Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
0
Helpful
2
Replies

ACS DB Replcation Fails Through Cisco Firewalls w/Skinny Policy Inspect

swharvey
Level 3
Level 3

‎06-27-2007 12:32 PM - edited ‎02-21-2020 10:18 AM

We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replcate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over...TCP 2000.

Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.

When the policy-inspect skinny command is enabled on the firewalls, the ACS server replcation breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.

Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)

Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that defined in IETF as a well know port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.

An no...we should not have to disable the inspect-policy for skinny on the ASA's. :-)

Any help to qwell my frustration on this topic would be appreciated.

Thanks,

-Scott

Labels:
0 Helpful
2 Replies 2

Jagdeep Gambhir
Level 10
Level 10

‎06-27-2007 04:22 PM

Scott,

If disabling the inspection of the skinny protocol is not feasible, the following

configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:

In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.

#Define what traffic you want inspected:

!

access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6

access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3

access-list skinny_acl extended permit tcp any any eq 2000

!

#Create a class map to match the acl

!

class-map skinny_map

match access-list skinny_acl

!

#Under the global policy, take the skinny inspection out of the

#class inspection_default, and add it under our new class

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class skinny_map

inspect skinny

!

service-policy global_policy global

!

###Will be inspected for skinny###

FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000

Global policy:

Service-policy: global_policy

Class-map: skinny_map

Match: access-list skinny_acl

Access rule: permit tcp any any eq 2000

Action:

Input flow: inspect skinny

FWSM(config-pmap-c)#

###Will not be inspected for skinny###

FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000

Global policy:

Service-policy: global_policy

FWSM(config-pmap-c)#

Regards,

~JG

Please rate if helps !

0 Helpful

premdeep.banga
Level 1
Level 1

‎06-27-2007 04:40 PM

Hi Scott,

Some add on for what JG has provided,

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse92069

Bug ID : CSCse92069

Regards,

Prem

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents