09-27-2008 03:24 AM - edited 03-09-2019 09:34 PM
Hi everyone,
I've just installed an ASA5510 running 7.1(2) with a CSC-SSM-10 module running 6.2.1599.0.
It all appears to work ok (ftp/smtp run ok), but when I amend my policy-maps to redirect http traffic via the SSM module, web browsing becomes painfully slow, and this is with just myself using the network! If I take http out of my policy-map/access-list, then web browsing is normal speed.
Have any of you come across this at all before?
Any advice appreciated!
Thanks,
-Gordon
09-29-2008 05:17 AM
Hi Gordon,
When users initially connect to the Internet through the CSC SSM, the CSC SSM contacts the Trend Micro web server using an HTTP request to determine the URL category for URL filtering and blocking. The CSC SSM scans this HTTP request again, which results in two HTTP connections for one initial request.
This additional scan is unnecessary. HTTP performance improves when you prevent CSC SSM packets from being scanned unnecessarily.
You can significantly improve HTTP performance through the CSC SSM by configuring the adaptive security appliance to skip the scanning of management traffic. To improve HTTP performance, perform the following steps:
1) Determine the management IP:
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
------------Output Truncated--------------
Mgmt IP addr: 10.132.84.251 <<<<<<------- Management IP of CSC module
------------Output Truncated--------------
2) Exclude traffic from the management IP from being inspected by the CSC module:
Create class-maps which exclude the management IP of the CSC module from being inspected.
For example:
access-list csc-scan line 1 extended deny tcp host 10.132.84.251 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
class-map CSC-class
 match access-list csc-scan
policy-map CSC-policy
 class CSC-class
  csc fail-open
service-policy CSC-policy global
############
Do rate helpful posts.
Regards,
Sushil
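An added example, not part of the original reply and not Cisco tooling: a Python check that reads an ASA configuration and confirms the CSC SSM management address is denied ahead of the HTTP permit in the ACL feeding the `csc` class, and reports the configured failure mode. The function name, the report keys and the simplified ACE parsing (only `any` sources and `eq` port matches) are assumptions of this example.

```python
import re

# Constructed sample: the configuration lines posted in the reply above.
SAMPLE_CONFIG = """\
access-list csc-scan line 1 extended deny tcp host 10.132.84.251 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
class-map CSC-class
 match access-list csc-scan
policy-map CSC-policy
 class CSC-class
  csc fail-open
service-policy CSC-policy global
"""

ACE = re.compile(r"access-list (\S+) (?:line \d+ )?extended (permit|deny) tcp (.+)")

def audit_csc_redirect(config, mgmt_ip):
    """Per class with a csc action: is the SSM's own traffic excluded, and the failure mode."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    class_acl, csc_mode, cmap, pclass = {}, {}, None, None
    for words in (l.split() for l in lines):
        if words[0] == "class-map":
            cmap = words[1]
        elif words[:2] == ["match", "access-list"] and cmap:
            class_acl[cmap] = words[2]          # class-map -> ACL it matches on
        elif words[0] == "class":
            pclass = words[1]
        elif words[0] == "csc" and pclass:
            csc_mode[pclass] = words[1]         # fail-open or fail-close
    report = {}
    for cls, mode in csc_mode.items():
        excluded = False
        for m in filter(None, map(ACE.fullmatch, lines)):
            acl, action, rest = m.groups()
            if acl != class_acl.get(cls):
                continue
            if action == "deny" and rest == f"host {mgmt_ip} any":
                excluded = True                 # deny is reached before any HTTP permit
                break
            # Simplification: only 'any' sources and 'eq' port matches are understood.
            if action == "permit" and rest.startswith("any ") and (
                    " eq " not in rest or rest.endswith((" eq http", " eq www", " eq 80"))):
                break                           # SSM's HTTP lookups would be redirected here
        report[cls] = {"mgmt_excluded": excluded, "failure_mode": mode}
    return report

if __name__ == "__main__":
    print(audit_csc_redirect(SAMPLE_CONFIG, "10.132.84.251"))
```

With `csc fail-open` the ASA forwards matched traffic unscanned when the SSM is unavailable; `csc fail-close` blocks it instead.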
09-29-2008 06:00 AM
Hi,
Thanks for the feedback - I will give this a go when I get the chance.
Regards,
-Gordon