Have been having some strange issues with our ASA5520 with CSC10, and the managing director trying to download music from the iTunes store to his iPod.
We have two ASA5520s at different locations, one with a CSC10 module, the other with an AIP10.
The ASA5520 with the AIP10 module has a similar basic configuration with NAT, VPN etc., nothing strange; the ASA5520 with the CSC10 again has a straightforward configuration with NAT, VPN etc.
The ASA5520 with AIP10 has no issues with iTunes downloads through the firewall.
The ASA5520 with CSC10 has downloaded on the odd occasion, but has problems. Have tried everything; initially thought it was a filtering option within the Trend Micro CSC setup, but excluded the module, which made no difference.
Then I noticed in the logs that there were some deny statements for the iTunes download request, as follows:
6 Feb 03 2010 12:48:56 302013 188.8.131.52 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:184.108.40.206/80 (220.127.116.11/80) to INSIDE:192.168.250.2/2641 (xxx.xxx.xxx.xxx/6725)
6 Feb 03 2010 12:48:56 305011 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725
5 Feb 03 2010 12:48:56 304001 192.168.250.2 Accessed URL 18.104.22.168:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
6 Feb 03 2010 12:49:26 305012 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725 duration 0:00:30
6 Feb 03 2010 12:49:25 106015 22.214.171.124 80 xxx.xxx.xxx.xxx 6725 Deny TCP (no connection) from 126.96.36.199/80 to xxx.xxx.xxx.xxx/6725 flags ACK on interface OUTSIDE
6 Feb 03 2010 12:49:25 302014 188.8.131.52 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:184.108.40.206/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
It would appear from the logs that iTunes attempts to build a connection back through the firewall, but I have also seen some deny statements from lots of different IP addresses related to iTunes, all at the same time.
Any ideas what I am missing? It has just thrown me a curve, having one ASA firewall working fine with no special config and one that does not; can't get my head round it.
Do you have any other device on the inside, like Websense or another content scanning device? It appears from the Reset-I that the connection was reset from the higher security interface, after which packets arriving from the internet website are being dropped with the "Deny TCP (no connection)" message, which makes perfect sense.
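A way to check that reading against the log export, as an added example that is not part of the thread: the script parses the ASDM export format shown above, maps each 106015 deny back to the inside host via the 305011 translation, and looks for a preceding 302014 teardown of that same flow ending in TCP Reset-I. The sample records are constructed in the same format with documentation addresses (203.0.113.10 for the iTunes server, 198.51.100.7 for the firewall's translated outside address), since the addresses in the post are obfuscated; a second deny with no matching translation shows the case that still needs investigating.

```python
import re

# Record header of the ASDM log export used in the post: severity, date, time,
# six-digit message id, then the message body (which repeats the addresses).
HEAD_RE = re.compile(r"^\d\s+(\w{3} \d\d \d{4} \d\d:\d\d:\d\d)\s+(\d{6})\s+(.*)$")
XLATE_RE = re.compile(r"Built dynamic TCP translation from \w+:(\S+)/(\d+) to \w+:(\S+)/(\d+)")
TEARDOWN_RE = re.compile(r"Teardown TCP connection \d+ for \w+:(\S+)/(\d+) to \w+:(\S+)/(\d+) "
                         r"duration \S+ bytes \d+ (.*)$")
DENY_RE = re.compile(r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) flags (\S+)")

def parse(lines):
    # Yield (time, msgid, body) for each line carrying the export header; skip the rest.
    for line in lines:
        if m := HEAD_RE.match(line.strip()):
            yield m.groups()

def triage(lines):
    """Explain each 106015 deny using the 305011 translation and 302014 teardown before it.
    A deny to a translated port whose inside flow with that peer was just torn down with
    'TCP Reset-I' is a late server packet after the inside host reset: a symptom, not the cause."""
    xlate = {}      # (translated ip, port) -> (inside ip, port)
    teardowns = {}  # (inside ip, port, peer ip, peer port) -> (time, reason)
    findings = []
    for ts, msgid, body in parse(lines):
        if msgid == "305011" and (m := XLATE_RE.search(body)):
            i_ip, i_port, o_ip, o_port = m.groups()
            xlate[(o_ip, o_port)] = (i_ip, i_port)
        elif msgid == "302014" and (m := TEARDOWN_RE.search(body)):
            peer, peer_port, host, port, reason = m.groups()
            teardowns[(host, port, peer, peer_port)] = (ts, reason)
        elif msgid == "106015" and (m := DENY_RE.search(body)):
            src, sport, dst, dport, flags = m.groups()
            inside = xlate.get((dst, dport))
            prior = teardowns.get(inside + (src, sport)) if inside else None
            if prior and "Reset-I" in prior[1]:
                verdict = f"late {flags} after inside-initiated reset at {prior[0]}; expected follow-on"
            else:
                verdict = "no matching torn-down connection; investigate"
            findings.append({"time": ts, "inside_host": inside[0] if inside else None,
                             "reason": prior[1] if prior else None, "verdict": verdict})
    return findings

# Constructed sample in the post's format (documentation address ranges, not real hosts).
SAMPLE = """\
6 Feb 03 2010 12:48:56 305011 192.168.250.2 2641 198.51.100.7 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:198.51.100.7/6725
5 Feb 03 2010 12:48:56 304001 192.168.250.2 Accessed URL 203.0.113.10:/eu/r1000/example.m4p
6 Feb 03 2010 12:49:25 302014 203.0.113.10 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:203.0.113.10/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
6 Feb 03 2010 12:49:25 106015 203.0.113.10 80 198.51.100.7 6725 Deny TCP (no connection) from 203.0.113.10/80 to 198.51.100.7/6725 flags ACK on interface OUTSIDE
6 Feb 03 2010 12:49:40 106015 203.0.113.44 80 198.51.100.7 7001 Deny TCP (no connection) from 203.0.113.44/80 to 198.51.100.7/7001 flags ACK on interface OUTSIDE
"""
```

Run `triage(SAMPLE.splitlines())` on a real export by replacing SAMPLE with the file's lines; a deny that maps back to a Reset-I teardown points at whatever on the inside (here the CSC scanning path) is resetting the session, not at the deny itself.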
Yes, it appears that deferred scanning is the cause of the issue.
The problem became clearer after a complete reset and configuration of the ASA and CSC.
Prior to the reset, only certain downloads from Apple iTunes were being affected; could download other files no problem. Very strange.
Had initially believed that, because we had enabled the Plus Licence evaluation and tested its features but then did not renew the Plus licence and continued with the base licence, some hidden/old code in the Trend Micro CSC might be causing the issue.
But after the reset to factory defaults of the CSC module and the ASA, and a rebuild of the configuration with the latest software/updates etc., a new problem occurred which led to the fix.
After the rebuild, downloads from ANY site above 10 MB would time out, something that did not happen before, thus leading us to the deferred scanning configuration.
I guess the fact that certain downloads worked prior to the fix threw us a curve and led us away from believing that deferred scanning (not enabled by default) had any relation to the issue.