Cisco Employee,

Roble,


After some digging in the code and a discussion with the person in charge of this feature, it appears that WebDAV is not supported by HTTP inspect. The HTTP method PROPFIND is rejected by HTTP inspect.

This is not considered a bug.

But I believe we might add it with a feature request.


Gilles.
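
Added example (not part of the thread, and not Cisco code): a small Python audit that sorts captured HTTP request lines into RFC 2616 base methods and RFC 4918 WebDAV methods, to show which requests on a virtual server would be affected before inspection is enabled. It assumes the inspection engine accepts only the base methods; the thread itself confirms only that PROPFIND is rejected, and the sample request lines are constructed.

```python
import re
from collections import Counter

# Methods defined by HTTP/1.1 (RFC 2616) and the extension methods WebDAV adds (RFC 4918).
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# METHOD SP request-target SP HTTP/1.0 or HTTP/1.1
REQUEST_LINE = re.compile(r"^([A-Z][A-Z-]*) (\S+) HTTP/1\.[01]$")

def classify(request_line):
    """Return (method, verdict) for one HTTP request line."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return (None, "malformed")
    method = m.group(1)
    if method in RFC2616_METHODS:
        return (method, "base")
    if method in WEBDAV_METHODS:
        return (method, "webdav")
    return (method, "unknown")

def audit(request_lines):
    """Count requests per verdict and list the distinct non-base methods seen."""
    verdicts = Counter()
    at_risk = set()
    for line in request_lines:
        method, verdict = classify(line)
        verdicts[verdict] += 1
        # Assumption: anything outside the base set is what a strict inspector resets.
        if verdict in ("webdav", "unknown"):
            at_risk.add(method)
    return dict(verdicts), sorted(at_risk)

# Constructed sample: request lines as they might be extracted from a capture.
SAMPLE = [
    "OPTIONS /share/ HTTP/1.1",
    "PROPFIND /share/ HTTP/1.1",
    "GET /share/report.doc HTTP/1.1",
    "LOCK /share/report.doc HTTP/1.1",
    "PUT /share/report.doc HTTP/1.1",
    "UNLOCK /share/report.doc HTTP/1.1",
    "not an http request",
]

if __name__ == "__main__":
    counts, methods = audit(SAMPLE)
    print(counts, methods)
```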

Roble Mumin Tue, 01/15/2008 - 04:02

The way to go from here is a TAC call with a feature request? Or is there another approach I should take?


Anyhow thanks for clearing up the issue.


Roble
