Internet Explorer - ASA 5520

Unanswered Question
Mar 1st, 2009
User Badges:

Hi,


I have a trick case with a ASA 5520 and a intranet in Internet Explorer. There is a picture, flash and document manager and the trafic get blocked when using IE, but not in Firefox. The intranet is using port 80. Anyone else seen something like this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Farrukh Haroon Sun, 03/01/2009 - 23:20
User Badges:
  • Red, 2250 points or more

Most probably the issue is not with the firewall (ASA) and the real issue lies in the browser settings.


Regards


Farrukh

Arild Amundsen Sun, 03/01/2009 - 23:29
User Badges:

Hi,


Thanks for your quick replay.

I tought so to but the intranet is funktion quite well outside the network ex. from my home net. And i get an Access Denied in the ASA logg on traffic to the intranet when i use IE inside my net, but strangely not in Firefox.

Farrukh Haroon Sun, 03/01/2009 - 23:46
User Badges:
  • Red, 2250 points or more

Please give more details about the topology, configuration/inspections enabled on the ASA.


Regards


Farrukh

Arild Amundsen Mon, 03/02/2009 - 00:04
User Badges:

Http inspection has default settings.


Her are the message i get in tha ASA logg when using IE.


Deny TCP (no connection) from x.x.x.x/2997 to x.x.x.x/80 flags ACK on interface Innside


Deny TCP (no connection) from x.x.x.x/2997 to x.x.x.x/80 flags FIN ACK on interface Innside


Teardown TCP connection 197682186 for Internett:x.x.x.x/80 to Innside:x.x.x.x/2997 duration 0:00:28 bytes 304213 Flow closed by inspection


Access denied URL SRC x.x.x.x DEST x.x.x.x on interface Innside


This is regular http traffic and it is working in Firefox from the same pc and settings.

Farrukh Haroon Mon, 03/02/2009 - 00:22
User Badges:
  • Red, 2250 points or more

The logs seem to come from the Internet and not the Intranet?


Regards


Farrukh

Arild Amundsen Mon, 03/02/2009 - 00:35
User Badges:

This message comes from the webserver hosting the intranet.


Teardown TCP connection 197682186 for Internett:x.x.x.x/80 to Innside:x.x.x.x/2997 duration 0:00:28 bytes 304213 Flow closed by inspection


I can't understand why inspection is closing the connection when IE is used, but works in FF. Maybe it is something in the way browser handlling the site and is there anything we can set in ASA to prevent/allow this?

Farrukh Haroon Mon, 03/02/2009 - 01:07
User Badges:
  • Red, 2250 points or more

I'm still not clear with your topology.

On which zone is your web server? "Internett" zone? From where are you testing ? LAN = "Innside"?


Which version of ASA are you running?


What do you have under IE:


IE >> Tools >> Advanced >> HTTP 1.1 Settings


Regards


farrukh

Arild Amundsen Mon, 03/02/2009 - 01:27
User Badges:

The webserver are not in "my net". We are delivering applications via Citrix to our users. I am testing this from my inside, with the same setting the users have.

So the traffic are like this:

Terminal Server -> ASA -> Internet -> Webserver


ASA version: ASA 5520 with image asa721-k8

And we are using http 1.1 settings

Farrukh Haroon Mon, 03/02/2009 - 01:52
User Badges:
  • Red, 2250 points or more

Can you try permitting this 'return' traffic or disabling the HTTP inspection to test this out?

Arild Amundsen Mon, 03/02/2009 - 04:38
User Badges:

Hi again,


I am not very experienced with ASA, so how would turning of http inspection affect the rest of the traffic?

Arild Amundsen Tue, 03/03/2009 - 05:24
User Badges:

Hi,


Have tried the suggested solutions, but still same errors in the asa log. I have tried with a new asa 5505 with default settings and there it is working, the only differens is that it is a newer image on the 5505 (7.2(2))


Best Regards

Farrukh Haroon Tue, 03/03/2009 - 05:31
User Badges:
  • Red, 2250 points or more

Can you post the output of the following command from both boxes:


show run all policy-map

show run service-policy


Then on the troublesome box,


clear asp drop

immediately test the problematic server connection via IE, then paste output of

show asp drop


Regards

Farrukh


Farrukh Haroon Tue, 03/03/2009 - 21:50
User Badges:
  • Red, 2250 points or more

Please add the following command on the 5520 box:



policy-map global_policy

class inspection_default

inspect http


Also can you do the clear asp drop and show asp drop a little quicker? :). It seems a lot of other traffic also came about (I know this might not be possible on a busy production box).


Regards


Farrukh

Arild Amundsen Tue, 03/03/2009 - 23:03
User Badges:

Hi,


I have tried to add inspect http, but with the same result. I will try to do a clear asp drop on nighttime, with less traffic:-)


regards

Farrukh Haroon Sat, 03/07/2009 - 05:45
User Badges:
  • Red, 2250 points or more

Any updates on this issue? I would capture both IE/Firefox traffic using a packet sniffer and compare the two. You can also use the capture command on the ASA with the asp-drop keyword


Regards


Farrukh

Arild Amundsen Mon, 03/09/2009 - 00:42
User Badges:

Hi,


I have not found the time for testing, but it seems like FF is requesting on port 3840 and IE on port 3807. But lately we have had some websites turning up "white" with the status line showing "Done". Wondering if this is the same issue.


Regards

Farrukh Haroon Mon, 03/09/2009 - 00:33
User Badges:
  • Red, 2250 points or more

The port number should not make a difference


Regards


Farrukh

Arild Amundsen Mon, 03/09/2009 - 00:55
User Badges:

Hi again,


No, i know, but it is the only difference i see. Another possibilty is the way the browser acctually "reads" the different webpages.

Farrukh Haroon Mon, 03/09/2009 - 02:10
User Badges:
  • Red, 2250 points or more

Did you try permitting the traffic in both directions? (assuming the firewall to be a stateless pakcet filter e.g. ACL)


Regards


Farrukh

Arild Amundsen Mon, 03/09/2009 - 02:34
User Badges:

Hi,


Yes, i tried that, we see on another websites that turns up "white" that the ASA logs an Acess Denied with Flow Closed By Inspection message the first time, when they press F5 the webpages come up the way they should. Strange. It seems that something in this traffic from IE is not the way it should be. Also, Wireshark logs Bad Checksum on this traffic. FF is working from the same computer to the same site seconds after.


Regards

Farrukh Haroon Mon, 03/09/2009 - 03:39
User Badges:
  • Red, 2250 points or more

Double check for any MTU/speed/duplex issues. Specially on the server's interface connected to the switch.


Regards


Farrukh

Arild Amundsen Mon, 03/09/2009 - 04:02
User Badges:

Hi,


Found a solution, If i enable a expect rule in filter properties that say to truncate url for the spesific web server it works in both browsers. But, can you tell me the issues about truncat long urls?


Regards

Arild Amundsen Mon, 03/09/2009 - 23:36
User Badges:

Hi,


We are using a filterign server. Serveral of my cases with IE browsing trouble was solved when i made an exception for the trouble webservers (pages).


But, what is the security issues with url-truncate?


Thank you very much for your help so far.


Regards

Farrukh Haroon Mon, 03/09/2009 - 23:47
User Badges:
  • Red, 2250 points or more

As I said earlier, I doubt the URL-truncation is causing the problem. The longurl-deny argument is the one really used to control the security (because some very long URLs can embed scripts etc.)


"The longurl-truncate option causes the security appliance to send only the host name or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted."

Arild Amundsen Mon, 03/09/2009 - 23:57
User Badges:

Hi again,


Yes, i know that, but wy is the sites working when i make the exception to the spesific web server?


This forum link describe the problem, only that i do not have a standby unit.


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.1ddfd1f0/0#selected_message

Farrukh Haroon Tue, 03/10/2009 - 00:04
User Badges:
  • Red, 2250 points or more

It could be due to the filtering software not being able to understand the long URL and therefore not makring the right policy decision.


The standby difference does not matter, and your problem should be exactly the same.


Regards


Farrukh

Actions

This Discussion