I have quite an annoying problem and have not had any joy getting a solution from the vendors involved (Apple, Trend Micro, etc.).
Cisco ASA5520 with CSC10 module, base licence; IOS and updates all up to date.
Fairly standard configuration: NAT, VPN, webmail, SMTP, etc.
MD with Windows XP wants to download from the Apple iTunes Store to an iPod.
Unable to connect to the Store, and timeouts when trying to download from the iTunes Store and Updates.
Logs from the ASA as below:
No logs from the CSC module relating to this problem.
302013 188.8.131.52 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:184.108.40.206/80 (220.127.116.11/80) to INSIDE:192.168.250.2/2641 (xxx.xxx.xxx.xxx/6725)
305011 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725
304001 192.168.250.2 Accessed URL 18.104.22.168:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
305012 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725 duration 0:00:30
106015 22.214.171.124 80 xxx.xxx.xxx.xxx 6725 Deny TCP (no connection) from 126.96.36.199/80 to xxx.xxx.xxx.xxx/6725 flags ACK on interface OUTSIDE
302014 188.8.131.52 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:184.108.40.206/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
Tried on a different network with an ASA5520 and AIP10: no issues.
Identified that the issue is being caused by either the setup of the Trend Micro scanning engine or the CSC module, as I have tested by removing the CSC module and by bypassing scanning, and then the iTunes downloads work without problem.
Found one solution which recommended using access lists to bypass scanning by the CSC module for specified IP addresses. This worked temporarily but, as you can guess, Apple uses myriads of servers to serve their content, so it is difficult to track and exempt all their IP addresses.
In my opinion there must be a bug or some issue with the scanning engine that is causing the TCP Reset-I.
There is no URL or file filtering/blocking set up within the Trend Micro CSC scanning engine, just HTTP scanning.
Any suggestions would be great.
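To make the pattern in the log above easier to spot across a larger export, here is a small parser that correlates the ASA message IDs shown in the post (302013 built, 302014 teardown, 304001 URL, 106015 no-connection deny) by connection ID and flags short connections torn down by a TCP reset whose translated port then receives an ACK the firewall has to drop. This is an added example written for this thread, not code from the poster, Cisco or Trend Micro; the sample log is constructed by copying the lines from the post (xxx.xxx.xxx.xxx is the poster's masked public address), and the thresholds and field names (xlate, late_acks_after_teardown) are my own choices.

```python
import re

# Constructed sample: the six ASA log lines from the post, in the
# "msgid src sport dst dport text" layout the ASDM log viewer exports.
SAMPLE_LOG = """\
302013 188.8.131.52 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:184.108.40.206/80 (220.127.116.11/80) to INSIDE:192.168.250.2/2641 (xxx.xxx.xxx.xxx/6725)
305011 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725
304001 192.168.250.2 Accessed URL 18.104.22.168:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
305012 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725 duration 0:00:30
106015 22.214.171.124 80 xxx.xxx.xxx.xxx 6725 Deny TCP (no connection) from 126.96.36.199/80 to xxx.xxx.xxx.xxx/6725 flags ACK on interface OUTSIDE
302014 188.8.131.52 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:184.108.40.206/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
"""

# Message text patterns; only the free-text part after the message ID is parsed,
# so the leading src/sport/dst/dport columns are ignored.
BUILT = re.compile(r"Built (?:outbound|inbound) TCP connection (\d+) for "
                   r"(\w+):(\S+?)/(\d+) \(\S+\) to (\w+):(\S+?)/(\d+) \((\S+?)/(\d+)\)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for \S+ to \S+ duration "
                      r"(\d+):(\d+):(\d+) bytes (\d+) (.+)$")
DENY = re.compile(r"Deny TCP \(no connection\) from (\S+?)/(\d+) to (\S+?)/(\d+) "
                  r"flags (\S+) on interface (\w+)")
URL = re.compile(r"(\S+) Accessed URL (\S+)")


def analyze(log_text, short_seconds=60, small_bytes=4096):
    """Return one finding per connection that was reset quickly with little data
    and whose NAT port then saw an ACK dropped as 'no connection'."""
    conns, urls, denies = {}, [], []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        msgid, _, text = raw.partition(" ")
        if msgid == "302013":
            m = BUILT.search(text)
            if m:
                conns[m.group(1)] = {
                    "outside": (m.group(3), int(m.group(4))),
                    "inside": (m.group(6), int(m.group(7))),
                    "xlate": (m.group(8), int(m.group(9))),   # translated (public) addr/port
                    "duration": None, "bytes": None, "reason": None,
                }
        elif msgid == "302014":
            m = TEARDOWN.search(text)
            if m and m.group(1) in conns:
                h, mi, s = (int(x) for x in m.group(2, 3, 4))
                conns[m.group(1)].update(duration=h * 3600 + mi * 60 + s,
                                         bytes=int(m.group(5)),
                                         reason=m.group(6).strip())
        elif msgid == "106015":
            m = DENY.search(text)
            if m:
                denies.append({"src": (m.group(1), int(m.group(2))),
                               "dst": (m.group(3), int(m.group(4))),
                               "flags": m.group(5), "iface": m.group(6)})
        elif msgid == "304001":
            m = URL.search(text)
            if m:
                urls.append((m.group(1), m.group(2)))

    findings = []
    for cid, c in conns.items():
        reset = bool(c["reason"]) and c["reason"].startswith("TCP Reset")
        if reset and c["duration"] is not None and c["duration"] <= short_seconds \
                and c["bytes"] <= small_bytes:
            # An ACK from the server to the now-torn-down translation means the
            # peer still believed the session was open when the ASA dropped it.
            late = [d for d in denies if d["dst"] == c["xlate"] and d["flags"] == "ACK"]
            findings.append({
                "conn": cid,
                "inside": c["inside"],
                "outside": c["outside"],
                "reason": c["reason"],
                "duration": c["duration"],
                "bytes": c["bytes"],
                "urls": [u for host, u in urls if host == c["inside"][0]],
                "late_acks_after_teardown": len(late),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run it over a full export (with scanning on, then with the CSC bypass in place) and compare the findings: if the reset-plus-late-ACK pattern appears only when the CSC module is in the path, that is concrete evidence to hand to the vendor along with the URLs involved.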