ACE: WebDAV Traffic dropped by inspection

Roble Mumin
Level 3

I terminate HTTP and HTTPS on the ACE. Within the L4 multi-match policy there is a class for inspection purposes.

The class itself filters on

port misuse p2p

port misuse im

port misuse tunnel

The action for a valid match is reset.

Somehow WebDAV traffic gets matched by any of the above criteria.

The only chance I have to enable WebDAV is to disable/remove the inspection from the multi-match policy.

Is this a "works as designed", "possible bug" or "bad configuration" issue?

Thanks for reading.

Roble

Gilles Dufour
Cisco Employee

We can't really say it was designed like this.

Now, it could be that WebDAV behavior is similar to any of the protocols in the list.

Do you know if the problem is for any of the protocols listed or one in particular? Did you try just one of them in your match statement?

Also, do you have a trace when this occurs so we can look at the WebDAV request?

Thanks,

Gilles.

Hey Gilles...

The funny thing is that any of the single statements causes a match.

When the class map is filled with only one "qualifier", e.g. port-misuse p2p, the inspection engine drops the packet. I tried it with every single statement. Even when the class map is empty it will drop the WebDAV packets.

I was thinking about possibly whitelisting the WebDAV traffic and using the port-misuse statements as a blacklist approach.

Currently I am not yet sure how to identify WebDAV traffic within a class map.

I sniffed the connection and the only thing I see is a "regular" RST packet after the WebDAV method "PROPFIND".

That is all I could find out so far. In my opinion this could be another bug, because I see no reason to mark WebDAV traffic as malicious content.

But I would also face a "what the heck have you configured there" statement as long as it helps. :)

Roble

OK.

I can see the same behavior in my lab.

I will investigate.

Gilles.

Great to hear you could reproduce that behavior. So I'll probably end up with a TAC call and a DevImage fixing this.

Roble

Roble,

After some digging in the code and a discussion with the person in charge of this feature, it appears that WebDAV is not supported by HTTP inspect. The HTTP method PROPFIND is rejected by HTTP inspect.

This is not considered a bug.

But I believe we might add it with a feature request.

Gilles.
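
As an added example (not code from this thread or from Cisco), the Python parser below inventories the request methods in a reassembled client-side HTTP stream from a trace, so WebDAV methods such as PROPFIND can be spotted before the traffic is placed behind HTTP inspection. The method sets follow RFC 2616 and RFC 4918; the sample stream, host name and function names are constructed for illustration.

```python
import re

# Methods defined by HTTP/1.1 (RFC 2616).
CORE = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
# Methods added by WebDAV (RFC 4918).
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
REQUEST_LINE = re.compile(rb"^([A-Za-z-]+) (\S+) HTTP/1\.[01]$")

def classify(method):
    """Label a method as 'core', 'webdav' or 'other' (exact, case-sensitive)."""
    return "core" if method in CORE else "webdav" if method in WEBDAV else "other"

def inventory(stream):
    """Return [(method, target, class)] for each request in a client byte stream.

    Bodies are skipped using Content-Length so the XML in a PROPFIND body is
    not mistaken for a request line. Chunked bodies are not handled.
    """
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block
        lines = stream[pos:end].split(b"\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            break  # lost sync; stop rather than guess
        length = 0
        for h in lines[1:]:
            name, _, value = h.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        method = m.group(1).decode("ascii")
        out.append((method, m.group(2).decode("ascii", "replace"), classify(method)))
        pos = end + 4 + length
    return out

# Constructed sample stream (not taken from the capture mentioned in the thread).
BODY = b'<?xml version="1.0"?><propfind xmlns="DAV:"><allprop/></propfind>'
SAMPLE = (
    b"OPTIONS /dav/ HTTP/1.1\r\nHost: dav.example.test\r\n\r\n"
    b"PROPFIND /dav/ HTTP/1.1\r\nHost: dav.example.test\r\nDepth: 1\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY +
    b"GET /dav/readme.txt HTTP/1.1\r\nHost: dav.example.test\r\n\r\n"
)

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(*row)
```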

Is the way to go from here a TAC call with a feature request? Or is there another approach I should take?

Anyhow thanks for clearing up the issue.

Roble
