Have quite an annoying problem and have not had any joy getting any solution from the vendors involved, Apple, Trend Micro, etc.
Cisco ASA5520 with CSC10 Module. Base Licence. IOS and Updates All Up to date
Fairly Standard configuration NAT, VPN, Webmail, SMTP etc.
MD with Windows XP; wants to download from Apple iTunes to iPod.
Unable to connect to Store and timeout when trying to download from iTunes Store and Updates.
Logs from ASA as below:
No Logs from CSC Module relating to this problem.
302013 18.104.22.168 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:22.214.171.124/80 (126.96.36.199/80) to INSIDE:192.168.250.2/2641 (xxx.xxx.xxx.xxx/6725)
305011 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725
304001 192.168.250.2 Accessed URL 188.8.131.52:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
305012 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725 duration 0:00:30
106015 184.108.40.206 80 xxx.xxx.xxx.xxx 6725 Deny TCP (no connection) from 220.127.116.11/80 to xxx.xxx.xxx.xxx/6725 flags ACK on interface OUTSIDE
302014 18.104.22.168 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:22.214.171.124/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
Tried on different network with ASA5520 and AIP10 no issues.
Identified that the issue is being caused by either the setup of the Trend Micro Scanning Engine or the CSC Module, as have tested by removing the CSC module, and by bypassing scanning, and then the iTunes downloads work without problem.
Found one solution which recommended using access-lists to bypass scanning by the CSC Module for specified IP addresses; this worked temporarily but as you can guess Apple use myriads of servers to serve their content, so difficult to track and except all their IP addresses.
In my opinion there must be a bug or some issue with the scanning engine that is causing the TCP Reset-I
There are no URL or FILE Filtering/Blocking setup within the Trend Micro CSC scanning engine, just http scanning.
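As an added example (not from this thread or from Cisco/Trend Micro), a small Python parser over ASA syslog lines of the IDs quoted above (302013, 304001, 106015, 302014) that flags flows the inside side tore down with "TCP Reset-I" after roughly 30 s and almost no bytes, the signature of a download being held for scanning until the client gives up; the log sample is constructed and the 203.0.113.x / 198.51.100.x addresses are RFC 5737 placeholders.

```python
import re

# Constructed sample modelled on the ASA syslog IDs quoted in the post
# (302013 Built, 304001 Accessed URL, 106015 Deny no-connection, 302014
# Teardown ending "TCP Reset-I"); addresses are RFC 5737 placeholders.
SAMPLE_LOGS = """\
302013 203.0.113.10 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:203.0.113.10/80 (203.0.113.10/80) to INSIDE:192.168.250.2/2641 (198.51.100.1/6725)
304001 192.168.250.2 Accessed URL 203.0.113.10:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p
106015 203.0.113.10 80 198.51.100.1 6725 Deny TCP (no connection) from 203.0.113.10/80 to 198.51.100.1/6725 flags ACK on interface OUTSIDE
302014 203.0.113.10 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:203.0.113.10/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
302013 203.0.113.20 80 192.168.250.2 2650 Built outbound TCP connection 5019 for OUTSIDE:203.0.113.20/80 (203.0.113.20/80) to INSIDE:192.168.250.2/2650 (198.51.100.1/6730)
302014 203.0.113.20 80 192.168.250.2 2650 Teardown TCP connection 5019 for OUTSIDE:203.0.113.20/80 to INSIDE:192.168.250.2/2650 duration 0:01:12 bytes 8421907 TCP FINs
"""

BUILT = re.compile(r"^302013 .* connection (\d+) for \w+:([\d.]+)/\d+ .* to \w+:([\d.]+)/\d+")
URL = re.compile(r"^304001 ([\d.]+) Accessed URL (\S+)")
DENY = re.compile(r"^106015 .* from ([\d.]+)/\d+ to ")
TEARDOWN = re.compile(r"^302014 .* connection (\d+) for .* duration (\d+):(\d+):(\d+) bytes (\d+) (.+)$")


def find_reset_downloads(log_text, min_seconds=20, max_bytes=4096):
    """Flag HTTP flows the inside side reset after a long, near-empty
    transfer: the pattern in the post where the CSC module holds a download
    for scanning until the client gives up. Also notes whether the server
    kept sending after the ASA dropped state (106015 'no connection')."""
    conns, open_by_client, late_servers = {}, {}, set()
    for line in log_text.splitlines():
        if m := BUILT.match(line):
            cid, server, client = m.groups()
            conns[cid] = {"id": cid, "server": server, "client": client, "url": None}
            open_by_client[client] = cid          # latest open flow per client
        elif m := URL.match(line):
            cid = open_by_client.get(m.group(1))  # 304001 only names the client
            if cid:
                conns[cid]["url"] = m.group(2)
        elif m := DENY.match(line):
            late_servers.add(m.group(1))          # server still talking to a dead flow
        elif m := TEARDOWN.match(line):
            cid, h, mi, s, nbytes, reason = m.groups()
            c = conns.get(cid)
            if c is None:
                continue
            c["seconds"] = int(h) * 3600 + int(mi) * 60 + int(s)
            c["bytes"] = int(nbytes)
            c["reason"] = reason.strip()
            c["server_kept_sending"] = c["server"] in late_servers
    return [c for c in conns.values()
            if "Reset" in c.get("reason", "") and c["seconds"] >= min_seconds
            and c["bytes"] <= max_bytes]
```

A clean large download (connection 5019 in the sample, 8 MB ending in TCP FINs) is not flagged, only the 29 s / 366-byte flow that ended in Reset-I while the server was still ACKing.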
Yes it appears that deferred scanning is the cause of the issue.
The problem became clearer after a complete reset and configuration of the ASA and CSC.
Prior to the reset, only certain downloads from Apple iTunes were being affected....... could download other files no problem... very strange.
Had initially believed that because we had enabled the Plus Licence evaluation and tested its features, but then did not renew the plus licence and continued with the base licence that some hidden/old code in the trend micro csc may be causing the issue.
But after the reset to factory defaults of the CSC module and the ASA, a rebuild of the configuration with latest software/updates etc a new problem occurred which led to the fix.
After the rebuild, downloads from ANY site above 10mb would time out, something that did not happen before, thus leading to the deferred scanning configuration.
I guess the fact that certain downloads work prior to the fix, this threw us a curve and led us away from believing that the deferred scanning (not enabled by default) would have any relation to the issue.