Long URL not allowed by ASA

Hi All,

I am trying to download a file, but I get redirected to a very long URL and I'm wondering if this could be the reason why the ASA is dropping the connection.

If I try to download the file without going through the ASA, it works fine.

The problem is that the URL is an HTTPS connection, and I don't seem to get an error; when I do a Packet Tracer the connection goes fine, but I cannot test the Packet Tracer connection up to the final URL. The same happens with the ASP drop capture: I don't see the message that tells me why the connection is being blocked.

There is so much traffic that I cannot filter the logs to see what's going on.

I tried a capture, but since it's HTTPS I don't see any reason.

My question is:

Is it possible that since the URL is too big, the ASA might be blocking it?

I've tried increasing the size of the DNS replies and of the body in the HTTP inspection, and that did not help.

Please let me know your comments or suggestions.

Thank you,

Federico.


Look at the results:

ASA(config)# sh run nat

nat (inside) 1 access-list NAT
nat (inside) 5 172.16.10.34 255.255.255.255
ASA5510-FuSioNet(config)# sh run glob
global (SHDSL) 1 interface
global (SHDSL) 5 201.198.233.91
ASA(config)# sh access-l NAT
access-list NAT; 5 elements
access-list NAT line 1 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=0) 0xf77313a8
ASA(config)# sh xlate local 172.16.10.34
146 in use, 746 most used
PAT Global 201.198.233.90(49408) Local 172.16.10.34(5023)
PAT Global 201.198.233.90(63289) Local 172.16.10.34(5051)
PAT Global 201.198.233.90(34280) Local 172.16.10.34 ICMP id 1
ASA(config)# clear local 172.16.10.34
ASA(config)# sh xlate local 172.16.10.34
124 in use, 746 most used
PAT Global 201.198.233.90(48129) Local 172.16.10.34 ICMP id 1
ASA(config)#

The Policy NAT takes precedence over regular NAT (even if it is more specific).

I'm still getting out with the ASA's IP address.

I did a static NAT with the .91 address, and I do get translated to .91

static (inside,SHDSL) 201.198.233.91 172.16.10.34

Now, I'm getting translated to .91 but I attempt to get to the URL and I get the same problem. So it is not a problem with the IP, what could it be?

Thanks,

Federico.

NAT order of operation

    1) nat 0 access-list (nat-exempt)
    2) match against existing xlates
    3) static
       a) static nat with and without access-list (first match)
       b) static pat with and without access-list (first match)
    4) nat
       a) nat access-list (first match)
          Note: nat 0 access-list is not part of this command.
       b) nat (best match)
          Note: When choosing a global address from multiple pools with

So, this explains why policy nat took precedence.

Now, all I can say is, looking at the captures, your inside host doesn't hear back from the outside host for more than 60 seconds and so sends a reset.

You are probably seeing Reset-I in the syslogs indicating a reset coming from the higher security interface? correct?

Have you tried reducing the MTU on the outside interface to see if you have any success?
What code was the old ASA running, and what code is the new ASA running?
Was the old ASA also using the same IP scheme?
It surely appears pretty interesting.

-KS

Hi KS,

I have a question. If I reduce the MTU on the outside interface will that drop all the connections?

ASA(config-if)# int e 0/0
ASA(config-if)# mtu outside ?

configure mode commands/options:
  <64-65535>  MTU bytes

I have a weird situation because this is what I did:

I came to my office where I also have an ASA 5510 running asa804-k8.bin and the same exact thing happens.

I mean, if I remove the ASA, I am able to download the file from the HTTPS site. If I put the ASA back in place, I get the same error.

So, there's definitely something in the ASA dropping this connection (and not on a single ASA, but on every ASA)....

If you can try it yourself... I want to give you the steps so that you can attempt to download this file either through the ASA and bypassing the ASA.

Can you do it if I give you the steps?

I just don't want to share them with you here, because they are secure credentials. How do I share them with you?

Thank you!

Federico.

No, it will not drop all connections. It will just start sending more, smaller packets, that is all.

Give that a shot. MTU outside 1400 (start at that) or you can do

sysopt connection tcpmss 1300

Do you have smartnet? If so, it will be easier to open a TAC case quickly online.

Let me know the case number.

-KS

Hi KS,

I identified the problem.

This is part of my configuration on the ASA:

#################################################################

regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

class-map inspection_default
match default-inspection-traffic


class-map type inspect http match-all block-url-class
match request uri regex blockex1
match request header host regex blockex2

policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log


policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect sip 
  inspect http block-url-policy

service-policy global_policy global

#################################################################

I have the above configuration because of a requirement to block the "Farmville" game on Facebook, and it works great.

If I remove the http inspection:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect http block-url-policy

Then I am able to download the file through the ASA.

But now everybody is able to access the "Farmville" game again....

So, how do I block the game and still allow access to the site? Or a better question would be.... how do I find out why the connection to this specific HTTPS site (then converted to HTTP somehow) is being denied by the ASAs?

Also, every time that I attempt to access the HTTPS site giving me problems, the violation counter on the HTTP inspection increments:

ASA(config)# sh service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http block-url-policy, packet 248276, drop 23, reset-drop 2
        protocol violations
          packet 11
        class block-url-class
          drop-connection log, packet 0

How do I determine the reason why the ASA is dropping packets to this site????

Thank you!

Federico.

Nice find. I did notice the http inside the https in the capture.

You can remove http inspection from the class default and then add a separate class and use an acl to match all http traffic but just above the permit add a deny to deny the flow to this one particular website. I think that should do it so, you get to block this farmville game on FB.

-KS

Thank you KS, but I need some help in doing that...

For example, this is the configuration that I currently have to block the farmville game:

#############################################################

regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

class-map inspection_default
match default-inspection-traffic

class-map type inspect http match-all block-url-class
match request uri regex blockex1
match request header host regex blockex2

policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log

policy-map global_policy
class inspection_default
  inspect http block-url-policy

service-policy global_policy global

#############################################################

So, I want to add the rule to NOT inspect http traffic to this site:    https://licensing.adobe.com

This site resolves to IP 192.150.14.76

So, would the configuration that I should add look like this?

#############################################################

regex allow1 ".*adobe.*"

access-list user-acl extended deny tcp any host 192.150.14.76 eq www
access-list user-acl extended permit tcp any any eq www

class-map type inspect http match-all Allow-Sites
match access-list user-acl
match request header host regex allow1

#############################################################

How do I bind this new class to the global service policy?

service-policy global_policy global

My goal (as you mentioned), is to inspect http to all sites (except 192.150.14.76), while still having the rule for blocking the farmville game.

Thank you!!

conf t

policy-map global_policy
class inspection_default
no inspect http block-url-policy ----remove from default

exit

conf t

access-list allow-http extended deny tcp any host 192.150.14.76 eq www
access-list allow-http extended permit tcp any any

class-map ins-http
match access-list allow-http

policy-map global_policy

  class ins-http
   inspect http block-url-policy  ----re-add under a diff. class

-KS

Hi KS,

Thank you.

I did it, but the problem persisted; it is the correct solution, though.

It is because the final destination (where the file is downloaded from) is not the same IP as the original destination in the HTTP request (192.150.14.76).

I am going to have to find out that IP and do it like that then....

This would be the only way to accomplish this correct?

Thank you again,

Federico.

That would be correct.

You could also use this command to see if this flow will be inspected by http. You can also make that deny acl as ip instead of tcp and specifying the port 80.

sh service-policy flow tcp host x.x.x.x host 192.150.14.76 eq 80

-KS

Hi KS,

I want to thank you, because your suggestions are very helpful. I've found the final IP address for the download, applied it to the ACL, and it worked fine (no HTTP inspection to that IP).

I have another question though.

We have seen many sites now that are having problems through the ASA with the HTTP inspection enabled. All the sites work perfectly when disabling the HTTP inspection.

So my question is.... could it be that those HTTP sites are not compliant with the RFC for HTTP and therefore being dropped by the ASA? But so many sites???  Seems weird to me....  How do I find out why a particular HTTP flow is being dropped by the ASA when it is being inspected?

Thank you very much again!

Federico.

Read this thread, please. We have discussed various issues that can cause website load failures.

https://supportforums.cisco.com/message/3015828#3015828

As for where to find that packets are dropped due to RFC violation and inspection failure: it will be in the syslogs. Make sure to enable debug level and look through the logs when the site fails to load.

-KS

Thank you KS, I will check the syslogs to see if I can find the reason why these sites are being blocked by the HTTP inspection.

I've gone through the thread you mentioned as well....

It will be a lot easier for me, if there's a way to enable/disable the http inspection just for some particular http sites on the ASA.

As far as I've seen, the only way to accomplish this is with an ACL (therefore having to put an IP address, instead of the URL, not really resolving much)

Thank you,

Federico.

This is an interesting thread, and I would like to add some comments.

You say you want to allow traffic from https://licensing.adobe.com. In your config, you have a "match-all" class map that matches both the "request header host" field ("apps\.facebook\.com") and the "request uri" ("/onthefarm").

This means that traffic will only be dropped when both these fields are matched. Since the request header host field, when it is "licensing.adobe.com", does not match the regex "apps\.facebook\.com", and the needed URI is not there, this traffic should not be dropped due to HTTP inspection. It would not match the requirements of the class map. My point is that there is no need to exempt an IP from this rule, since you already specified that it only applies to apps.facebook.com, AND with a URI of /onthefarm.

As for the RFC violation, I couldn't see the command in the config you posted, but perhaps it has been added later? The command that could be dropping your traffic is:

policy-map type inspect http block-url-policy
parameters
  protocol-violation action drop-connection log

Check your config to see if it's there, also the "log" keyword at the end is optional. If you're missing it you won't see why this traffic is being dropped in the logs.

I'm not a big fan of the protocol-violation command, I just realised that even this support forum won't let me log in if I have the protocol-violation dropping turned on...
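
The "match-all" point made in this comment, together with KS's earlier ACL-based class (deny 192.150.14.76 so the flow never enters HTTP inspection), can be checked without an ASA. The following Python model is an added example, not code from this thread or from Cisco: it reuses the thread's two regexes and the allow-http ACL, evaluates the class-map as match-all or match-any, and reports the verdict the policy would give. The HTTP requests and the addresses 198.51.100.10 and 203.0.113.5 are constructed for the example; only 192.150.14.76 comes from the thread. It does not model the inspection engine's own RFC/protocol-violation check, which happens independently of the class-map.

```python
import ipaddress
import re

# Regexes taken from the thread's ASA configuration (regex blockex1 / blockex2).
BLOCKEX1 = re.compile(r"/onthefarm")             # match request uri regex blockex1
BLOCKEX2 = re.compile(r"apps\.facebook\.com")    # match request header host regex blockex2

# ACL "allow-http" from KS's reply: a deny line means the flow is NOT placed in
# class ins-http, so it is never handed to the HTTP inspection engine at all.
ALLOW_HTTP_ACL = [
    # (action, protocol, destination network, destination port or None for any)
    ("deny",   "tcp", "192.150.14.76/32", 80),
    ("permit", "tcp", "0.0.0.0/0",        None),
]


def acl_selects_flow(acl, proto, dst_ip, dst_port):
    """First-match ACL evaluation with the ASA's implicit deny at the end."""
    dst = ipaddress.ip_address(dst_ip)
    for action, aproto, dst_net, port in acl:
        if aproto != proto:
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, uri, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def block_url_class(uri, headers, match_all=True):
    """class-map type inspect http block-url-class: two match statements, match-all or match-any."""
    hits = (
        BLOCKEX1.search(uri) is not None,
        BLOCKEX2.search(headers.get("host", "")) is not None,
    )
    return all(hits) if match_all else any(hits)


def asa_verdict(dst_ip, dst_port, raw, match_all=True):
    """Verdict of the modelled policy for one request on one flow."""
    if not acl_selects_flow(ALLOW_HTTP_ACL, "tcp", dst_ip, dst_port):
        return "not-inspected"
    _method, uri, headers = parse_request(raw)
    if block_url_class(uri, headers, match_all):
        return "drop-connection"
    return "inspected-permit"


# Constructed sample requests (not captures from the thread).
FARMVILLE_REQ = b"GET /onthefarm/index.php HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"
ADOBE_REQ = b"GET /download/file.bin HTTP/1.1\r\nHost: licensing.adobe.com\r\n\r\n"
STRAY_URI_REQ = b"GET /onthefarm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    # 198.51.100.10 and 203.0.113.5 are documentation addresses standing in for real hosts.
    print(asa_verdict("198.51.100.10", 80, FARMVILLE_REQ))                 # drop-connection
    print(asa_verdict("192.150.14.76", 80, ADOBE_REQ))                     # not-inspected
    print(asa_verdict("203.0.113.5", 80, ADOBE_REQ))                       # inspected-permit
    print(asa_verdict("203.0.113.5", 80, STRAY_URI_REQ))                   # inspected-permit
    print(asa_verdict("203.0.113.5", 80, STRAY_URI_REQ, match_all=False))  # drop-connection
```

The third and fourth results are the comment's point: a request to licensing.adobe.com, or one that carries /onthefarm on some other host, is inspected but not dropped under match-all, so the ACL exemption only matters for whatever the inspection engine rejects on its own (the "protocol violations" counter in the `sh service-policy inspect http` output). Flipping to match-any shows how much wider the drop becomes.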

Thank you for your comments!

I want to ask you something....

Is there a way to turn the HTTP inspection on, on the ASA, and exempt some sites from the inspection?

I know that I can define an ACL to avoid HTTP inspection for that ACL, but in an ACL I can only specify IP addresses (not domains).

For example, if my goal would be to inspect HTTP through the ASA with the HTTP inspection but avoid inspecting a number of domains, sites, etc...

The only way is with an ACL applied to the inspection?

Thank you!!

Federico.
