ASA5520 itunes store download problems

Hi all,


I have been having some strange issues with our ASA5520 with CSC10 module when our managing director tries to download music from the iTunes store to his iPod.


We have two ASA5520s at different locations, one with a CSC10 module, the other with an AIP10.


The ASA5520 with the AIP10 module has a similar basic configuration (NAT, VPN etc., nothing strange); the ASA5520 with the CSC10 is again a straightforward configuration with NAT, VPN etc.


The ASA5520 with the AIP10 has no issues with iTunes downloads through the firewall.


The ASA5520 with the CSC10 has downloaded on the odd occasion, but has problems. I have tried everything, from initially thinking it was a filtering option within the Trend Micro CSC setup, to excluding the module, which made no difference.


Then I noticed in the logs that there were some deny statements for the iTunes download requests, as follows:


6 Feb 03 2010 12:48:56 302013 81.23.243.136 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:81.23.243.136/80 (81.23.243.136/80) to INSIDE:192.168.250.2/2641 (xxx.xxx.xxx.xxx/6725)
6 Feb 03 2010 12:48:56 305011 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725
5 Feb 03 2010 12:48:56 304001     192.168.250.2 Accessed URL 81.23.243.136:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
6 Feb 03 2010 12:49:26 305012 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725 duration 0:00:30
6 Feb 03 2010 12:49:25 106015 81.23.243.136 80 xxx.xxx.xxx.xxx 6725 Deny TCP (no connection) from 81.23.243.136/80 to xxx.xxx.xxx.xxx/6725 flags ACK  on interface OUTSIDE
6 Feb 03 2010 12:49:25 302014 81.23.243.136 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:81.23.243.136/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I


It would appear from the logs that iTunes attempts to build a connection back through the firewall, but I have also seen deny statements from lots of different IP addresses related to iTunes, all at the same time.


Any ideas what I am missing? It has thrown me a curve: I have one ASA firewall working fine with no special config, and one that does not. I can't get my head round it.


Regards Flymo

Kureli Sankar (Cisco Employee) Thu, 02/04/2010 - 09:13

Do you have any other device on the inside, like Websense or another content-scanning device? The Reset-I indicates that the connection was reset from the higher-security interface, after which packets arriving from the internet website are dropped with the "Deny TCP (no connection)" message, which makes perfect sense.


-KS

Kureli Sankar (Cisco Employee) Thu, 02/04/2010 - 09:41

The resets are coming from the inside.

6 Feb 03 2010 12:49:25 302014 81.23.243.136 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:81.23.243.136/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I


Only captures on the inside interface, or a Wireshark capture on the client 192.168.250.2, will prove which MAC address is sending the reset packets.


You have eliminated the CSC module correct? How did you do that? Did you remove the "CSC fail-open" line from the class?


-KS
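The log lines in the original post and the reading of them in the two replies above (a "TCP Reset-I" teardown means the RST came from the inside, and the later "Deny TCP (no connection)" messages are the server still sending into a connection slot the ASA has already torn down) can be checked mechanically. The following is an added example, not code or output from either poster: it parses ASDM-style export lines of the kind quoted above, correlates each Built/Teardown pair by connection ID, attaches the Accessed URL event for the same client, and counts stray server packets against the translated port. The sample log is constructed from the thread's lines, with the poster's redacted outside address (xxx.xxx.xxx.xxx) replaced by the RFC 5737 documentation address 203.0.113.10 so that the lines parse.

```python
"""Correlate ASA connection logs to show which side reset a TCP session.

Added example (not from the thread). ASA teardown reasons: "TCP Reset-I" is a
reset from the inside (higher-security) interface, "TCP Reset-O" one from the
outside. A server that keeps sending after an inside reset shows up as message
106015 "Deny TCP (no connection)" against the translated (xlate) port.
"""
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the thread. The redacted
# outside address is replaced by the documentation address 203.0.113.10.
SAMPLE_LOG = """\
6 Feb 03 2010 12:48:56 302013 81.23.243.136 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:81.23.243.136/80 (81.23.243.136/80) to INSIDE:192.168.250.2/2641 (203.0.113.10/6725)
6 Feb 03 2010 12:48:56 305011 192.168.250.2 2641 203.0.113.10 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:203.0.113.10/6725
5 Feb 03 2010 12:48:56 304001     192.168.250.2 Accessed URL 81.23.243.136:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
6 Feb 03 2010 12:49:26 305012 192.168.250.2 2641 203.0.113.10 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:203.0.113.10/6725 duration 0:00:30
6 Feb 03 2010 12:49:25 106015 81.23.243.136 80 203.0.113.10 6725 Deny TCP (no connection) from 81.23.243.136/80 to 203.0.113.10/6725 flags ACK  on interface OUTSIDE
6 Feb 03 2010 12:49:25 302014 81.23.243.136 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:81.23.243.136/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
"""

# ASDM export layout: severity, "Mon DD YYYY HH:MM:SS", six-digit message ID, rest.
HEADER_RE = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\d{6})\s+(.*)$")
BUILT_RE = re.compile(
    r"Built outbound TCP connection (\d+) for [^\s:]+:(\S+)/(\d+) \(\S+\) "
    r"to [^\s:]+:(\S+)/(\d+) \((\S+)/(\d+)\)")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+) (.+)$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) flags (\S+)\s+on interface (\S+)")
URL_RE = re.compile(r"^(\S+) Accessed URL (\S+)")


def reset_side(reason):
    """Map an ASA teardown reason string to the side that sent the RST, if any."""
    if "Reset-I" in reason:
        return "inside"
    if "Reset-O" in reason:
        return "outside"
    return None


def analyze(log_text):
    """Return {conn_id: details}, with reset side and late server packets filled in."""
    conns = {}
    latest_conn_for_client = {}  # client IP -> most recently built connection ID
    for raw in log_text.splitlines():
        m = HEADER_RE.match(raw)
        if not m:
            continue
        _severity, stamp, msg_id, body = m.groups()
        when = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        if msg_id == "302013":  # Built outbound TCP connection (carries the xlate too,
            b = BUILT_RE.search(body)  # so the 305011/305012 xlate lines are not needed)
            if b:
                cid, srv, sport, cli, cport, xip, xport = b.groups()
                conns[cid] = {"built": when, "server": srv, "server_port": sport,
                              "client": cli, "client_port": cport,
                              "xlate_ip": xip, "xlate_port": xport, "url": None,
                              "bytes": None, "reason": None, "reset_side": None,
                              "late_denies": []}
                latest_conn_for_client[cli] = cid
        elif msg_id == "304001":  # Accessed URL: only the client IP is logged
            u = URL_RE.match(body)
            if u and u.group(1) in latest_conn_for_client:
                conns[latest_conn_for_client[u.group(1)]]["url"] = u.group(2)
        elif msg_id == "302014":  # Teardown TCP connection
            t = TEARDOWN_RE.search(body)
            if t and t.group(1) in conns:
                c = conns[t.group(1)]
                c["bytes"] = int(t.group(3))
                c["reason"] = t.group(4).strip()
                c["reset_side"] = reset_side(c["reason"])
        elif msg_id == "106015":  # Deny TCP (no connection): match on server -> xlate
            d = DENY_RE.search(body)
            if d:
                src, sport, dst, dport, flags, iface = d.groups()
                for c in conns.values():
                    if (c["server"], c["server_port"], c["xlate_ip"], c["xlate_port"]) == (src, sport, dst, dport):
                        c["late_denies"].append((when, flags, iface))
    return conns


def diagnose(conns):
    """One short verdict per connection, in build order."""
    verdicts = []
    for cid, c in conns.items():
        if c["reset_side"] == "inside" and c["late_denies"]:
            v = "inside-reset+late-server-packets"
        elif c["reset_side"] == "inside":
            v = "inside-reset"
        elif c["reset_side"] == "outside":
            v = "outside-reset"
        else:
            v = "no-reset"
        verdicts.append((cid, v))
    return verdicts


if __name__ == "__main__":
    conns = analyze(SAMPLE_LOG)
    for cid, verdict in diagnose(conns):
        c = conns[cid]
        print(f"conn {cid} {c['client']}:{c['client_port']} -> {c['server']}:{c['server_port']}"
              f" url={c['url']} bytes={c['bytes']} reason={c['reason']!r} verdict={verdict}")
```

A verdict of inside-reset+late-server-packets on a download that the user saw fail is exactly the situation Kureli Sankar describes: the RST was generated on the inside of the ASA (the client, or something inline on that side), so the inside-interface or client capture is the next step, not the outside one.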

Thanks again,


It appears that it is the CSC module that is causing the problem; although I did disable the various checking options individually, I had not removed the CSC module completely from the process.


Now I have removed the CSC module and the iTunes downloads work OK, so what could be causing the resets from the CSC module?


Paul

Kureli Sankar (Cisco Employee) Fri, 02/05/2010 - 06:57

You are welcome. I figured that the CSC module may not have been eliminated completely.

Now as to why the CSC blocks it, you would have to browse to the page and then look in the Trend GUI logs section to see why it blocks it.


You can also refer to this link:

http://reclassify.url.trendmicro.com/


and key in the iTunes link to see what it classifies it as, and check whether you are blocking that category in the URL filtering section.


-KS

Hi, sorry for the delay in replying. I thought we had a resolution to the issue by creating an access-list that prevents the scanning engine from scanning an IP address or range of addresses.


This has now stopped working, and I guess this is because Apple and iTunes use a myriad of servers for their downloads.


The CSC has all URL filtering options disabled, with just basic scanning enabled.


The CSC logs do not show anything relating to this; it is only the main ASA logs that show up the issue, as stated earlier.


If I disable the CSC module completely then I have no problem in accessing iTunes.


This must be a bug, or there must be a workaround other than IP addresses, because I cannot see how we can keep tracing IP addresses for Apple's hosting providers.


Any thoughts as to why the CSC is doing this?


Many thanks,


Paul
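On the ASA itself, the question Kureli Sankar raised earlier (the "csc fail-open" line in the class) and the per-address exclusion Paul describes both sit in the same place: the access-list behind the class-map that selects which flows are diverted to the CSC module. The fragment below is an added example of that structure, not configuration from either poster's device; the ACL, class-map and policy-map names are assumed, the inside subnet is the thread's 192.168.250.0/24, and 203.0.113.10 is a documentation placeholder standing in for one download server, which is exactly the kind of per-host entry Paul found he could not keep up with.

```cisco
! Flows matched by this ACL are diverted to the CSC module for scanning.
! Deny entries come first: a matching flow bypasses the module entirely.
! 203.0.113.10 is a placeholder for one download server (assumed value).
access-list csc_acl extended deny tcp 192.168.250.0 255.255.255.0 host 203.0.113.10 eq www
access-list csc_acl extended permit tcp 192.168.250.0 255.255.255.0 any eq www
!
class-map csc_class
 match access-list csc_acl
!
policy-map global_policy
 class csc_class
  ! fail-open: if the module is down or removed, matching traffic passes unscanned;
  ! fail-close would drop it instead.
  csc fail-open
!
service-policy global_policy global
```

Removing the `csc fail-open` line from the class (or the class itself) is what actually takes the module out of the data path, which is the test Kureli Sankar was asking for; disabling individual scanning features in the Trend GUI leaves the traffic still being diverted. `show service-policy` reports per class how much traffic is being sent to the module, so it is a quick way to confirm whether a given download is in scope before digging into the CSC logs.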

Yes, it appears that deferred scanning is the cause of the issue.


The problem became clearer after a complete reset and configuration of the ASA and CSC.


Prior to the reset, only certain downloads from Apple iTunes were being affected; we could download other files with no problem. Very strange.


I had initially believed that, because we had enabled the Plus Licence evaluation and tested its features but then did not renew the Plus licence and continued with the base licence, some hidden/old code in the Trend Micro CSC might be causing the issue.


But after the reset to factory defaults of the CSC module and the ASA, and a rebuild of the configuration with the latest software/updates etc., a new problem occurred which led to the fix.


After the rebuild, downloads from ANY site above 10 MB would time out, something that did not happen before, thus leading us to the deferred scanning configuration.


I guess the fact that certain downloads worked prior to the fix threw us a curve and led us away from believing that deferred scanning (not enabled by default) had any relation to the issue.
