Long URL not allowed by ASA

Unanswered Question
Feb 4th, 2010

Hi All,

I am trying to download a file, but I get redirected to a very long URL and I'm wondering if this could be the reason why the ASA is dropping the connection.

If I try to download the file without going through the ASA, it works fine.

The problem is that the URL is an HTTPS connection, and I don't seem to get an error: when I do a Packet Tracer the connection goes fine, but I cannot test the Packet Tracer connection up to the final URL. The same happens with the ASP drop; I don't see the message that tells me why the connection is being blocked.

There is so much traffic that I cannot filter the logs to see what's going on.

I tried a capture but since it's HTTPS I don't see any reason.

My question is:

Is it possible that since the URL is too big, the ASA might be blocking it?

I've tried incrementing the size of the DNS replies and the body of the HTTP inspection and that did not help.

Please let me know your comments or suggestions.

Thank you,

Federico.

Kureli Sankar Thu, 02/04/2010 - 10:20

Refer this link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Enable Filtering of Long URLs

By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159 characters. You can increase the maximum length allowed for a single URL with this command:

hostname(config)#url-block url-size long-url-size

Replace long-url-size with the maximum size in KB for each long URL to be buffered.

For example, these commands configure the security appliance for advanced URL filtering:

hostname(config)#url-block block 10
hostname(config)#url-block url-mempool 2
hostname(config)#url-cache dst 100
hostname(config)#url-block url-size 2


-KS

Federico Coto F... Thu, 02/04/2010 - 10:25

Thank you, but this option is only available when you have a URL server.

ASA(config)# url-block url-size 4
No url servers found!  Use "url-server" first.

We are not using a URL server like Websense, it's just an HTTPS connection going from the inside to the outside of the ASA.

Any suggestions?

Thank you!

Federico.

Kureli Sankar Thu, 02/04/2010 - 10:44

The symptom was so clearly a URL-filtering issue that I assumed you had Websense configured.

Anyway, back to the issue. Can't say much without captures on the client or ingress/egress captures on the ASA for this particular flow.

It may be a good idea to reduce the MTU on the outside interface and see if you can load this page.

-KS

Federico Coto F... Thu, 02/04/2010 - 13:54

Hi KS,

Totally agree with you, but in the meantime while I figure out how to get the right logs or captures, do you know if the fact of sending a very long URL could be stopped by the ASA?

I mean by the inspection http?

I will try to get the errors, but I'm wondering if part of the implicit http inspection of the ASA drops URLs that are too long?

Thank you.

Federico.

Kureli Sankar Thu, 02/04/2010 - 14:32

You mentioned this is https, right? Inspection wouldn't be able to read within the packet. Inspection would only watch port 80 and not 443.

-KS

Federico Coto F... Fri, 02/05/2010 - 10:15

Hi KS,

This is what I did:

Host: 172.16.10.34 (host attempting the https connection)

Host: 201.198.233.90 (translated IP for the inside host)

Server: 192.150.14.76 (Server hosting the URL)

The host resides on the inside interface and exits the ASA through the SHDSL interface.

#######################################################################

access-list https_out permit ip host 172.16.10.34 host 192.150.14.76
access-list https_out permit ip host 192.150.14.76 host 172.16.10.34
capture https_out access-list https_out packet-length 1512 interface inside

access-list https_in permit ip host 201.198.233.90 host 192.150.14.76
access-list https_in permit ip host 192.150.14.76 host 201.198.233.90
capture https_in access-list https_in packet-length 1512 interface SHDSL

#######################################################################

Then, I got the pcap files (attached to the thread).

I got these captures while host 172.16.10.34 was trying the https connection that fails through the ASA.

pcap1 = Capture on the inside interface

pcap2 = Capture on the SHDSL (outside) interface

Please let me know.

Sincerely,

Federico.

Kureli Sankar Fri, 02/05/2010 - 10:56

Ok I looked at two flows.

It appears that the inside host is looking for data from the server and waits for 60 seconds. Since it didn't hear from the server the inside client sends a reset which is relayed to the host on the outside.

The captures look exactly the same on the outside.

I am not sure why there is no data from the outside host for that long.

Try to log into other https sites like a banking site and see if https works through this firewall and only this particular site has the issue.

-KS
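
A way to check captures for exactly the pattern described above (a client that never gets payload back from the server and resets after a long wait), as an added example that is not part of this thread: it builds a tiny two-flow pcap in memory from constructed packets, using the host and server addresses quoted in the thread plus a placeholder 198.51.100.20 for a working site, parses the records with a minimal classic-pcap reader, and reports flows where the client sent the RST before the server ever sent data. To run it on the real pcap1/pcap2, pass the file bytes to analyse() instead of sample_capture().

```python
import struct
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample data throughout; the addresses are the ones quoted in the thread,
# except BANK, which is a placeholder from the RFC 5737 documentation range.
CLIENT, ADOBE, BANK = "172.16.10.34", "192.150.14.76", "198.51.100.20"

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10

Packet = namedtuple("Packet", "ts src sport dst dport flags payload_len")


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame (checksums left at zero; fine for offline parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames):
    """Serialize (timestamp, frame) pairs into a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield a Packet for every TCP-over-IPv4 Ethernet frame in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == PCAP_MAGIC else ">"
    off = 24                                     # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                       # IP protocol 6 = TCP
            continue
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, t)
        data_off = (frame[t + 12] >> 4) * 4
        yield Packet(sec + usec / 1_000_000, src, sport, dst, dport, frame[t + 13],
                     total_len - ihl - data_off)


def silent_server_flows(packets, min_wait=30.0):
    """Flows where the client sent a RST after at least min_wait seconds without ever
    receiving TCP payload from the server. Returns {(client, server): seconds_waited}."""
    flows = defaultdict(list)
    for p in packets:
        flows[tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))].append(p)
    found = {}
    for pkts in flows.values():
        pkts.sort(key=lambda p: p.ts)
        syn = next((p for p in pkts if p.flags & TCP_SYN and not p.flags & TCP_ACK), pkts[0])
        client, server = (syn.src, syn.sport), (syn.dst, syn.dport)
        server_bytes = sum(p.payload_len for p in pkts if (p.src, p.sport) == server)
        rst = next((p for p in pkts if p.flags & TCP_RST and (p.src, p.sport) == client), None)
        if server_bytes == 0 and rst is not None and rst.ts - syn.ts >= min_wait:
            found[(client, server)] = round(rst.ts - syn.ts, 3)
    return found


def sample_capture():
    """Constructed inside-interface capture: one hung HTTPS flow and one healthy one."""
    hello = b"\x16\x03\x01" + b"\x00" * 60      # stand-in for a TLS ClientHello record
    frames = [
        (0.000, build_frame(CLIENT, ADOBE, 5023, 443, TCP_SYN)),
        (0.040, build_frame(ADOBE, CLIENT, 443, 5023, TCP_SYN | TCP_ACK)),
        (0.041, build_frame(CLIENT, ADOBE, 5023, 443, TCP_ACK)),
        (0.042, build_frame(CLIENT, ADOBE, 5023, 443, TCP_PSH | TCP_ACK, hello)),
        (60.100, build_frame(CLIENT, ADOBE, 5023, 443, TCP_RST | TCP_ACK)),
        (1.000, build_frame(CLIENT, BANK, 5051, 443, TCP_SYN)),
        (1.050, build_frame(BANK, CLIENT, 443, 5051, TCP_SYN | TCP_ACK)),
        (1.051, build_frame(CLIENT, BANK, 5051, 443, TCP_PSH | TCP_ACK, hello)),
        (1.120, build_frame(BANK, CLIENT, 443, 5051, TCP_PSH | TCP_ACK, hello * 2)),
    ]
    return build_pcap(frames)


def analyse(pcap_bytes):
    return silent_server_flows(parse_pcap(pcap_bytes))
```

Running the same check on both the inside and the SHDSL capture tells you whether the server's data was absent at the outside interface as well (the server, or something upstream, never answered) or arrived there and was dropped inside the box, which is the distinction that decides where to look next.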

Federico Coto F... Fri, 02/05/2010 - 11:39

Hi KS,

Every other https site through the ASA seemed to work fine.

I am attaching both captures on a particular working https connection.

pcap3 = inside interface

pcap4 = SHDSL interface

So, I don't understand why the first https site does not work through the ASA since it works fine without going through the ASA!

Please let me know.

Regards,

Federico

Kureli Sankar Fri, 02/05/2010 - 12:02

Do you have the config from the old ASA?

sh run sysopt

compare that output from the old to the new.

Seems like this is adobe site.

You say that if you put a PC on the outside of this ASA, it loads fine. If so, can you try to translate the IP address of this one PC to the IP address that you used outside of the ASA (static NAT) and see if that would work?

Did you have anyconnect configured on the old ASA? This ASA does.

-KS

Federico Coto F... Fri, 02/05/2010 - 12:19

Hi KS,

There's nothing on the output of the command on the ASA:

ASA(config)# sh run sysopt
ASA(config)#

There are many internal machines that should be able to access this site, so I can't statically NAT them all.

I understand that I can do a STATIC NAT for the inside machine to the outside IP of the ASA to see if it works this way. My concern is that I have many VPN tunnels terminating on the ASA.

Is this going to stop the VPN traffic from working if I do a one-to-one STATIC NAT?

What do you suggest?

Thank you.

Federico.

Kureli Sankar Fri, 02/05/2010 - 12:30

Pls. do not do static nat for the inside host to the outside interface IP.

You should not do this. This will break traffic.

What I said was translate the IP address of this inside host to SOME OTHER IP address besides the one that it is using now just for testing purpose to see if it works since you are running anyconnect on the same IP address. Let me know the result.

If it works then we can translate all the inside hosts to look like this working address (a new nat/global). You have available IP addresses, right? You used one of those to test with a PC on the outside of the firewall, right? Use that IP.

-KS

Federico Coto F... Fri, 02/05/2010 - 13:00

Thank you KS,

I know this question is not related to the problem, but I'm trying to fix it....

Everybody gets PATed to the IP address of the interface on the ASA, like this:

nat (inside) 1 access-list NAT
access-list NAT permit ip 172.16.10.0 255.255.255.0 any
global (SHDSL) 1 interface

So, I did the following commands to let my PC (172.16.10.34) get translated to an available IP, like this:

nat (inside) 5 access-list NAT123
access-list NAT123 permit ip host 172.16.10.34 any
global (SHDSL) 5 201.198.233.91

But even though I clear the xlates, connections and local-hosts, I still get out using the IP 201.198.233.90 (which is the ASA's interface IP).

So, it seems to me, that even by adding the NAT rule to translate my own IP to a different one, it continues to translate to the ASA's interface IP.

I thought that since the ACL NAT123 is more specific than the ACL NAT, it would take precedence, but it does not. Is this because the first NAT has an ID of 1 and the one that I added has an ID of 5??? It's because I don't want to change the NAT 1 statement for everybody....

Thank you,

Federico.

Kureli Sankar Fri, 02/05/2010 - 13:07

Policy NAT: the first one that matches your source is the one it will take.

Pls. make this change

nat (inside) 5 172.16.10.34
global (SHDSL) 5 201.198.233.91

clear local 172.16.10.34

sh xlate debug | i 172.16.10.34

and it will take the new ip.

-KS

Federico Coto F... Fri, 02/05/2010 - 13:52

Look at the results:

ASA(config)# sh run nat

nat (inside) 1 access-list NAT
nat (inside) 5 172.16.10.34 255.255.255.255
ASA5510-FuSioNet(config)# sh run glob
global (SHDSL) 1 interface
global (SHDSL) 5 201.198.233.91
ASA(config)# sh access-l NAT
access-list NAT; 5 elements
access-list NAT line 1 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=0) 0xf77313a8
ASA(config)# sh xlate local 172.16.10.34
146 in use, 746 most used
PAT Global 201.198.233.90(49408) Local 172.16.10.34(5023)
PAT Global 201.198.233.90(63289) Local 172.16.10.34(5051)
PAT Global 201.198.233.90(34280) Local 172.16.10.34 ICMP id 1
ASA(config)# clear local 172.16.10.34
ASA(config)# sh xlate local 172.16.10.34
124 in use, 746 most used
PAT Global 201.198.233.90(48129) Local 172.16.10.34 ICMP id 1
ASA(config)#

The Policy NAT takes precedence over regular NAT (even if it is more specific).

I'm still getting out with the ASA's IP address.

I did a static NAT with the .91 address, and I do get translated to .91

static (inside,SHDSL) 201.198.233.91 172.16.10.34

Now, I'm getting translated to .91 but I attempt to get to the URL and I get the same problem. So it is not a problem with the IP, what could it be?

Thanks,

Federico.

Kureli Sankar Fri, 02/05/2010 - 15:47
NAT order of operation

    1) nat 0 access-list (nat-exempt)
    2) match against existing xlates
    3) static
       a) static nat with and without access-list (first match)
       b) static pat with and without access-list (first match)
    4) nat
       a) nat access-list (first match)
       Note: nat 0 access-list is not part of this command.
       b) nat (best match)
       Note:  When choosing a global address from multiple pools with
      

So, this explains why policy nat took precedence.

Now, all I can say is looking at captures your inside host doesn't hear back from the outside host for more than 60
seconds and so sends a reset.

You are probably seeing Reset-I in the syslogs indicating a reset coming from the higher security interface? correct?

Have you tried to reduce the MTU on the outside interface to see if you have any success?
What code was the old ASA running and what code is the new ASA running?
Old ASA was also using the same IP scheme?
It surely appears pretty interesting.

-KS
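
The precedence list above, as an added worked example that is not from this thread: a small Python model of that order of operations, run against the nat/global/static lines Federico posted. The rule representation (tuples and a dict) is a stand-in for the CLI, not an ASA config parser; with_static() adds the static line from the later post and with_exemption() adds a hypothetical nat 0 ACL to show step 1 winning. It reproduces what was observed: with only nat (inside) 5 172.16.10.34 the host still leaves as .90, because the nat 1 access-list policy NAT is evaluated before regular NAT, and the static entry then wins over both.

```python
import ipaddress

INTERFACE_IP = {"SHDSL": "201.198.233.90"}       # 'global (SHDSL) 1 interface' resolves to this


def _in(ip, network):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def _acl_matches(acl, src, dst):
    """First-match ACL evaluation; an ACE is (action, src_net, dst_net)."""
    for action, src_net, dst_net in acl:
        if _in(src, src_net) and _in(dst, dst_net):
            return action == "permit"
    return False


def choose_translation(cfg, src, dst, xlates=()):
    """Return (rule_that_won, mapped_address) for a new src->dst connection, following
    the order: nat 0 ACL, existing xlate, static, nat ACL (first match), nat (best match)."""
    # 1) nat 0 access-list: exempt from translation
    for acl in cfg.get("nat0", []):
        if _acl_matches(acl, src, dst):
            return ("nat 0 access-list", src)
    # 2) an existing xlate for this local host is reused
    for local, mapped in xlates:
        if local == src:
            return ("existing xlate", mapped)
    # 3) static (first match)
    for local, mapped in cfg.get("static", []):
        if local == src:
            return ("static", mapped)
    # 4a) nat <id> access-list: first policy-NAT rule whose ACL permits the flow
    for nat_id, acl in cfg.get("policy_nat", []):
        if _acl_matches(acl, src, dst):
            return ("nat %d access-list" % nat_id, cfg["global"][nat_id])
    # 4b) nat <id> <net> <mask>: regular NAT, best (longest-prefix) match
    best = None
    for nat_id, net in cfg.get("nat", []):
        n = ipaddress.ip_network(net, strict=False)
        if ipaddress.ip_address(src) in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (nat_id, n)
    if best is not None:
        return ("nat %d" % best[0], cfg["global"][best[0]])
    return ("no translation", src)


# Federico's configuration at the point where the host was still leaving as .90
CONFIG = {
    "nat0": [],
    "static": [],
    "policy_nat": [(1, [("permit", "172.16.10.0/24", "0.0.0.0/0")])],   # nat (inside) 1 access-list NAT
    "nat": [(5, "172.16.10.34/32")],                                     # nat (inside) 5 172.16.10.34 255.255.255.255
    "global": {1: INTERFACE_IP["SHDSL"], 5: "201.198.233.91"},          # global (SHDSL) 1 interface / 5 201.198.233.91
}


def with_static(cfg):
    """cfg plus 'static (inside,SHDSL) 201.198.233.91 172.16.10.34' from the later post."""
    out = dict(cfg)
    out["static"] = [("172.16.10.34", "201.198.233.91")]
    return out


def with_exemption(cfg):
    """cfg plus a hypothetical nat 0 ACL exempting the host toward the server."""
    out = dict(cfg)
    out["nat0"] = [[("permit", "172.16.10.34/32", "192.150.14.76/32")]]
    return out
```

The same model also shows why clearing the xlate did not help: step 2 only matters when an entry already exists, and once it is gone the lookup falls straight through to the policy NAT again.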
Federico Coto F... Mon, 02/08/2010 - 07:36

Hi KS,

I have a question. If I reduce the MTU on the outside interface will that drop all the connections?

ASA(config-if)# int e 0/0
ASA(config-if)# mtu outside ?

configure mode commands/options:
  <64-65535>  MTU bytes

I have a weird situation because this is what I did:

I came to my office where I also have an ASA 5510 running asa804-k8.bin and the same exact thing happens.

I mean, if I remove the ASA, I am able to download the file from the HTTPS site. If I put the ASA back in place, I get the same error.

So, there's definitely something in the ASA dropping this connection (and not on a single ASA, but on every ASA)....

If you can try it yourself... I want to give you the steps so that you can attempt to download this file either through the ASA and bypassing the ASA.

Can you do it if I give you the steps?

I just don't want to share them with you here, because they are secure credentials. How do I share them with you?

Thank you!

Federico.

Kureli Sankar Mon, 02/08/2010 - 07:44

No, it will not drop all connections. It will just start sending more, smaller packets, that is all.

Give that a shot. MTU outside 1400 (start at that) or you can do

sysopt connection tcpmss 1300

Do you have smartnet? If so, it will be easier to open a TAC case quickly online.

Let me know the case number.

-KS

Federico Coto F... Mon, 02/08/2010 - 08:44

Hi KS,

I identified the problem.

This is part of my configuration on the ASA:

#################################################################

regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

class-map inspection_default
match default-inspection-traffic


class-map type inspect http match-all block-url-class
match request uri regex blockex1
match request header host regex blockex2

policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log


policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect sip 
  inspect http block-url-policy

service-policy global_policy global

#################################################################

I have the above configuration because of a requirement to block the "Farmville" game on Facebook and it works great.

If I remove the http inspection:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect http block-url-policy

Then, I am able now to download the file through the ASA.

But, now everybody is able to access the "Farmville" game again....

So, how do I block the game and still allow access to the site? Or a better question would be.... how do I find out why the connection to this specific HTTPS site (then converted to HTTP somehow) is being denied by the ASAs?

Also, every time that I attempt to access the HTTPS site giving me problems, the violations on the HTTP inspection increment:

ASA(config)# sh service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http block-url-policy, packet 248276, drop 23, reset-drop 2
        protocol violations
          packet 11
        class block-url-class
          drop-connection log, packet 0

How do I determine the reason why the ASA is dropping packets to this site????

Thank you!

Federico.

Kureli Sankar Mon, 02/08/2010 - 09:56

Nice find. I did notice the http inside the https in the capture.

You can remove http inspection from the default class and then add a separate class that uses an ACL to match all http traffic, but just above the permit add a deny for the flow to this one particular website. I think that should do it, so you still get to block this farmville game on FB.

-KS

Federico Coto F... Mon, 02/08/2010 - 10:34

Thank you KS, but I need some help in doing that...

For example, this is the configuration that I currently have to block the farmville game:

#############################################################

regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

class-map inspection_default
match default-inspection-traffic

class-map type inspect http match-all block-url-class
match request uri regex blockex1
match request header host regex blockex2

policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log

policy-map global_policy
class inspection_default
  inspect http block-url-policy

service-policy global_policy global

#############################################################

So, I want to add the rule to NOT inspect http traffic to this site: https://licensing.adobe.com

This site resolves to IP 192.150.14.76

So, would the configuration that I should add look like this??

#############################################################

regex allow1 ".*adobe.*"

access-list user-acl extended deny tcp any host 192.150.14.76 eq www
access-list user-acl extended permit tcp any any eq www

class-map type inspect http match-all Allow-Sites
match access-list user-acl
match request header host regex allow1

#############################################################

How do I bind this new class to the global service policy?

service-policy global_policy global

My goal (as you mentioned), is to inspect http to all sites (except 192.150.14.76), while still having the rule for blocking the farmville game.

Thank you!!

Kureli Sankar Mon, 02/08/2010 - 11:01

conf t

policy-map global_policy
class inspection_default
no inspect http block-url-policy ----remove from default

exit

conf t

access-list allow-http extended deny tcp any host 192.150.14.76 eq www
access-list allow-http extended permit tcp any any

class-map ins-http
match access-list allow-http

policy-map global_policy

  class ins-http
   inspect http block-url-policy  ----re-add under a diff. class

-KS

Federico Coto F... Mon, 02/08/2010 - 12:08

Hi KS,

Thank you.

I did it, but the problem persisted; it is the correct solution, though.

It is because the final destination (where the file is downloaded from) is not the same IP as the original destination in the HTTP request (192.150.14.76).

I am going to have to find out that IP and do it like that then....

This would be the only way to accomplish this correct?

Thank you again,

Federico.

Kureli Sankar Mon, 02/08/2010 - 12:13

That would be correct.

You could also use this command to see if this flow will be inspected by http. You can also make that deny acl as ip instead of tcp and specifying the port 80.

sh service-policy flow tcp host x.x.x.x host 192.150.14.76 eq 80

-KS

Federico Coto F... Wed, 02/10/2010 - 09:34

Hi KS,

I want to thank you because your suggestions are very helpful. I've found the final IP address for the download, applied it to the ACL and it worked fine (no HTTP inspection to that IP).

I have another question though.

We have seen many sites now that are having problems through the ASA with the HTTP inspection enabled. All the sites work perfectly when disabling the HTTP inspection.

So my question is.... could it be that those HTTP sites are not compliant with the RFC for HTTP and are therefore being dropped by the ASA? But so many sites??? Seems weird to me.... How do I find out why a particular HTTP flow is being dropped by the ASA when it is being inspected?

Thank you very much again!

Federico.

Kureli Sankar Wed, 02/10/2010 - 18:28

Read this thread pls. We have discussed various issues that can cause website load failures.

https://supportforums.cisco.com/message/3015828#3015828

As for where to find that packets are dropped due to an RFC violation or inspection failure: it will be in the syslogs. Make sure to enable debug level and look through the logs when the site fails to load.

-KS

Federico Coto F... Thu, 02/11/2010 - 06:09

Thank you KS, I will check the syslogs to see if I can find the reason why these sites are being blocked by the http inspection.

I've gone through the thread you mentioned as well....

It will be a lot easier for me, if there's a way to enable/disable the http inspection just for some particular http sites on the ASA.

As far as I've seen, the only way to accomplish this is with an ACL (therefore having to put an IP address, instead of the URL, not really resolving much)

Thank you,

Federico.

Erik Ingeberg Thu, 02/11/2010 - 13:22

This is an interesting thread, and I would like to add some comments.

You say you want to allow traffic from https://licensing.adobe.com. In your config, you have a "match-all" class map that matches both the "request header host" field ("apps\.facebook\.com") and the "request uri" ("/onthefarm").

This means that traffic will only be dropped when both these fields are matched. Since the request header host field "licensing.adobe.com" does not match the regex "apps\.facebook\.com", and the needed URI is not there, this traffic should not be dropped due to HTTP inspection. It would not match the requirements of the class map. My point is that there is no need to exempt an IP from this rule, since you already specified that it only applies to apps.facebook.com, AND with a URI of /onthefarm.

As for the RFC violation, I couldn't see the command in the config you posted, but perhaps it has been added later? The command that could be dropping your traffic is:

policy-map type inspect http block-url-policy
parameters
  protocol-violation action drop-connection log

Check your config to see if it's there, also the "log" keyword at the end is optional. If you're missing it you won't see why this traffic is being dropped in the logs.

I'm not a big fan of the protocol-violation command, I just realised that even this support forum won't let me log in if I have the protocol-violation dropping turned on...
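
Erik's match-all point, as an added example that is not from this thread: a small Python evaluator for the two match lines of block-url-class, with the regexes exactly as posted, run against three constructed requests (the Farmville one, another apps.facebook.com app, and a hypothetical licensing.adobe.com request that even carries /onthefarm in its URI). It assumes ASA regex matching behaves like an unanchored re.search; the class-map representation is a stand-in for the CLI, not a parser for it. Switching the same class to match-any shows why the mode matters: the Adobe request would then be dropped on the URI alone.

```python
import re

# regex blockex1 "/onthefarm" / regex blockex2 "apps\.facebook\.com" (from the posted config)
REGEXES = {
    "blockex1": re.compile(r"/onthefarm"),
    "blockex2": re.compile(r"apps\.facebook\.com"),
}

# class-map type inspect http match-all block-url-class
#   match request uri regex blockex1
#   match request header host regex blockex2
BLOCK_URL_CLASS = {
    "mode": "match-all",
    "matches": [("request uri", "blockex1"), ("request header host", "blockex2")],
}


def field_value(request, field):
    """Map an ASA match field name onto the parsed request (uri or a named header)."""
    if field == "request uri":
        return request["uri"]
    if field.startswith("request header "):
        return request["headers"].get(field.split()[-1].lower(), "")
    raise ValueError("unsupported match field: %s" % field)


def class_matches(class_map, request):
    """match-all needs every match line to hit; match-any needs at least one.
    Assumption: ASA regex matching is an unanchored search, like re.search."""
    hits = [REGEXES[name].search(field_value(request, field)) is not None
            for field, name in class_map["matches"]]
    return all(hits) if class_map["mode"] == "match-all" else any(hits)


def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser for the constructed samples."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


# Constructed requests; the Adobe URI is hypothetical and chosen to contain /onthefarm on purpose.
SAMPLES = {
    "farmville": parse_request(b"GET /onthefarm/index.php?ref=tab HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"),
    "facebook_other": parse_request(b"GET /mafiawars/ HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"),
    "adobe": parse_request(b"GET /onthefarm HTTP/1.1\r\nHost: licensing.adobe.com\r\n\r\n"),
}


def decisions(class_map=BLOCK_URL_CLASS):
    """True means the class matched and its drop-connection action would fire."""
    return {name: class_matches(class_map, req) for name, req in SAMPLES.items()}
```

With the class as posted, only the Farmville request matches, which is why the drop counter Federico saw under "class block-url-class" stayed at 0 while the "protocol violations" counter moved: the Adobe flow was not being caught by the class at all.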

Federico Coto F... Thu, 02/11/2010 - 13:33

Thank you for your comments!

I want to ask you something....

Is there a way to turn the HTTP inspection on on the ASA and exempt some sites from the inspection?

I know that I can define an ACL to avoid HTTP inspection from that ACL, but on an ACL I can only specify IP addresses (not domains)

For example, if my goal would be to inspect HTTP through the ASA with the HTTP inspection but avoid inspecting a number of domains, sites, etc...

The only way is with an ACL applied to the inspection?

Thank you!!

Federico.

Erik Ingeberg Fri, 02/12/2010 - 00:39

Yes, the only way to turn off inspection completely for certain sites is to define what to avoid with ACLs, so you wouldn't be able to use domain names in that scenario.

You could match the host field in the request header for a particular site that you do not want to inspect (using HTTP inspection) and then have no action as a result of the inspection. This class-map should be at the top of your global policy. Then you can add a second class map (or use inspection default) with the required inspection for the rest of the HTTP traffic.
