01-14-2008 06:11 AM
I terminate HTTP and HTTPS on the ACE. Within the L4 multi-match policy there is a class for inspection purposes.
The class itself filters on
port misuse p2p
port misuse im
port misuse tunnel
The action for a valid match is reset.
Somehow WebDAV traffic gets matched by any of the above criteria.
The only chance I have to enable WebDAV is to disable/remove the inspection from the multi-match policy.
Is this a "works as designed", "possible bug" or "bad configuration" issue?
Thanks for reading.
Roble
01-14-2008 07:49 AM
We can't really say it was designed like this.
Now, it could be that WebDAV behavior is similar to any of the protocols in the list.
Do you know if the problem is for any of the protocols listed or one in particular? Did you try just one of them in your match statement?
Also, do you have a trace when this occurs so we can look at the WebDAV request?
Thanks,
Gilles.
01-14-2008 08:12 AM
Hey Gilles...
The funny thing is any of the single statements causes a match.
When the class map is filled with only one "qualifier", e.g. port-misuse p2p, the inspection engine drops the packet. I tried it with every single statement. Even when the class map is empty it will drop the WebDAV packets.
I was thinking about possibly whitelisting the WebDAV traffic and using the port-misuse statements as a blacklist approach.
Currently I am not yet sure how to identify WebDAV traffic within a class map.
I sniffed the connection and the only thing I see is a "regular" RST packet after the WebDAV method "PROPFIND".
That is all I could find out so far. In my opinion this could be another bug, because I see no reason to mark WebDAV traffic as malicious content.
But I would also face a "what the heck have you configured there" statement as long as it helps. :)
Roble
01-14-2008 08:57 AM
OK.
I can see the same behavior in my lab.
I will investigate.
Gilles.
01-15-2008 01:15 AM
Great to hear you could reproduce that behavior. So I probably end up with a TAC-Call and a DevImage fixing this.
Roble
01-15-2008 03:09 AM
Roble,
After some digging in the code and a discussion with the person in charge of this feature, it appears that WebDAV is not supported by HTTP inspect. The HTTP method PROPFIND is rejected by HTTP inspect.
This is not considered a bug.
But I believe we might add it with a feature request.
Gilles.
01-15-2008 04:02 AM
The way to go from here is a TAC-Call with a feature request? Or is there another approach I should take?
Anyhow thanks for clearing up the issue.
Roble
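
A pre-deployment check related to the finding in this thread, as an added example that is not part of the original posts and not Cisco code: it scans a web server access log for request methods outside the HTTP/1.1 base set, which is where WebDAV's PROPFIND falls. It assumes the inspection engine accepts only the RFC 2616 methods (the thread confirms only that PROPFIND is rejected) and Common Log Format input; the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Methods defined by HTTP/1.1 (RFC 2616). Assumption: these pass inspection.
BASE_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
# Methods added by WebDAV (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^\s"]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample input (documentation addresses, invented requests).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2008:06:01:00 +0100] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - alice [14/Jan/2008:06:02:10 +0100] "OPTIONS /dav/ HTTP/1.1" 200 0
192.0.2.11 - alice [14/Jan/2008:06:02:11 +0100] "PROPFIND /dav/ HTTP/1.1" 207 1840
192.0.2.11 - alice [14/Jan/2008:06:02:15 +0100] "LOCK /dav/report.doc HTTP/1.1" 200 420
192.0.2.11 - alice [14/Jan/2008:06:02:16 +0100] "PUT /dav/report.doc HTTP/1.1" 204 0
192.0.2.12 - - [14/Jan/2008:06:03:00 +0100] "FOO / HTTP/1.1" 501 0
not a log line
"""

def audit(log_text, allowed=BASE_METHODS):
    """Return (affected, unparsed): requests whose method is outside `allowed`."""
    affected, unparsed = [], 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            unparsed += 1          # count, do not silently drop, odd lines
            continue
        client, method, path, _status = m.groups()
        if method in allowed:      # HTTP methods are case-sensitive
            continue
        kind = "webdav" if method in WEBDAV_METHODS else "unknown"
        affected.append({"client": client, "method": method,
                         "path": path, "kind": kind})
    return affected, unparsed

def summarize(affected):
    """Count affected requests per (kind, method)."""
    return Counter((a["kind"], a["method"]) for a in affected)

if __name__ == "__main__":
    hits, skipped = audit(SAMPLE_LOG)
    for (kind, method), n in sorted(summarize(hits).items()):
        print(f"{kind:8} {method:10} {n}")
    print(f"unparsed lines: {skipped}")
```

Requests reported as `webdav` identify the clients and paths that would see resets once inspection is enabled in front of them.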