
ACE: WebDAV Traffic dropped by inspection

I terminate HTTP and HTTPS on the ACE. Within the L4 multi-match policy there is a class for inspection purposes.

The class itself filters on

port misuse p2p

port misuse im

port misuse tunnel

The action for a valid match is reset.

Somehow WebDAV traffic gets matched by any of the above criteria.

The only chance I have to enable WebDAV is to disable/remove the inspection from the multi-match policy.

Is this a "works as designed", "possible bug" or "bad configuration" issue?

Thanks for reading.

Roble

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACE: WebDAV Traffic dropped by inspection

Roble,

After some digging in the code and a discussion with the person in charge of this feature, it appears that WebDAV is not supported by HTTP inspect. The HTTP method PROPFIND is rejected by HTTP inspect.

This is not considered a bug.

But I believe we might add it with a feature request.

Gilles.

6 REPLIES
Cisco Employee

Re: ACE: WebDAV Traffic dropped by inspection

We can't really say it was designed like this.

Now, it could be that WebDAV behavior is similar to any of the protocols in the list.

Do you know if the problem is for any of the protocols listed or one in particular? Did you try just one of them in your match statement?

Also, do you have a trace when this occurs so we can look at the WebDAV request?

Thanks,

Gilles.

Bronze

Re: ACE: WebDAV Traffic dropped by inspection

Hey Gilles...

The funny thing is that any of the single statements causes a match.

When the class map is filled with only one "qualifier", e.g. port-misuse p2p, the inspection engine drops the packet. I tried it with every single statement. Even when the class map is empty it will drop the WebDAV packets.

I was thinking about possibly whitelisting the WebDAV traffic and using the port-misuse statements as a blacklist approach.

Currently I am not yet sure how to identify WebDAV traffic within a class map.

I sniffed the connection and the only thing I see is a "regular" RST packet after the WebDAV method "PROPFIND".

That is all I could find out so far. In my opinion this could be another bug, because I see no reason to mark WebDAV traffic as malicious content.

But I would also face a "what the heck have you configured there" statement as long as it helps. :)

Roble

Cisco Employee

Re: ACE: WebDAV Traffic dropped by inspection

ok.

I can see the same behavior in my lab.

I will investigate.

Gilles.

Bronze

Re: ACE: WebDAV Traffic dropped by inspection

Great to hear you could reproduce that behavior. So I will probably end up with a TAC call and a DevImage fixing this.

Roble

Bronze

Re: ACE: WebDAV Traffic dropped by inspection

The way to go from here is a TAC call with a feature request? Or is there another approach I should take?

Anyhow thanks for clearing up the issue.

Roble
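
An added example, not part of the thread and not Cisco code: because the accepted answer says HTTP inspection rejects PROPFIND, auditing web server access logs for WebDAV methods (RFC 4918) before enabling inspection shows which clients would be reset. The log lines are constructed, the Common Log Format input is an assumption, and treating every RFC 4918 method as affected is also an assumption; the thread confirms only PROPFIND.

```python
import re
from collections import Counter, defaultdict

# Methods defined by RFC 4918 (WebDAV). The thread confirms only PROPFIND as
# rejected by ACE HTTP inspection; flagging the others is an assumption.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
CONFIRMED_REJECTED = {"PROPFIND"}

# Common Log Format: host ident user [time] "METHOD target HTTP/x.y" status size
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) \S+ HTTP/[\d.]+" \d{3} \S+')

# Constructed sample input (documentation addresses, made-up requests).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2010:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120
192.0.2.23 - alice [12/Mar/2010:10:01:05 +0100] "OPTIONS /dav/ HTTP/1.1" 200 0
192.0.2.23 - alice [12/Mar/2010:10:01:05 +0100] "PROPFIND /dav/ HTTP/1.1" 207 1843
192.0.2.23 - alice [12/Mar/2010:10:01:09 +0100] "LOCK /dav/report.doc HTTP/1.1" 200 412
192.0.2.41 - - [12/Mar/2010:10:02:17 +0100] "PROPFIND /dav/shared/ HTTP/1.1" 207 977
192.0.2.41 - - [12/Mar/2010:10:02:19 +0100] "PROPFIND /dav/shared/a/ HTTP/1.1" 207 640
this line is malformed and cannot be audited
"""

def audit(log_text):
    """Return ({client: Counter of WebDAV methods}, number of unparsed lines)."""
    per_client = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m is None:
            unparsed += 1  # report it: an unparsed line is unaudited traffic
            continue
        if m["method"] in WEBDAV_METHODS:
            per_client[m["client"]][m["method"]] += 1
    return dict(per_client), unparsed

def report(log_text):
    """One line per client and method, marking what the thread confirms."""
    per_client, unparsed = audit(log_text)
    lines = []
    for client in sorted(per_client):
        for method, n in sorted(per_client[client].items()):
            tag = "confirmed in thread" if method in CONFIRMED_REJECTED else "assumed"
            lines.append(f"{client} {method} x{n} ({tag})")
    lines.append(f"unparsed lines: {unparsed}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
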
