Cisco 1800 HTTPS Inspection - Huge performance hit

centralautoparts · ‎06-24-2009

I have a very interesting problem. I have a new 1800 configured via the SDM to route out fasteth 0 with just the default single vlan in place. Service is 5Mbps wireless over radio-link.

After trying to join a webinar after installing this router, I was informed that the required Webex client would take upwards of 90 minutes to download via https.

We recently switched ISP and upgraded equipment so I had lots to troubleshoot, but on a hunch used an available public IP and plugged my PC directly into the internet, bypassing the router. Webex Client loaded and configured in under 2 minutes!

So, router was somehow involved. Poking around I noticed HTTPS inspection turned on under Application Security.

Again on a hunch, I turned this off and webex clients were loading in 1-2 minutes.

I basically have a simple firewall set up blocking certain ports for all users (forcing use of a proxy) except a group of privileged users that have unrestricted access via an exception in the firewall based on their internal static IP.

My question is this: is it normal for https inspection to take such a huge performance hit (90x slower), or is there some unwanted configuration relationship between firewalling and App Security in the SDM that can cause inefficient rules to get created.

I confess I'm not well versed in the IOS.

Any ideas on how to troubleshoot the cause of the slowdown?

I turned off https inspection as a stopgap.

sadbulali · ‎06-30-2009

Inspection rules provide an informational list of services, protocols, and port numbers to which a firewall device applies the Adaptive Security Algorithm (ASA). The default ports or those you specify are the ports at which the device listens for each service.

The default configuration of the firewall device includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. The inspection function does not support NAT or PAT for certain applications because of the constraints imposed by the applications. You can change the port assignments for some applications, but other applications have fixed port assignments that you cannot change.

You can extend the HTTP inspection capabilities to select which HTTP methods defined in the RFC to permit in HTTP traffic. If the device encounters an HTTP method not permitted, it drops the packet and closes the connection to prevent any subsequent data from traversing the security appliance.

Inspection rules are based on Context-Based Access Control (CBAC) to intelligently filter TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

When configuring inspection rules, you should:

1. Populate the Inspection Rules table with device, service, and traffic direction information. To access the Inspection Rules table, select Firewall > Inspection Rules.

2. (For IOS devices) Configure settings for deeper packet inspection. To access settings for inspection rules, select Firewall > Settings > Inspection.