Problem with ASA and Blue Coat

Jul 25th, 2008

Hi,

We have an ASA 5520 in our network. A Blue Coat (SG 510) is connected behind the ASA for web filtering. The Blue Coat is configured as a transparent device.

The Blue Coat IP is 10.138.74.5.

Now the problem is that for the last one month I have been getting a high BW utilization issue. Whenever I have the Blue Coat connected, the BW utilization goes very high.

We have a 4 MB internet link and sometimes it chokes the entire BW. If I remove the Blue Coat, everything normalizes and works fine.

To resolve this issue I checked with the Blue Coat vendor, and after a long experiment they told me that the problem is with the ASA configuration.

In the Blue Coat logs we are getting lots of public IPs, where it should show internal IPs only.

I have checked my ASA access-list configuration and didn't find anything wrong. In my ASA I have an access-list configured for inbound access on the Outside interface only.

I have attached my ASA configuration and the Blue Coat logs.

Any kind of help would be appreciated.

Regards,

som



Correct Answer by dhananjoy chowdhury about 8 years 10 months ago

Hi, can you try configuring the Web Access Layer rules as per below:

1. Allow only your inside IP subnets to any destination
2. Deny any (source) any (destination)



dhananjoy chowdhury Sat, 07/26/2008 - 01:19

Hi Somenath,

I filtered the requests from the public IPs in the Blue Coat logs you have provided.

All these requests were of the following types:

TCP_MISS = The requested object was not in the cache.

TCP_NC_MISS = The object returned from the origin server was non-cacheable.

TCP_PARTIAL_MISS = The object is in the cache, but retrieval from the origin server is in progress.

TCP_ERR_MISS = An error occurred while retrieving the object from the origin server.

TCP_TUNNELED = The CONNECT method was used to tunnel this request (generally proxied HTTPS).

It is possible that the Blue Coat device is misconfigured, which is allowing connections like an open proxy.

If you are allowing incoming connections from the internet to the Blue Coat public IP, then you need to block it.

Please share your ASA config, which will help to analyse this better.
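The filtering step described in the reply above (pull out the requests whose client address is public and see which cache result codes they produced) and the two-rule policy proposed in the correct answer (allow only inside subnets to any destination, then deny any any) can both be checked against a log sample before the policy goes live. The following script is an added example and is not code from the thread or from Blue Coat. The log text is constructed: it imitates the ELFF style a ProxySG writes (a `#Fields:` directive followed by space-separated records) with a reduced set of columns, and the public client addresses are taken from documentation ranges. The inside subnets are an assumption (RFC 1918 space); substitute the site's real inside ranges.

```python
"""Count Blue Coat access-log requests from non-inside clients and apply the
proposed two-rule Web Access Layer policy to each record.

Added example, not code from the thread. SAMPLE_LOG is constructed in the
ELFF style (a "#Fields:" directive followed by space-separated records) with
a reduced field set; real ProxySG logs carry more columns, so the parser
reads field names from the directive instead of assuming positions.
"""
import ipaddress
from collections import Counter

# Assumed inside networks that rule 1 ("allow inside subnets to any
# destination") should match. The 10.138.74.0/24 range from the thread
# falls inside 10.0.0.0/8.
INSIDE_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log; public client addresses use documentation ranges.
SAMPLE_LOG = """\
#Software: SGOS
#Fields: date time c-ip sc-status s-action cs-method cs-host cs-uri-port sc-bytes
2008-07-25 10:01:02 10.138.74.21 200 TCP_MISS GET www.example.com 80 14220
2008-07-25 10:01:03 10.138.74.33 200 TCP_NC_MISS GET mail.example.net 80 5120
2008-07-25 10:01:05 203.0.113.7 200 TCP_TUNNELED CONNECT update.example.org 443 98212
2008-07-25 10:01:06 198.51.100.45 502 TCP_ERR_MISS GET www.example.com 80 0
2008-07-25 10:01:07 203.0.113.7 206 TCP_PARTIAL_MISS GET cdn.example.org 80 1048576
2008-07-25 10:01:09 10.138.74.5 200 TCP_HIT GET www.example.com 80 2048
"""


def parse_elff(text):
    """Parse ELFF text into dicts keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_inside(addr):
    """True when the client address belongs to one of the inside subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_SUBNETS)


def policy_decision(addr):
    """Rule 1: ALLOW inside subnets to any destination; rule 2: DENY any any."""
    return "ALLOW" if is_inside(addr) else "DENY"


def summarize(records):
    """Return (requests per client class, s-action tally for outside clients,
    bytes served to outside clients)."""
    per_class = Counter()
    outside_actions = Counter()
    outside_bytes = 0
    for rec in records:
        cls = "inside" if is_inside(rec["c-ip"]) else "outside"
        per_class[cls] += 1
        if cls == "outside":
            outside_actions[rec["s-action"]] += 1
            outside_bytes += int(rec["sc-bytes"])
    return per_class, outside_actions, outside_bytes


if __name__ == "__main__":
    recs = parse_elff(SAMPLE_LOG)
    per_class, outside_actions, outside_bytes = summarize(recs)
    print("requests by client class:", dict(per_class))
    print("cache results for outside clients:", dict(outside_actions))
    print("bytes served to outside clients:", outside_bytes)
    for rec in recs:
        print(rec["c-ip"], rec["s-action"], "->", policy_decision(rec["c-ip"]))
```

Run against a real access log, the byte total for outside clients is the number to compare with the link utilization the original post complains about, and the per-record decisions show exactly which requests the deny rule would cut off. The policy stops the proxy serving those clients; how a public-sourced request reaches a transparent proxy behind the ASA in the first place is the firewall-side question the thread leaves open.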





somnath21 Sat, 07/26/2008 - 02:26

Please find my ASA config attached.

Please help to resolve this issue.


Thanks,

som





dhananjoy chowdhury Sat, 07/26/2008 - 03:36

Sorry, I missed your statement above ("Blue Coat device is in transparent mode"), so the possibility of the Blue Coat device being an open proxy is ruled out.

Now I am still thinking about how the request from a public IP is reaching your Blue Coat device.



somnath21 Sun, 07/27/2008 - 20:56

Hi,


Sorry for the late reply!

For now I have removed that device from the network. Tonight I will do the configuration and let you know.


Regards,

som

somnath21 Tue, 08/05/2008 - 03:51

Hi,


Yes, I had done that one.

I had removed the entire policy configuration and given permission any any. It was working fine. After that I configured the visual policy freshly, and it is working fine.

Thanks a lot to you!!
