503 Service Unavailable through CSC-SSM

Unanswered Question
Sep 10th, 2010

I'm stumped! We have one website that we use ALL the time. Sometimes it works, sometimes it doesn't.

www.cutr.usf.edu is a good URL; it works on any other device not behind the ASA.

When we navigate to it, it displays "503 Service Unavailable. Unable to connect to 131.247.19.33".

I can see it building and tearing down the connection. The TCP FINs look normal, but this is what we get. It may work fine for a while, then not. Last time I started putting www in front of the URL and now nothing works. Any ideas?

(attachment: error.PNG)

Severity | Date        | Time     | Syslog ID | Source IP     | Source Port | Destination IP | Destination Port | Description
6        | Sep 10 2010 | 14:34:27 | 302014    | 131.247.19.33 | 80          | 192.168.1.36   | 5129             | Teardown TCP connection 11045881 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5129 duration 0:00:00 bytes 277 TCP FINs
6        | Sep 10 2010 | 14:34:27 | 302013    | 131.247.19.33 | 80          | 192.168.1.36   | 5129             | Built outbound TCP connection 11045881 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5129 (74.203.134.30/4520)
6        | Sep 10 2010 | 14:34:27 | 305011    | 192.168.1.36  | 5129        | 74.203.134.30  | 4520             | Built dynamic TCP translation from LAN:192.168.1.36/5129 to WAN:74.203.134.30/4520
6        | Sep 10 2010 | 14:34:24 | 302014    | 131.247.19.33 | 80          | 192.168.1.36   | 5127             | Teardown TCP connection 11045875 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5127 duration 0:00:00 bytes 277 TCP FINs
6        | Sep 10 2010 | 14:34:24 | 302013    | 131.247.19.33 | 80          | 192.168.1.36   | 5127             | Built outbound TCP connection 11045875 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5127 (74.203.134.30/51059)
6        | Sep 10 2010 | 14:34:24 | 305011    | 192.168.1.36  | 5127        | 74.203.134.30  | 51059            | Built dynamic TCP translation from LAN:192.168.1.36/5127 to WAN:74.203.134.30/51059

Trend Micro InterScan for Cisco CSC SSM 6.3.1172.3

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 53 days 2 hours
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   :  CN1000-MC-BOOT-2.00
                             SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.04
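One way to pull the pattern shown in the log above out of a larger ASA syslog feed, as an added example that is not part of this thread: it pairs each 302013 "Built" message with its 302014 "Teardown" by connection id and flags connections torn down at 0 seconds with only a few hundred bytes, then counts them per remote endpoint so a single misbehaving destination stands out. The sample feed is constructed from the two connections in the post (rewritten in %ASA syslog text form) plus one made-up healthy connection for contrast.

```python
import re
from collections import Counter

# Constructed sample feed: the two connections from the post above in %ASA syslog
# text form, plus one made-up healthy connection (id 11045902) for contrast.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 11045875 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5127 (74.203.134.30/51059)
%ASA-6-302014: Teardown TCP connection 11045875 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5127 duration 0:00:00 bytes 277 TCP FINs
%ASA-6-302013: Built outbound TCP connection 11045881 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5129 (74.203.134.30/4520)
%ASA-6-302014: Teardown TCP connection 11045881 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5129 duration 0:00:00 bytes 277 TCP FINs
%ASA-6-302013: Built outbound TCP connection 11045902 for WAN:70.85.180.226/80 (70.85.180.226/80) to LAN:192.168.1.36/5131 (74.203.134.30/4533)
%ASA-6-302014: Teardown TCP connection 11045902 for WAN:70.85.180.226/80 to LAN:192.168.1.36/5131 duration 0:00:12 bytes 48211 TCP FINs
"""

# 302013: Built {inbound|outbound} TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT = re.compile(r"302013: Built (?:inbound|outbound) TCP connection (\d+) for "
                   r"([^:\s]+):([\d.]+)/(\d+) \([\d.]+/\d+\) to ([^:\s]+):([\d.]+)/(\d+)")
# 302014: Teardown TCP connection <id> for ... duration h:mm:ss bytes <n> [reason]
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for .* duration "
                      r"(\d+):(\d\d):(\d\d) bytes (\d+)(?: (.*))?$")

def correlate(log_text):
    """Pair each Built with its Teardown by ASA connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:  # for an outbound connection the first endpoint is the lower-security side (the web server here)
            cid = int(m.group(1))
            conns[cid] = {"id": cid, "remote": f"{m.group(3)}:{m.group(4)}", "local": f"{m.group(6)}:{m.group(7)}",
                          "duration": None, "bytes": None, "reason": None}
            continue
        m = TEARDOWN.search(line)
        if m:
            cid = int(m.group(1))
            c = conns.setdefault(cid, {"id": cid, "remote": None, "local": None})
            h, mi, s = (int(g) for g in m.group(2, 3, 4))
            c["duration"] = h * 3600 + mi * 60 + s
            c["bytes"] = int(m.group(5))
            c["reason"] = m.group(6) or ""
    return conns

def short_lived(conns, max_seconds=0, max_bytes=512):
    """Ids of connections torn down at once with almost no payload: the symptom in the post's log."""
    return sorted(c["id"] for c in conns.values() if c["duration"] is not None
                  and c["duration"] <= max_seconds and c["bytes"] <= max_bytes)

def suspects_by_remote(conns):
    """Count short-lived connections per remote endpoint so one bad destination stands out."""
    return Counter(conns[cid]["remote"] for cid in short_lived(conns))
```

Run against a real feed, a destination that dominates the count is the one to capture traffic for on the inside and outside interfaces, which is what the later replies in this thread suggest.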

mirober2 Fri, 09/10/2010 - 12:01

Hi Robert,

What version of CSC software are you running? I would suggest an upgrade to 6.3.1172.3 to make sure you have all of the latest bug fixes.

Hope that helps.

-Mike

robert.mehrer Fri, 09/10/2010 - 12:03

Trend Micro InterScan for Cisco CSC SSM 6.3.1172.3

It's below the log output, along with all the versions I have for each device.

Kureli Sankar Fri, 09/10/2010 - 19:17

Try to change the DNS server IPs that the CSC is using to something like 4.2.2.2 and see if that helps.

-KS

robert.mehrer Mon, 12/13/2010 - 07:32

Couple of things I did to stop mine from doing it, well, not as often.

Make sure the site you're browsing to has a WWW in front of it.

Make sure the IP of the module is set in an exclusion zone on your DHCP server so it's not handed out. (I had some cell phones snagging the IP, killing the connection to it.)

Check your DNS servers and add additional forwarders if available.

dhammink47 Thu, 12/16/2010 - 05:24

Hi,

I tried everything (IP was already in an exclusion zone, DNS has a couple of forwarders) and it still occasionally occurs. Overall I find the CSC-SSM slow. A site (www.trackdog.de) that normally loads within 300ms is taking 4 seconds with only URL filtering on. If I turn on Web Reputation it might take up to 8 seconds. Scanning does not make it better either...

This is not acceptable, what can be done?

And the classifications are sometimes totally off topic (shop sites with decent home and garden stuff as pornographic is ridiculous).

Kind regards

David

robert.mehrer Thu, 12/16/2010 - 07:48

Mine still does the same, and I found Cisco support to be lacking unless you pay assloads for service... When you already pay assloads for the equipment they should throw some support in with it.

Panos Kampanakis Thu, 12/16/2010 - 14:44

Mine still does the same, and I found Cisco support to be lacking unless you pay assloads for service... When you already pay assloads for the equipment they should throw some support in with it.

I am not sure what you mean by "Cisco support". If you have a support contract we should be able to work on the problem and fix it if it is due to faulty behavior. Did you actually open a case for the CSC module?

I would suggest capturing packets for a "slow page" or one that doesn't come up. I would try to see if it is introduced due to slow response from the Trend servers or if it is related to something else.

PK

Panos Kampanakis Thu, 12/16/2010 - 14:40

Hi,

I tried everything (IP was already in an exclusion zone, DNS has a couple of forwarders) and it still occasionally occurs. Overall I find the CSC-SSM slow. A site (www.trackdog.de) that normally loads within 300ms is taking 4 seconds with only URL filtering on. If I turn on Web Reputation it might take up to 8 seconds. Scanning does not make it better either...

This is not acceptable, what can be done?

And the classifications are sometimes totally off topic (shop sites with decent home and garden stuff as pornographic is ridiculous).

Kind regards

David

David,

Keep in mind that with reputation or URL filtering services enabled, for every HTTP GET that you make (each page has many) the module needs to go to the server and ask if it is legit or not. So, if your network is slow or oversubscribed, or if you have a lot of traffic going through, then adding 0.5s of delay for every GET could add up to some delay for the page itself. I haven't looked into the issue itself; it could be related to the CSC being slow itself (make sure your version is up to date and you are not doing Debug-level logs on it), but it is something to keep in mind.

As for the classifications, if that is happening it needs to be fixed. Give us examples of pages that are blocked and should not be. http://reclassify.url.trendmicro.com/submit-files/onlinequery.asp will give you what the pages are classified as.

PK

dhammink47 Thu, 12/16/2010 - 23:38

Hi,

OK, that explains what I see in Firebug (see pictures). Lots of DNS waits which are not DNS waits but waits for the CSC server.

Pretty dumb that it does not cache the website's URL and only do one server check; if it is OK for that page we do not check again...

Our network is not oversubscribed (we have a 34MB connection, bandwidth usage under 2% at the moment at peak times). I can make the attached picture at any moment (also at 12 AM, and I can assure you there is no one in the office...).

That CSC server is pretty lame if you ask me.

It sounds to me like we have bought the wrong product.

As for reclassify: I have posted a couple of websites, but the ones I reclassified are so obviously not Adult that I do wonder who decides what is what. Or are you just counting reclassifications from users (read: competitors that want them to be porn) without checking the website?

Kind regards

David

Panos Kampanakis Fri, 12/17/2010 - 05:32

Hi,

OK, that explains what I see in Firebug (see pictures). Lots of DNS waits which are not DNS waits but waits for the CSC server.

Pretty dumb that it does not cache the website's URL and only do one server check; if it is OK for that page we do not check again...

Our network is not oversubscribed (we have a 34MB connection, bandwidth usage under 2% at the moment at peak times). I can make the attached picture at any moment (also at 12 AM, and I can assure you there is no one in the office...).

That CSC server is pretty lame if you ask me.

It sounds to me like we have bought the wrong product.

As for reclassify: I have posted a couple of websites, but the ones I reclassified are so obviously not Adult that I do wonder who decides what is what. Or are you just counting reclassifications from users (read: competitors that want them to be ****) without checking the website?

Kind regards

David

Please try to capture a slow page on your module. I see some delays that are more than 1-2s, and these seem a little odd. Maybe it takes time for the server to respond. Where are you located, really? Sometimes the path to the Trend server can add time. Capture traffic on the ASA using the capture command on the inside and outside interfaces. See if the module takes time to do the DNS lookup before it checks whether the "page is legit or not", or if it takes time for it to hear back. It is normal to have some delay, but not more than 2-3-4s of delay per page for most people.

Also check at what level you are logging. Also note that 6.3.1172.4 has introduced HTTP enhancements that speed up browsing. So if you are running 6.2.xxx it is worth trying 6.3. The RAM of the module is not big enough; that is why it cannot cache many websites.

As for classification, it is done by Trend. It is not based on user classification. The feedback form just sets a flag for them to check the website. There are many heuristics that go into the equation, including activity and traffic seen from the URL, reports from various sources, IDS, attacks deployed coming from the website, checks of the website content itself, etc. It is more or less what all vendors in the field do.

Now, as for it being the right product or not, experience has shown that it suits more small and medium size customers. That is a general statement, but for what the product can do, most users have it working fine. Of course, since its development there have been other newer solutions that have come out also (like IronPort) that could potentially be leveraged to provide this functionality in other efficient ways.

I would be curious if your CSC is acting up, or if it is just behaving as expected, and I would check captures as suggested in my first paragraph.

Rgs,

PK

Kureli Sankar Fri, 12/17/2010 - 05:38

David,

Would you be willing to open a case with TAC? It would be better in this case as we would have to gather captures and analyze where the delay is and where the CSC is located physically and where the DNS server is located physically and its path out to the internet.

Once you open a TAC case, please let us know the case number; we can make sure it progresses well on our side.

-KS

dhammink47 Wed, 01/05/2011 - 05:47

Hi,

Took me a while to open the TAC case (needed to do that via my normal Cisco support channel).

I have opened a TAC case:

SR: 616454465

SUMMARY: Slow webtraffic with activated Plus License features

SEVERITY: 3

STATUS: Cisco Pending

Case owned by Sachin Vaish

Maybe we find something.

robert.mehrer Fri, 12/17/2010 - 06:41

I'm running the latest firmware on the CSC module. I usually don't have an issue with sites. If they do pop up as service unavailable, a refresh will clear the issue, due to high traffic and low bandwidth. We only have a bonded T1 for VoIP and Internet. 1.25mbps is slow by comparison with the amount of traffic we pump through it.

All that being said, I'm having issues with one site in specific: www.cutr.usf.edu. Now at home it works great, cellular it works great, through the ASA it never comes up. It just says service unavailable, cannot contact IP ***.***.***.***. This isn't normal operation. How would I track the lookup (GET) of the page? Or how delayed it is? I'm not aware of tools for the ASA that can assist in this type of thing. We are not running debug logs either.

Product version: Trend Micro InterScan for Cisco CSC SSM 6.3.1172.4

I even added the cutr website to all the exception lists for scanning. Still nothing.

As far as service: I don't have a contract on this particular ASA, so you can't even open a ticket on it. We are a governmental body that has limited funds for service and support. When you're paying over $10K for an appliance it's a little hard to chew on a couple extra thousand for support contracts.

dhammink47 Wed, 01/05/2011 - 06:19

Hi Robert,

This website seems to have a problem with its DNS. I just did a wget on a Linux box:

wget  http://www.cutr.usf.edu/
Resolving www.cutr.usf.edu... 131.247.19.8, 131.247.19.9, 131.247.19.33, ...
Connecting to www.cutr.usf.edu|131.247.19.8|:80... failed: Connection refused.
Connecting to www.cutr.usf.edu|131.247.19.9|:80... failed: Connection refused.
Connecting to www.cutr.usf.edu|131.247.19.33|:80... failed: Connection refused.
Connecting to www.cutr.usf.edu|70.85.180.226|:80... connected.
HTTP request sent, awaiting response... 200 OK

After 4 tries it connects. It should not produce a 503 error with the ASA CSC, however.

robert.mehrer Wed, 01/05/2011 - 07:42

I've done the same from behind the ASA and this is what I get. When I try to browse to the IP that states "connected" I get the 503 error, just like I do on all of the IP addresses. Is there a security setting or something in the ASA that does this? I'm at a loss as to why I would get this. I tested from home and it resolves correctly.

dhammink47 Fri, 02/22/2013 - 06:33

I have long since updated to 6.3.1172.4 but still occasionally get the Error 503 (mostly on Mac).

Hardly any traffic on the network.

CPU on the CSC SSM module: 3%

So no real load. Can anyone explain to me how to turn it off entirely?
